
EEOC Releases New Rules for Wellness Programs

The Equal Employment Opportunity Commission (the EEOC) has proposed long-awaited rules for wellness programs, which in many cases fall outside of current regulations with regard to data privacy and security. The new regulations are intended to work alongside those already laid down in the Health Insurance Portability and Accountability Act (HIPAA) and the Americans with Disabilities Act (ADA). The Rules will help to make sure appropriate security measures are implemented to protect any medical data that is collected on employees, and also ensure that privacy safeguards are put in place to restrict access to that data.

Regulations for HIPAA-Covered and Non-HIPAA-Covered Wellness Programs

The new rules proposed by the EEOC apply to wellness programs that involve medical examinations being conducted, in addition to any that make inquiries about disabilities. Wellness programs that are offered to employees as part of a group health plan are already covered under HIPAA regulations, and any data collected on the employees would be classed as Protected Health Information (PHI). That data is already required to be protected by physical, technical and administrative safeguards under the HIPAA Security Rule, while disclosure of the data is covered under the HIPAA Privacy Rule.

The EEOC Rules also apply to wellness programs that are provided directly from the employer and are not part of a group health plan. These wellness programs are not covered by HIPAA, and the newly proposed rules extend coverage to include these.

The EEOC accepts that the current safeguards used to protect PHI under HIPAA would likely suffice, so there would be little in the way of additional safeguards or measures required by HIPAA-covered entities in order to comply with EEOC Wellness Program Rules. According to the EEOC, HIPAA-covered entities “likely will be able to comply with its obligation under section 1630.14(d) (6) by complying with the HIPAA Privacy Rule.”

It is not clear at this stage exactly how the EEOC Wellness Program Rules would interact with HIPAA. For instance, under the newly proposed rules, certain information must be provided to the participants in the programs; this is already required under HIPAA and should be included in the Notice of Privacy Practices. Under the EEOC Wellness Program Rules, the medical information on employees (Protected Health Information, or PHI) that is collected must be explained to the employee taking part in the program.

This information includes details of the PHI that will be collected and stored on the participant; the reason why PHI is required; exactly who PHI will be shared with; the controls in place covering the disclosure of PHI; and the controls used to prevent unauthorized disclosure of PHI.

The rules state that employers will only be allowed to collect data in “aggregate form which does not disclose, and is not reasonably likely to disclose, the identity of specific individuals, except as is necessary to administer the program or as otherwise permitted under the ADA confidentiality rule.”

Employers may or may not already be implementing the necessary safeguards; however, the EEOC has provided some guidance for employers to help them “protect the confidentiality of employee medical information.” These include:

  • The provision of training to any staff likely to come into contact with medical information.
  • The development of privacy policies to say how the data will be used, and under what circumstances.
  • Implementation of multi-layered online security systems to protect against hackers and other cybersecurity threats.
  • Measures to prevent the disclosure of medical information – Data encryption for example.
  • Establishment of rules covering data breaches, under which the individuals responsible are held accountable and business relationships with vendors who disclose information are terminated. Policies must also be developed to ensure that all breaches are investigated promptly and that swift action is taken to prevent further information from being disclosed.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
