Tag Archives: HIPAA

Has Your Wellness Program Had a Check-Up Lately?

Contributed by Suzannah Wilson Overholt, October 1, 2019

Wellness programs are a popular employee benefit. Whether an employer already has a program in place or is considering implementing one, it should be mindful of the requirements of federal law.

The Health Insurance Portability and Accountability Act (HIPAA) divides workplace wellness programs into two categories: participatory and health-contingent.  The latter are subject to specific nondiscrimination standards while the former are not.

Participatory programs give an employee a reward for engaging in a specific act.  These include gym membership reimbursement; diagnostic testing with rewards not based on outcomes; reimbursement for the cost of smoking cessation programs (regardless of whether the employee quits); and rewards for attending free health education seminars. As long as participation is available to all individuals, the program complies with HIPAA’s nondiscrimination requirements.  There is no limit on financial incentives for these programs. 

By contrast, health-contingent programs require individuals to meet certain health-related standards to qualify for rewards. There are two categories of health-contingent programs: activity-based and outcome-based. These programs must follow certain nondiscrimination standards.

Activity-based programs require performance or completion of an activity related to a specific health factor to obtain a reward, but not a specific health outcome. Examples include walking, diet, and exercise programs.

Outcome-based programs require that a particular health outcome or reasonable alternative be reached or maintained. These programs generally have a measurement, test, or screening as part of an initial standard and a larger program targeting individuals who do not meet the initial standard. Examples of such standards include quitting smoking, lowering cholesterol, or meeting certain exercise goals.

Five nondiscrimination standards apply to all health-contingent programs:

  1. Participants must be allowed to qualify at least once a year;
  2. The incentive/penalty must be limited to 30% of the cost of the premium for the plan (50% for programs related to reducing tobacco use);
  3. The program must be reasonably designed to promote health or prevent disease;
  4. The full reward must be available to all similarly situated individuals, and the program must provide a reasonable alternative standard to achieve the reward; and
  5. Notice must be provided of other means of qualifying for the reward.

Regardless of the type of program, privacy rules apply if the program conducts health risk assessments (HRAs) or monitors employee health.  HIPAA prohibits employers from using protected health information for employment-related reasons.

The Americans with Disabilities Act (ADA) requires that wellness programs be voluntary.  The rewards associated with a wellness program cannot be so significant that an employee feels coerced to participate.

The Genetic Information Nondiscrimination Act (GINA) is an issue if the program collects genetic information. Any HRA conducted prior to, or in connection with, benefit enrollment may not collect genetic information, including family medical history. Such information may only be requested after enrollment. No reward may be tied to providing genetic information. HRAs that do not request such information can be tied to a reward.

Employers should consult their program designers to ensure their wellness programs comply with these regulations.

Does Your Workplace Wellness Program Comply With Existing Laws?

Contributed by Allison Sues, May 23, 2017

The National Business Group on Health’s Eighth Annual Survey on Corporate Health recently revealed the growing prevalence of workplace wellness programs. Many such programs are expanding their aim to not only better the physical health of employees, but also to improve employees’ emotional health and financial security.

Employers should be cautious that health and wellness programs, particularly those dealing with the physical and emotional health of employees, do not run afoul of existing laws. Many employers offer employees health promotion and disease prevention activities, commonly including programs aimed at smoking cessation, weight management, and physical activity challenges. Any wellness program that asks participants to provide personal medical information or submit to health testing should comply with the Americans with Disabilities Act (ADA), Genetic Information Nondiscrimination Act (GINA), and the Health Insurance Portability and Accountability Act (HIPAA).

Looking closer at the ADA, it generally prohibits employers from making disability-related inquiries or requiring employees to submit to medical exams. The statute exempts wellness programs from this prohibition, stating that employers may “conduct voluntary medical examinations, including voluntary medical histories that are part of an employee health program available to employees at that worksite.” 42 U.S.C. § 12112(d)(4)(B). EEOC regulations confirm that wellness programs must be voluntary, confidential, and reasonably designed to promote health or prevent disease.  29 C.F.R. § 1630.14 (d)(1)-(4).

  • Wellness programs must be used only to improve the health of participating employees. A wellness program is reasonably designed to promote health or prevent disease if it has a reasonable chance of bettering the health of participants, is not overly burdensome, and is not a subterfuge for violating the ADA or any other law.
  • Employers must be able to show how they utilize any collected medical information to better participants’ health. A wellness program will raise suspicion if it collects employee health information through questionnaires, testing, or screening without providing any results, follow-up information, or advice designed to improve the participant’s health.
  • Wellness programs that collect employee health information must be voluntary. This means that employees may choose not to participate in the wellness program without suffering any retaliation or adverse action, including denial of coverage under a group health plan.
  • An incentive-based program may still be deemed voluntary. Use of a financial reward, financial penalty, or other incentive to encourage participation in a wellness program does not render the program involuntary if the maximum incentive does not exceed regulatory thresholds. For employers offering a group health plan, incentives must not exceed thirty percent of the total cost of coverage for the employee (including both contributions from employer and employee).
  • Employers must provide employees with notification about the wellness program. The notification must describe all personal medical information that will be collected and how it will be used. The notification must also explain what measures the employer will take to ensure the information is not improperly disclosed.

New HIPAA Rules Raise the Stakes for Employers – UPDATED!

Contributed by Caryl Flannery and Rebecca Dobbs

If your business sponsors a self-insured or fully insured HIPAA-covered group health plan (including medical, dental, vision, long-term care, and employee assistance programs), your duties under HIPAA (Health Insurance Portability and Accountability Act) and exposure to liability just increased significantly. On January 17, the Department of Health and Human Services issued the final rule implementing the 2009 HITECH Act, which significantly upgraded HIPAA responsibilities and enforcement. The new rule has implications for many employers because it expands the definition of who is covered by HIPAA and adds new protections for employees and penalties for plan sponsors.

Under the new rules, an employer who contracts out health plan services to third parties needs to ensure that those third parties’ obligations as a Business Associate (“BA”) are met.  BAs must sign a Business Associate Agreement with the plan sponsor spelling out the safeguards the BA will take to protect PHI and clarifying the BA’s role in the use of the PHI. 

Being directly covered by HIPAA carries significant duties, including designing policies and systems to ensure that PHI is used only for purposes consistent with the law; implementing safeguards for electronically stored PHI; tracking all disclosures of PHI; instituting additional protections for genetic information; complying with Health and Human Services (HHS) investigations and requests for information; and providing notice to employees whose PHI has been deemed inappropriately disclosed pursuant to the new materially lower “breach” threshold. HIPAA-covered entities are also subject to the newly enhanced penalties for breaches. Penalties for willful neglect and failure to correct will be at least $50,000 per violation and could be as much as $1.5 million in a calendar year. Under the new rules, HHS is no longer required to enter into informal resolution with covered entities and may immediately seek penalties through adversarial proceedings.

The new HIPAA requirements are complex and can only be summarized here.  For more information on how the new HIPAA rules may affect your business, contact your employment or healthcare attorney.  In the meantime, employers should begin taking the following actions:

  • Work with your insurance providers to make sure that you have the smallest possible role in collecting, accessing or receiving employee PHI. 
  • Review existing Business Associate Agreements to ensure that they reflect the new regulations.  Monitor all BAs with whom you share PHI. 
  • Post the revised Notice of Privacy Practices on your benefits website and distribute the notice to plan participants.
  • Revise employee documents to eliminate all reference to or requirement for genetic information including family medical history.
  • Audit your privacy practices to determine risks and weaknesses in your system, then address those areas.