In the March issue of WellnessRx we reported the decision in EEOC v. Flambeau, where a federal court ruled against the Equal Employment Opportunity Commission (EEOC).
The court found that an employer did not violate the Americans with Disabilities Act (ADA) when it required employees to complete a health risk assessment and to undergo biometric testing in order to participate in the company’s group health plan.
Two months later, the EEOC issued its final rule outlining the requirements for wellness programs to be compliant with the ADA. And the law is no longer in Flambeau’s favor.
Before we evaluate the new ADA rule, let’s back up a few years. Remember the HIPAA Nondiscrimination Rules issued in 2013?
Those rules divided wellness programs into two categories: “participation-based” and “health-contingent” programs. Participation-based programs that do not require an individual to meet a specific health standard in order to obtain a reward (or where no reward is offered) are not considered discriminatory under HIPAA (assuming participation in the program is made available to all similarly situated individuals).
By contrast, health-contingent programs – those that require individuals to satisfy a specified health standard in order to obtain a reward – must adhere to five safeguards known as the HIPAA Nondiscrimination Rules (read about them here).
Beginning January 1, 2017, employers that sponsor group health plans have one more set of regulations to adhere to. While the new ADA rule attempts to align with the HIPAA Nondiscrimination Rules as closely as possible, there are notable differences. The EEOC explicitly states that compliance with the HIPAA Nondiscrimination Rules is not determinative of compliance with the ADA.
In order to comply with the new ADA rule, employer-sponsored wellness programs that utilize HRAs or biometric screenings must make participation voluntary, and:
- Must make the program reasonably designed to promote health or prevent disease;
- May not require participation;
- May not deny access to health insurance or benefits to an employee who does not participate (this was the issue in Flambeau);
- May not retaliate against, interfere with, coerce, intimidate, or threaten any employee who does not participate or fails to achieve certain health outcomes;
- Must provide a notice, in easy to understand language, that explains the medical information that will be obtained, how it will be used, who will receive it, the restrictions on disclosure, and the methods the covered entity uses to prevent improper disclosure of sensitive information; and
- Must limit the incentive to 30 percent of the total cost of the plan in which the employee is enrolled. (While HIPAA places no limits on incentives for participatory wellness programs, the ADA 30-percent rule applies regardless of whether the wellness program is participation-based or a health-contingent wellness program.)
Moreover, the ADA rule imposes two new confidentiality requirements on businesses, requiring that:
- Employers may only receive information collected by a wellness program in aggregate form – personally identifiable information may only be used if necessary for the employer to administer its own wellness program (employers acting in this capacity must certify to the group health plan that it will safeguard and not improperly use or share the information); and
- Employers may not require an employee to agree to the sale, exchange, transfer, or other disclosure of their health information, or to waive confidentiality protections under the ADA in exchange for an incentive, or as a condition for participating in a wellness program (except to the extent permitted by the ADA to carry out specific activities related to the wellness program).
So what are the implications to employers that use a health risk assessment (or biometric screening) and incentives as part of an employee wellness program?
- Program coordinators need to familiarize themselves with both sets of wellness regulations (the HIPAA Nondiscrimination Rules and the new ADA rules) to ensure their program is in compliance with both laws.
- To guarantee a “reasonably designed” program, make sure the health risk assessment and biometric data isn’t just collected, but is used to provide employees with results and follow-up information, or to plan health improvement programs that address the health needs of the employee population.
- If employees are presently required to complete a health risk assessment (or biometric screening) prior to enrolling in the company’s group health plan, if the incentives currently exceed the 30 percent threshold, or if employees are required to consent to the sharing of their personal information to participate or qualify for an incentive, changes will need to be made to bring the program into compliance by the effective date (January 1, 2017 for calendar year plans).
- Notices should be reviewed to ensure they clearly convey all of the information required by the rule.
- And if the employer is receiving personally identifiable information as an administrator of its own wellness program, confirm firewalls are in place to prevent unintended disclosure, ensure that individuals who handle medical information are not decision makers with hiring/firing authority, and amend any plan documents to include a certification by the wellness coordinator that it will safeguard the information and not improperly use or share it. Unless these safeguards in place, employers may only receive aggregate data from their wellness program participants.
For background information on what the ADA is and how it applies to wellness programs generally, as well as additional guidance on what constitutes a “reasonably designed” wellness program and the types of incentives and penalties that are permitted, click here.
 To be clear, the EEOC actually issued two new rules on May 17, 2016: one pertaining to wellness programs under GINA (the Genetic Information Nondiscrimination Act), and one relating to wellness programs under the ADA. This compliance update will focus on the ADA updates (for a summary of the amendments to GINA’s regulations, click here).
 The ADA rule is only applicable to wellness programs that obtain medical information from employees. However, even employer-sponsored wellness programs that don’t collect medical information must provide reasonable accommodations to allow employees with disabilities to earn whatever incentive is offered.
 Various scenarios of how to apply the 30-percent rule are discussed in the regulations. Employers should carefully review the rule and consider engaging legal counsel in determining the amount of total incentive allowed.
 A sample notice that complies with this rule is available at www.eeoc.gov/laws//regulations/ada-wellness-notice.cfm.