The newly proposed EEOC Rules for Wellness Programs aim to span the gaps between current legislation and ensure that employees are better protected from cyber theft, medical fraud and identity theft by safeguarding their confidential medical information.
Wellness programs are often offered to employees by their employers, in many cases as part of a group health plan. Employers receive benefits or incentives for promoting them and the employees gain important health benefits.
There has been some concern that the long overdue Equal Employment Opportunity Commission rules on wellness programs may affect incentives and how they are paid; however the main purpose of the new rules is to ensure that any data collected on employees is properly protected and secured. Not all wellness programs are covered under the Health Insurance Portability and Accountability Act (HIPAA), and therefore the data collected by these programs may not always need to be secured to HIPAA security standards.
EEOC Rules for Wellness Programs Compliment HIPAA
The EEOC Rules for Wellness Programs have been developed to complement existing legislation, in particular HIPAA and the Americans with Disabilities Act (ADA). EEOC’s proposed regulations cover employer-sponsored group health plan wellness programs in addition to wellness programs not currently covered under HIPAA regulations. They apply to any wellness program that requires its participants to summit to a medical examination, provide medical data or information about any disabilities.
If identifiable health information is exposed or divulged, HIPAA covered entities must implement a number of breach response procedures including issuing breach notification letters to the affected individuals. When breaches occur, if they are discovered to have been caused by violations of HIPAA rule, heavy fines can follow. Non-compliance can also conceivably result in a heavy fine even in the absence of a data breach.
However, some wellness programs that collect this information are covered by HIPAA and some are not, even if the exact same information is asked and the same data is collected by each. The new EEOC Rules for wellness programs would resolve this security gap and ensure that all wellness programs that collect medical data apply safeguards to secure it and policies to govern how it is used and disclosed.
The new EEOC Rules state that “aggregate form which does not disclose, and is not reasonably likely to disclose, the identity of specific individuals, except as is necessary to administer the program or as otherwise permitted under the ADA confidentiality rule.” The EEOC has also issued guidance to help employers ensure that medical data remains confidential and they suggest a number of “best practices” that should be adopted to keep data confidential in line with current HIPAA regulations on privacy and security.