
Health Plan Hot Topics: New Wellness Regulations, HIPAA Audits, and More

Labor & Employment Alert John L. Barlament

It may feel like spring, but federal regulators recently released a blizzard of new guidance in the health plan area. Recent court cases have added to the concerns for plan sponsors. We discuss these hot topics below.

I. New ADA Wellness Regulations.

On May 17, the Equal Employment Opportunity Commission (EEOC) released new wellness regulations—which were literally decades in the making. The good news is that the EEOC did not use the Americans with Disabilities Act (ADA) to outlaw most wellness plans. The bad news is that the EEOC has created significant new requirements, many of which differ from prior requirements or other laws. Here are the key items in these new regulations.

Broad Scope of "Plans" Which are Covered. Most employers tie their wellness plans to their major medical plans. But some wellness plans are offered to all employees. Regardless of how an employer structures its wellness plan, the EEOC regulations will apply if the plan includes any "disability-related inquiries" or "medical examinations." It appears that most health risk assessments (HRAs) or blood draws (e.g., to determine an employee's cholesterol level or glucose level) would be "medical examinations" or "disability-related inquiries."

Maximum Wellness Rewards Do Not Match Up with HIPAA. Under the HIPAA wellness regulations, an employer generally can offer up to 50 percent of the total cost of family coverage as an incentive to participate in a wellness plan. Under the new EEOC regulations, an employer is generally capped at 30 percent of the cost of employee-only coverage. This difference could easily be hundreds or thousands of dollars per year.

There is no cap under the ADA regulations with regard to spousal coverage. However, as discussed below, there is a 30 percent cap under new GINA regulations for spouses. So an employer whose wellness reward previously was at the 50 percent of family coverage limit likely will need to decrease its wellness reward. But the decrease might not be as significant as we initially feared, if the employer can "make up" some of the difference through a spouse-related wellness discount.

The EEOC noted that its 30 percent standard generally is less than the standard approved by three other federal agencies [the Internal Revenue Service (IRS), Department of Labor (DOL), and Department of Health and Human Services (HHS)]. However, the EEOC concluded that it does not matter—it will still enforce its own, lower limit.

Somewhat confusingly, just inquiring about smoking status appears to be excluded from these percentage calculations—but physically testing for nicotine use (e.g., looking for nicotine in a hair or blood sample) is included in these calculations.

Ensuring Participation is "Voluntary." The EEOC is very concerned that any wellness plan's disability-related inquiry or medical examination must be "voluntary" for the employee. Using that legal "hook," the EEOC has created several requirements employers must satisfy in order to prove that the wellness program is voluntary.

#1: No Tie to Benefits or Benefit Levels. An employer cannot deny coverage under a major medical plan if an employee refuses to participate in the wellness plan's inquiries. Similarly, an employer cannot use the inquiry as a "gateway" to better coverage. In other words, an employer cannot condition an employee's enrollment in a "better" health plan (e.g., lower deductible, better network) upon an employee agreeing to the inquiry. For example, an employer cannot require an employee to complete a health risk assessment to obtain health plan coverage or better health plan coverage.

#2: No Retaliation. Not surprisingly, an employer cannot retaliate against an employee for refusing to participate in the wellness plan's inquiry. An employer cannot require employees to participate in the wellness plan.

#3: Notice Requirement. Employers will have to create and distribute a new notice explaining:

* What medical information will be obtained;

* How the medical information will be used;

* Who will receive the medical information;

* The restrictions on disclosure of the medical information; and

* The "methods" the employer will use to prevent improper disclosure of medical information.

Drafting the Notice. The EEOC will provide, by mid-June, a sample notice. Depending on the level of detail the EEOC is expecting, drafting this notice may be complicated. For example, in terms of "who" will receive the medical information, how specific must the notice be? Must it include the actual names of, for example, the wellness vendor (such as "ABC Wellness Vendor, Inc.")? Or just a reference to the fact that a wellness vendor will receive the medical information? Must it include vendors of that vendor (such as a laboratory the wellness vendor has hired to analyze the blood samples)? In what detail must the "methods" to prevent improper disclosure be described? Will employers need to create procedures to establish and consistently follow those methods? Then provide training to employees on those methods? The notice requirement raises a number of questions which will need to be carefully examined once the EEOC's model is released.

New Confidentiality Requirements. The new regulations—like the prior regulations—generally require that employers ensure the confidentiality of employee medical information which is part of the wellness plan. On its face, that sounds reasonable. But what steps, exactly, are required? First, the regulations state that only non-identifiable information may be shared with the employer, unless the employer needs more information to administer the wellness program. An employer which never receives any identifiable health information in connection with its wellness program may have little more to do in terms of confidentiality. Second, the "Interpretive Guidance"—a less-formal piece of the new regulations—clarifies that these confidentiality rules also apply to wellness vendors.

If the employer receives identifiable information, the employer will need to follow additional steps. It appears a wellness vendor which holds this information will also need to follow these steps. Somewhat unhelpfully, the EEOC states that "some" of the following steps "may be required by law" while others "may be best practices"—without stating which are which. So employers and wellness vendors likely will try to implement all or most of them. We list them below and compare them to the HIPAA privacy and security rules (which are broader and contain more requirements than just these).

Each numbered item below states the EEOC ADA provision (best practice or required by law), followed by our answer to the question: is it also required by HIPAA?

1. Training. Train all individuals who handle medical information about the requirements of the ADA and, as applicable, HIPAA's privacy, security, and breach requirements, and any other privacy laws.

Not exactly. HIPAA does require training on its privacy and security requirements. But it does not require training on the ADA's confidentiality provisions or on "any other privacy laws." So employers and wellness vendors likely will be required to expand their current privacy training to include these new laws.

2. Policies and Procedures. Employers and "program providers" (likely meaning wellness vendors) "should" have "clear" privacy policies and procedures related to the collection, storage, and disclosure of medical information.

Not exactly. HIPAA does require policies and procedures for a "covered entity" but not for an employer (which is not the "covered entity" under HIPAA). HIPAA also does not specifically require this for a business associate like a wellness vendor (although many business associates create policies and procedures, even if not legally required).

3. Safeguards Against Unauthorized Access. Online and, apparently, offline technology should guard against unauthorized access—e.g., through encrypting the medical information.

Not exactly. HIPAA does require a covered entity and a business associate to establish some safeguards. However, encryption is specifically not a "required implementation specification"—it is one which only must be considered, not necessarily implemented.

4. Report Breaches. Breaches of confidentiality "should" be reported to affected employees "immediately" and should be thoroughly investigated.

Not exactly. Unfortunately, it appears that any "breach" must be reported under the EEOC regulation. That is in contrast to HIPAA's breach rule, which allows for minor incidents to not be reported. Also troubling is the reference to providing notice "immediately" to an employee. Does that require notice within a few minutes or hours of a breach being discovered? If so, that would not provide sufficient time, generally, for an employer to determine what happened and to offer practical assistance to the employee.

5. Discipline Employees. Employers "should make clear" that individuals responsible for disclosures of confidential medical information will be disciplined if the employee breaches confidentiality of the medical information.

Yes, somewhat. HIPAA-covered entities must be prepared to discipline employees who breach the relevant policies and procedures. Under the new ADA regulations, though, it is not known how, exactly, an employer will make this "clear." Should a statement to that effect go in an employee handbook? A notice to wellness plan enrollees? Both places?

6. Fire Your Vendors (Perhaps). Employers "should consider discontinuing relationships with vendors responsible for breaches of confidentiality."

No. HIPAA does discuss terminating a business associate, but not specifically for a breach. Note that this will likely require employers to review their contracts with all vendors who hold this EEOC-covered information and include in the vendor contract the ability to terminate if the vendor commits a breach.

7. Firewall Within Employer. "Individuals who handle medical information that is part of an employee health program should not be responsible for making decisions related to employment, such as hiring, termination, or discipline."

A third-party vendor likely should be aware of this "strict confidentiality" provision and should follow it.

Employers which administer their own wellness program "need adequate firewalls in place to prevent unintended disclosure."

No. It probably is a "best practice" under HIPAA to engage in this type of "firewalling." But it is not required. And it raises questions about how small employers will handle this, as the human resources director often is involved in hiring/firing and in wellness plan administration. The regulations note that for such a small employer, the "decision-makers" may not use the information to discriminate on the basis of disability.

An employer and its wellness vendor may want to put procedures in place so that the wellness vendor knows which employees of the employer are within this "firewall," so, if the vendor will share medical information with the employer, only the "firewalled employees" receive the information.

8. Review Vendor's Privacy Policies For Ensuring Confidentiality. An employer should review a wellness vendor's "privacy policies" so it is "familiar" with them.

No. This is an area which raises significant questions. Many vendors will be reluctant to provide detailed security provisions—doing so could actually reduce overall security of the vendor (because now many third parties will know the vendor's security provisions, making them less secure). Also, is an employer liable if it receives the policies, but fails to review them? Fails to catch obvious mistakes or gaps? If an employer asks the vendor to change something and the vendor refuses, must the employer fire the vendor?

Reasonably Designed. Under the new ADA regulations, a wellness program must be "reasonably designed" to improve health. That is very similar to HIPAA's wellness regulations. However, the ADA regulations go beyond those HIPAA regulations, by stating that a wellness program which measures, tests, screens, or collects health information must provide "results, follow-up information, or advice" designed to improve health. That would seem to not be overly burdensome. Most wellness programs which collect health information (e.g., a blood draw) provide results about the analysis of the health information (e.g., glucose levels and blood sugar levels).

No Safe Harbor. Many employers have relied on an ADA "safe harbor" for "bona fide benefit plans" as a way of ensuring that they can ask medical-related questions of employees. Absent this safe harbor, most wellness programs would have failed the ADA's requirements. The safe harbor has been upheld in several court cases, including Seff v. Broward County.

The new regulations contain an extensive discussion of the safe harbor. The EEOC concludes that the safe harbor is simply inapplicable to wellness programs. In other words, an employer which wants to ensure compliance with the ADA must follow the new regulations—the "bona fide benefit plans" path is no longer available (absent an employer challenging the EEOC's position in court and winning).

Effective Date. The new ADA regulations have several possible effective dates. For the two largest changes—the new notice rule and the 30 percent limit on incentives—the changes begin applying on the first day of the first plan year starting on or after January 1, 2017 (e.g., July 1, 2017 for a July 1 plan year). The EEOC states that all the "other provisions" of the new rule are merely "clarifications of existing obligations" and are effective immediately.

As if to prove its point, the EEOC immediately filed the new regulations in the court case between the EEOC and Orion Energy System. The case involves a dispute over Orion's wellness program. In the filing, the EEOC claimed that Orion cannot rely on the above-described "safe harbor." Many other employers around the country rely on this same safe harbor. According to the new regulations and the EEOC filing, that reliance is immediately invalidated—there is no "lead time" to implement this change. So, at least in theory, nearly every employer with a wellness plan which gathers medical information on employees must immediately consider how to address this "revocation" of the safe harbor. This lack of time to prepare will no doubt cause significant concerns among many employers nationwide. However, employers may choose to wait and see the results of the court case before taking action.

Other changes raise similar concerns. For example, it is now clear, as noted above, that an employer can no longer use participation in a wellness plan as a "gateway" to participating in a "better" health plan. That change seems to be effective immediately (or, perhaps, retroactively). If an employer had used such a participation requirement for the 2016 plan year, what should the employer do now? Must the employer, in the middle of the current plan year, offer a special enrollment opportunity to employees who previously refused to participate in the wellness plan (and who therefore failed the "gatekeeper" test)? The lack of a transition period raises complicated questions.

II. New GINA Regulations.

The Genetic Information Nondiscrimination Act (GINA) generally prohibits employers from acquiring an employee's genetic information. Normally that is not a problem—few employers intentionally collect such information.

But there had been a lingering, technical question—whether an employer's collection of a spouse's health history would be considered the acquisition of an employee's genetic information. The two don't seem the same at all, but a technical glitch in the statute had raised the possibility that a spouse's health history would be considered an employee's "genetic information."

In the new regulations, the EEOC clarifies that a spouse's health history is indeed genetic information. But the regulations then provide a "path" for an employer's wellness program to still collect the information. In other words, if a plan sponsor follows the new requirements, the sponsor can still have spouses participate in a wellness program. The regulations rule out collecting such health information on children.

Many of the same requirements which apply in the ADA regulations, discussed above, also apply in the new GINA regulations. This includes the 30 percent limit on the reward for collecting, in this case, a spouse's health information (while the ADA regulations impose a separate 30 percent limit on collecting the employee's health information). Notably, though, the new GINA regulations require an employer to obtain a spouse's "knowing, voluntary and written authorization" before collecting the spouse's health information. The authorization form must:

* Be written so that the spouse is reasonably likely to understand it;

* Describe the information that will be obtained and the general purposes for which it will be used; and

* Describe the restrictions on disclosure of the information.

While the EEOC has promised a model notice under the ADA regulations, it has not promised any model authorization under the GINA regulations. So employers (or their wellness vendors) will want to prepare such an authorization if spousal health information will be collected.

Effective Date. The EEOC states that most of the new GINA regulations are merely a "clarification" of existing law. Therefore, they are immediately (and, technically, retroactively) effective. So, for example, an employer that uses its wellness plan as a "gateway" for a spouse to participate in a better plan may need to immediately consider modifying the program. However, the change relating to obtaining the spouse's authorization, and the related 30 percent reward, is not effective immediately. Rather, it is effective for the first plan year beginning on or after January 1, 2017.

III. HIPAA Audits.

The Office for Civil Rights (OCR) recently announced that it will begin "Phase 2" audits to ensure that covered entities and business associates are complying with HIPAA's privacy and security rules. An employer with a self-funded health plan generally must ensure that the plan is following these rules. Business associates must ensure that their workforces follow the rules. Helpfully, the OCR has provided the list of questions it will ask of a covered entity and business associate.

The questions generally track the regulations. So in theory a health plan or business associate which has policies and procedures should be in good shape. But the questions do ask the OCR examiner to "drill deeper" and see whether the policies and procedures are actually being followed in practice. So a business associate, or an employer with a covered health plan, should make sure that its employees have read, and actually follow, those policies and procedures.

IV. Fair Labor Standards Act Case.

A new case from a federal district court in Wisconsin has raised some Fair Labor Standards Act ("FLSA") concerns. In the case (Gilbertson v. City of Sheboygan), the court reviewed whether an employer's contributions to a health reimbursement arrangement were part of the employee's "regular rate" of pay. If so, the employer generally must pay overtime on that amount.

Example. Suppose an employee who is subject to the FLSA's overtime rules has a "regular rate" of pay of $20 per hour. Their overtime rate of pay would be $30 per hour ($20 x 1.5). The employer contributes $2 per hour into the employee's health reimbursement arrangement. For determining overtime payments, is the employee's "regular rate" of pay $20? Or $22 (the $20 base pay plus the $2 per hour contributed to the health reimbursement arrangement)?

Tracking the above example, the Gilbertson court determined that the "regular rate" of pay was $22 per hour, not $20 per hour. So the employer owed additional amounts (the employer had been using the $20 per hour in our example).

The employer could have—with some effort—avoided the result. It appears that an employer could establish a trust or otherwise irrevocably contribute funds to a third party who will pay benefits. Few employers have trusts anymore. And many contracts with third party administrators for self-funded plans (not just HRAs, but major medical, dental, vision, etc.) do not contain the precise language needed to avoid this result. Bottom line: Most employers with any type of self-funded health plan (not just health reimbursement arrangements) should review their current contracts with their third party administrators and possibly change the language in the contract, to try to match up with the relevant FLSA exceptions.

V. ERISA Section 510.

In May 2015, several employees of Dave & Buster's (the restaurant chain) brought a claim that the employer had unlawfully reduced employees' hours in an effort to minimize the employer's exposure under the ACA's "Employer Shared Responsibility" rules. The argument was that the reduction in hours violated ERISA Section 510. ERISA Section 510 prohibits an employer from interfering with an employee's accrued benefits. By itself the lawsuit was not too surprising—plaintiffs' lawyers had publicly discussed the possibility of such an action. But what was somewhat surprising was that the first stage of the first such case to be decided in this context was a win (a survival of a motion to dismiss) for the employees.

The new case illustrates that employers should be careful in how they communicate the reasons for reducing employees' hours. ERISA does not prohibit a reduction in hours for legitimate business reasons. But if the cost of health benefits is mentioned as one of those reasons, a viable lawsuit is now more likely. So employers should be careful and likely should not blame the ACA as the reason for a reduction in hours.

VI. New Nondiscrimination Rules.

In lengthy new regulations issued on May 18, 2016, OCR provided final regulations under ACA Section 1557. Section 1557 broadly prohibits discrimination in health programs on the basis of race, color, national origin, sex, age, or disability.

Only a minority of employers will be subject to these new rules. The new rules directly apply only to an employer which receives "federal financial assistance." This will probably include hospitals, pharmacies, and educational organizations. It can also apply to third party administrators ("TPAs"), especially if they participate in the ACA's Marketplaces.

One practical effect of the new rule is that a covered employer may have to expand the health plan benefits it offers to transgender employees and dependents. For example, a denial of coverage for gender reassignment surgery is, under these new rules, generally "unlawful on its face."

What if Your TPA is Subject to the Rules? Significantly, the new rules clarify that an employer is not necessarily subject to the Section 1557 rules simply because its TPA receives federal financial assistance and is covered by the new rule. (Not all TPAs will receive such assistance, but some will.) Instead, the OCR will determine who is responsible for an employer's discriminatory plan design—the TPA or the employer. If the TPA is responsible, the TPA is liable. But if the employer is responsible, the employer is not liable (unless it also is receiving federal financial assistance). We have some concerns about how, exactly, the OCR will determine who is "responsible" in this situation. We can envision TPAs and plan sponsors "blaming" each other for the discriminatory provision.

Action Steps. Employers should verify whether they receive any "federal financial assistance." If not, there should be little to do. But if an employer does receive this assistance, it should review its plan document and identify any areas where it potentially discriminates on the basis of any of the above protected classes. It may also be a good idea to discuss the matter with the TPA, to verify if the TPA is subject to the new rules. The new rule is generally effective July 18, 2016. But if a health plan must be modified because of the new rule, it will be effective the first day of the first plan year beginning on or after January 1, 2017.

If you have any questions regarding these rules, please contact John Barlament at (414) 277-5727/[email protected], or your local Quarles & Brady attorney.
