On January 7, 2021, the EEOC finally released the proposed language revising the wellness incentive rules under the Americans with Disabilities Act (ADA) and the Genetic Information and Nondiscrimination Act (GINA). This language was what the wellness industry has been waiting for since the EEOC met on the proposed rules on June 11, 2020.
Now that we have the language, it is much easier to evaluate the proposed changes to the rules. Recall these changes are occurring as a result of a court order issued in the AARP v. EEOC case. In that case, the judge agreed with the EEOC that the rules issued in 2016, at least with regard to the 30 percent incentive limit, were arbitrary and needed to be revised.
One of the more surprising things about the proposed rules is that the EEOC did not just replace the language previously deleted in January 2019. Instead, the EEOC replaced everything, even language that they had previously left intact. Now, much of the replaced language that had not been affected by the AARP v. EEOC case is the same. But not all of it. Here is a summary of the proposed changes to both the ADA and GINA, listed in order of most surprising to least surprising, based on what we knew from the June 2020 meeting:
For whatever reason, the EEOC believes that employees will no longer care about how their health information, collected from health risk assessments or biometric screens, will be used and disclosed. Moreover, the EEOC states that the proposed rules still prohibit employers from conditioning participation in a wellness program on an employee allowing information to be disclosed to a third party. That’s fine, but that doesn’t mean employers can’t disclose health information to a third party, they just can’t prohibit employees from participating if they don’t want their information disclosed to a third party. The question is, without the notice, how will employees know that a third party might see or use their health information? The notice is what told them that. Finally, the EEOC reasons that unlike GINA, the ADA statute does not contain a notice requirement, so why should the regulations?
What the EEOC fails to mention, however, is that the notice requirement added by the 2016 rules did more than just address whether and how an employee’s health information would be shared with third parties. It also described who at the employer might see the information and why, and reminded employees that unless the employer had some role to play in administering the wellness program, the employer would only see information in the aggregate. The notice also described how their information would be protected and why their information was being collected. It is important to note that there is no requirement, other than the requirement that employers keep employee medical information confidential (29 CFR § 1630.14(d)), that employers or wellness program providers have privacy policies and procedures related to the collection, storage and disclosure of health information. The EEOC says that employers and providers should have such policies and procedures (see Proposed Rule at 17), but nothing requires them to unless the wellness program is part of a group health plan, in which case HIPAA privacy and security rules apply.
The best the EEOC was able to in the proposed rules is to encourage employers who use third-party vendors to be familiar with the vendor’s privacy policies for ensuring the confidentiality of medical information and security policies that guard against inadvertent disclosure to, or access by, unauthorized parties. This is not a requirement that the vendor have such policies (though if they do not, I suspect their business model may not be as attractive to employers as those that do). Moreover, the EEOC guidance states that employers that administer their own wellness programs Need adequate firewalls in place to prevent unintended disclosure. But, this statement appears in the “guidance” to the rules, not the rule language itself. Enforcement authority for disobeying guidance is much more difficult to impose than disobedience relating to regulatory language.
It is hard to imagine that employees will no longer care about these notice and privacy issues just because the incentive is de minimis. Also, as discussed below, not every wellness program will be subject to the de minimis incentive limit. Health contingent, group health plan wellness programs will be allowed to incentivize up to the maximums provided under the HIPAA/ACA wellness incentive rules (up to 30% of health coverage cost or up to 50% for tobacco-related programs). So, removing the notice requirement for all wellness programs that collect health information seems nonsensical.
Now, the EEOC is removing this requirement because “we believe that the de minimis incentive standard will make it unlikely that an employee will choose to participate in a program that requires providing medical information unless the employee believes the program has some value in promoting health or preventing disease.” Proposed Rule at 8. So, the EEOC now places the burden on employees to determine whether a wellness program is reasonably designed to promote health or prevent disease, rather than on the employer. The EEOC also notes that health contingent, group health plan wellness programs will still be subject to the HIPAA/ACA requirement that those programs must be reasonably designed to promote health or prevent disease. Id. However, participatory programs, whether group health plan or not, will no longer be required to ensure any health information collection activity is tied to a program reasonably designed to promote health or prevent disease.
The EEOC believes that limiting incentives to de minimis only will make employees care less about whether the health information collection activity actually aims to improve their wellbeing. The EEOC is banking on the assumption that de minimis incentives will discourage employees from participating if they doubt the effectiveness of the wellness program. To me, this makes the wellness program designer’s job more challenging, as there is less incentive for employers to invest in programs that could be truly helpful to improving employee wellbeing.
The proposed rules define “health contingent” wellness programs as “a program that requires an individual to satisfy a standard related to a health factor to obtain a reward (or requires an individual to undertake more than a similarly situated individual based on a health factor in order to obtain the same reward). A health contingent wellness program may be an activity-only wellness program or an outcome-based wellness program.” ADA Proposed Rule at 13. So, if a group health plan wellness program collects health information through an activity-based or outcome-based wellness program, as those terms are understood through the HIPAA/ACA rules, the wellness program could incentivize employees up to 30% of the cost of health coverage (or 50% for tobacco-related programs).
How do you know if your wellness program is a group health plan program? The EEOC provides some guidance on that too. If you answer “yes” to any of the following questions, the EEOC would consider your wellness program to be a group health plan wellness program potentially subject to the insurance safe harbor:
ADA Proposed Rule, at 9.
The EEOC is reversing course on the applicability of the insurance safe harbor because it believes it ignored certain safe harbor language in the 2016 rule. Specifically, the EEOC explains that it ignored the fact that the insurance safe harbor also applies when an employer uses employee health data for “classifying risks” or “administering risks.” In the 2016 rule, the EEOC says it focused merely on “underwriting risks.” The EEOC believed a group health plan would not use wellness program data for underwriting risks. However, in this re-write of the rules, the EEOC believes wellness program data would be useful for group health plans in classifying risks or administering risks. As an example, the EEOC states that a wellness program that includes a physical examination and biometric screening can be beneficial in identifying key health indicators related to chronic disease that can be measured and tracked over time. Employers can use these measures to help employees manage specific risk factors and use the data to create future benefit plans. ADA Proposed Rule, at 10.
That may be true, but that example provided by the EEOC is not a health contingent wellness program. An employer would not need to tie an incentive to meeting a health goal or standard to be able to use HRA or biometric data to track risk factor progress or create future benefit plans. Tying the incentive to participation in the HRA or biometric screen would likely be enough to get the data needed for future benefit planning. So, the example provided by the EEOC to justify reviving the insurance safe harbor for health contingent, group health plan programs only makes no sense. It appears that participatory programs, such as described in their example, could also benefit from the safe harbor. At least with regard to the rationale provided by the EEOC.
Now, the EEOC states that an employer can offer de minimis incentives to both spouses and children of employees to encourage them to provide information about their manifestation of diseases or disorders. See GINA Proposed Rule at 10. The GINA regulation language uses the same examples of what qualifies as “de minimis” as the ADA language (discussed below). The GINA proposed rule does not alter the current prohibition against incentivizing employees for revealing their genetic information, such as family medical history. As is currently the law, wellness programs that include family medical history questions in an employee health risk assessment must alert the employee that refusal to answer those questions will not result in disqualification for any incentive related to taking the HRA. 29 CFR § 1635.8(b)(2)(ii); see also 81 Fed. Reg. at 31144, n. 16.
Also, the proposed GINA rules keep the authorization requirement. To obtain genetic information from employees or their family members, the individual must provide “prior knowing, voluntary, and written authorization.” GINA Proposed Rule at 23.
Although we knew the de minimis language was coming in the proposed rules, what is surprising is looking back at the GINA 2016 rules when the EEOC refused to define “de minimis” incentives. Back then, the EEOC argued it was not possible to define which incentives would qualify as “de minimis” and which would not. The EEOC stated “We suspect that employers’ interpretation of the term would vary, and there is no clear basis on which to establish a threshold for the de minimis value.” 81 Fed. Reg. at 31150 (May 17, 2016). I’m not sure circumstances have changed. I suspect that employers’ interpretations of the term “de minimis” will still vary and that there really is no clear threshold for the de minimis value. True, the IRS uses this same vague language when determining if an incentive is subject to taxation. 26 USC § 132(a)(4). So, this should be somewhat familiar territory for employer wellness programs. But the EEOC’s stark change in position about its comfort level with “de minimis” from 2016 to now undermines my confidence in the agency’s ability to provide helpful guidance and understanding for the workplace wellness industry.
As a reminder, the above summaries are of proposed rules, not final rules. That means these rules do not have the force of law (yet). Interested parties have 60 days to submit comments about the proposed rules. Then the EEOC will take review those comments and issue final rules at some later date.
If you are interested in submitting comments to the EEOC, contact the Center for Health and Wellness Law, LLC and we would be happy to assist you in that effort.
 See 45 CFR § 146.121(f)(1)(iii).