Under new EEOC rules published May 17, 2016, under the Americans with Disabilities Act (ADA), employers that offer wellness programs that collect employee health information must provide a notice to employees informing them:
- what information will be collected,
- how it will be used,
- who will receive it, and
- what will be done to keep it confidential.
The EEOC has published the sample notice below to help employers comply with the ADA and has also published some questions and answers about the notice requirement and use of the sample notice. Employers may write their own notices rather than use the EEOC sample notice, but employers may wish to use the EEOC notice to ensure they are complying with all EEOC requirements. There are many bracketed areas in the notice that an employer must customize so the information is specific to that employer’s wellness program. Note additionally that the third paragraph under “Protections from Disclosure of Medical Information” provides that “information stored electronically will be encrypted.” Employers who are not encrypting such data (some employers use access control rather than encryption) will need to adjust this language accordingly, or encrypt files containing this data.
Following the sample notice is some additional information from the Questions and Answers about the Notice.
NOTICE REGARDING WELLNESS PROGRAM
[Name of wellness program] is a voluntary wellness program available to all employees. The program is administered according to federal rules permitting employer-sponsored wellness programs that seek to improve employee health or prevent disease, including the Americans with Disabilities Act of 1990, the Genetic Information Nondiscrimination Act of 2008, and the Health Insurance Portability and Accountability Act, as applicable, among others. If you choose to participate in the wellness program you will be asked to complete a voluntary health risk assessment or “HRA” that asks a series of questions about your health-related activities and behaviors and whether you have or had certain medical conditions (e.g., cancer, diabetes, or heart disease). You will also be asked to complete a biometric screening, which will include a blood test for [be specific about the conditions for which blood will be tested.] You are not required to complete the HRA or to participate in the blood test or other medical examinations.
However, employees who choose to participate in the wellness program will receive an incentive of [indicate the incentive] for [specify criteria]. Although you are not required to complete the HRA or participate in the biometric screening, only employees who do so will receive [the incentive].
Additional incentives of up to [indicate the additional incentives] may be available for employees who participate in certain health-related activities [specify activities, if any] or achieve certain health outcomes [specify particular health outcomes to be achieved, if any]. If you are unable to participate in any of the health-related activities or achieve any of the health outcomes required to earn an incentive, you may be entitled to a reasonable accommodation or an alternative standard. You may request a reasonable accommodation or an alternative standard by contacting [name] at [contact information].
The information from your HRA and the results from your biometric screening will be used to provide you with information to help you understand your current health and potential risks, and may also be used to offer you services through the wellness program, such as [indicate services that may be offered]. You also are encouraged to share your results or concerns with your own doctor.
Protections from Disclosure of Medical Information
We are required by law to maintain the privacy and security of your personally identifiable health information. Although the wellness program and [name of employer] may use aggregate information it collects to design a program based on identified health risks in the workplace, [name of wellness program] will never disclose any of your personal information either publicly or to the employer, except as necessary to respond to a request from you for a reasonable accommodation needed to participate in the wellness program, or as expressly permitted by law. Medical information that personally identifies you that is provided in connection with the wellness program will not be provided to your supervisors or managers and may never be used to make decisions regarding your employment.
Your health information will not be sold, exchanged, transferred, or otherwise disclosed except to the extent permitted by law to carry out specific activities related to the wellness program, and you will not be asked or required to waive the confidentiality of your health information as a condition of participating in the wellness program or receiving an incentive. Anyone who receives your information for purposes of providing you services as part of the wellness program will abide by the same confidentiality requirements. The only individual(s) who will receive your personally identifiable health information is (are) [indicate who will receive information such as “a registered nurse,” “a doctor,” or “a health coach”] in order to provide you with services under the wellness program.
In addition, all medical information obtained through the wellness program will be maintained separate from your personnel records, information stored electronically will be encrypted, and no information you provide as part of the wellness program will be used in making any employment decision. [Specify any other or additional confidentiality protections if applicable.] Appropriate precautions will be taken to avoid any data breach, and in the event a data breach occurs involving information you provide in connection with the wellness program, we will notify you immediately.
You may not be discriminated against in employment because of the medical information you provide as part of participating in the wellness program, nor may you be subjected to retaliation if you choose not to participate.
If you have questions or concerns regarding this notice, or about protections against discrimination and retaliation, please contact [insert name of appropriate contact] at [contact information].
Additional Information from the Q&As
An employer may have its wellness program provider give the notice, but the employer is still responsible for ensuring that employees receive it. (Q/A 2)
Once the notice requirement becomes effective, the EEOC’s rule does not require that employees get the notice at a particular time (e.g., within 10 days prior to collecting health information). But they must receive it before providing any health information, and with enough time to decide whether to participate in the program. Waiting until after an employee has completed an HRA or medical examination to provide the notice is illegal. (Q/A 4)
The ADA rule only requires a notice, not signed authorization, though other laws, like HIPAA, may require authorization. Title II of the Genetic Information Nondiscrimination Act (GINA) requires prior, written, knowing, and voluntary authorization when a wellness program collects genetic information, including family medical history. (Q/A 5)
The notice can be given in any format that will be effective in reaching employees being offered an opportunity to participate in the wellness program. For example, it may be provided in hard copy or as part of an email sent to all employees with a subject line that clearly identifies what information is being communicated (e.g., “Notice Concerning Employee Wellness Program”). Avoid providing the notice along with a lot of information unrelated to the wellness program as this may cause employees to ignore or misunderstand the contents of the notice. If an employee files a charge with EEOC and claims that he or she was unaware of a particular medical examination conducted as part of a wellness program, EEOC will examine the contents of the notice and all of the surrounding circumstances to determine whether the employee understood what information was being collected, how it was being used, who would receive it, and how it would be kept confidential. (Q/A 6)