Employer-sponsored wellness programs are designed to promote healthier lifestyles through health screenings, fitness incentives, and/or lifestyle coaching.
In recent years, such programs have become increasingly popular, offering benefits to both employees and employers. However, when not structured properly, wellness programs can create various legal risks. Ensuring compliance with applicable laws, such as the Americans with Disabilities Act ("ADA"), the Genetic Information Nondiscrimination Act ("GINA"), and the Health Insurance Portability and Accountability Act ("HIPAA"), is essential to avoid legal repercussions.
GINA Considerations in Employer Wellness Programs
When offering employer-sponsored wellness programs, employers must ensure that they are properly collecting genetic information. GINA prohibits discrimination on the basis of genetic information with respect to health insurance and employment. In the context of employer-sponsored wellness programs, employers must abide by GINA. Many wellness programs ask employees to complete health risk assessments (commonly referred to as HRAs). If a health risk assessment inquires about family medical history, even if it only asks employees to consider providing the information voluntarily, then the employer runs the risk of violating GINA.
However, GINA allows the collection of such health information if: (1) it is voluntary; (2) the employee provides prior, knowing, written, and voluntary authorization for the employer to collect genetic information; (3) the information is kept confidential; and, (4) any incentive tied to participation does not depend on disclosing genetic information.
HIPAA Considerations for Wellness Programs: Privacy and Data Security Requirements
Another question that frequently arises when discussing health information in the workplace is whether HIPAA applies. Whether HIPAA applies to a wellness program depends on how the program is structured. HIPAA applies only to covered entities and business associates—it does not extend to employers in their capacity as employers.
When a wellness program is offered as part of a group health plan, the individually identifiable health information collected from or about the program's participants is protected health information ("PHI") covered by the HIPAA rules. Even though HIPAA protections do not directly apply to the employer, HIPAA does protect: (1) the individually identifiable health information held by the group health plan; and, (2) the PHI that is retained by the employer as plan sponsor on the plan's behalf when the plan sponsor administers aspects of the plan (i.e., wellness program benefits).
When collecting such information, employers must ensure that PHI is kept confidential and secure, stored separately from personnel files, and accessed only by authorized individuals. To ensure proper safeguards are in place, employers should create administrative safeguards (training and policies), physical safeguards (secure storage), and technical safeguards (encryption and access controls).
When a wellness program is offered by an employer directly (i.e., not as part of a group health plan), the information collected is not protected by HIPAA. However, other federal or state laws may apply to the use, collection, and protection of such information.
ADA Considerations for Wellness Programs: Voluntary Participation and Reasonable Accommodations
At its core, the ADA prohibits employers from discriminating against individuals because of a disability. Additionally, the ADA prohibits employers from making disability-related inquiries or requiring medical examinations unless they are job-related and consistent with business necessity. Because of these prohibitions, employers must ensure they are compliant with the ADA to avoid discrimination and protect employee and applicant rights.
While the ADA prohibits disability-related inquiries, the law allows such inquiries if they are part of a voluntary wellness program. To be truly voluntary, participation cannot be coerced or tied to significant incentives or penalties pressuring employees to disclose health information. In 2016, the Equal Employment Opportunity Commission (the "EEOC") published a final rule on wellness programs under the ADA. Under its final rule, the EEOC opined that if a wellness program is open only to employees enrolled in a particular plan, then the maximum allowable incentive an employer can offer is 30% of the total cost for self-only coverage.
However, since the publication of that 2016 final rule, and following a United States Court for the District of Columbia decision, the EEOC withdrew its wellness program incentive limits. Thus, legal uncertainty remains regarding how much of an incentive is too much. Therefore, employers should continuously review their wellness programs to determine whether there are incentives for participation that make employees feel like they have no choice but to participate.
In addition to ensuring wellness programs are voluntary, employers must maintain the confidentiality of any medical information collected through a wellness program. Like other medical information, this data should be stored securely and separately from personnel records. Employers should also ensure that reasonable accommodations are provided, meaning employees with disabilities are given alternative means to participate in a wellness activity. For example, an employee unable to join a walking challenge due to a mobility impairment should be offered an equivalent option to earn the same reward.
Conclusion
While wellness programs can improve employee health and reduce healthcare costs, they must be implemented with care. Legal compliance is not just a regulatory requirement—it’s critical to protecting employee rights and avoiding costly litigation. By aligning wellness programs with legal requirements, employers can support employee well-being without compromising privacy or incurring costly legal exposure.