A workplace wellness program may be subject to a number of different federal laws, depending on how the program is structured. An employer’s wellness program that provides medical care (for example, biometric screenings) is generally subject to ERISA, COBRA and the HIPAA privacy and security rules. These laws require employers to:
- Explain the wellness program’s terms in a summary plan description (SPD);
- Provide qualified beneficiaries with the opportunity to elect COBRA coverage after experiencing a qualifying event; and
- Protect the individually identifiable health information collected from or created about participants in the wellness program.
To simplify their compliance obligations, employers often incorporate their wellness programs into their group health plans. This would allow them, for example, to include the wellness program in the group health plan’s SPD.
Wellness Program Design
As employers look for ways to control health care costs, many consider workplace wellness programs. Workplace wellness programs can encourage employees to make lifestyle changes to improve their health or adhere to a particular course of treatment.
Workplace wellness programs can take a variety of different forms—for example, some programs offer only educational services, while other programs offer gym memberships, biometric testing and health counseling. Wellness programs often incorporate incentives or rewards to encourage employee participation, such as gift cards, free or discounted gym memberships, or reductions in group health plan premiums.
There are a number of federal nondiscrimination rules that should be considered when designing a wellness program, such as those in HIPAA, the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA). These laws, for example, may limit the maximum reward offered by the wellness program.
In addition, employers should evaluate how sponsoring a wellness program impacts their compliance obligations under the HIPAA privacy and security rules and other federal laws, such as ERISA and COBRA.
ERISA sets minimum standards for employee benefit plans maintained by private-sector employers. ERISA exempts only two types of employers from its requirements—governmental and church employers.
Many plans or programs that provide benefits to employees are considered employee benefit plans that are subject to ERISA. In order for a wellness program to be considered an ERISA-covered employee benefit plan, it must satisfy all of the following requirements:
- There must be a plan, fund or program
- That is established or maintained by an employer
- For the purpose of providing medical, surgical, or hospital care
- To participants and their beneficiaries
Wellness Programs – Medical Care
In general, a wellness program’s status as an ERISA-covered benefit depends on the services or care provided by the program. If a wellness program provides medical care, it will be considered a group health plan subject to ERISA.
Wellness programs that include the following services are considered ERISA plans because they provide medical care:
- Counseling services from trained professionals;
- Physical examinations;
- Biometric screenings (for example, blood pressure or cholesterol screenings); or
- Flu shots or other immunizations.
However, wellness programs that only consist of educational services or merely encourage healthy living habits (for example, healthy cooking classes or exercise programs) do not provide medical care, and are not covered by ERISA.
Under ERISA, employers are required to take the following steps with respect to their employee benefit plans:
- Adopt an official plan document that describes the plan’s terms and operations;
- Explain the plan’s terms and rules to participants through an SPD;
- File an annual report (Form 5500) for the plan, unless a filing exemption applies;
- Comply with certain fiduciary standards of conduct with respect to the plan; and
- Establish a claims and appeals process for participants to receive benefits from the plan.
Wellness programs are commonly offered as a component of an employer’s group health plan. Under this approach, only individuals who participate in the employer’s group health plan are eligible for the wellness program. Many ERISA requirements for a wellness program (for example, the plan document and SPD) can be satisfied by incorporating the program into the group health plan’s ERISA compliance.
COBRA requires covered group health plans to offer continuation coverage to employees, spouses and dependent children when group health coverage would otherwise be lost due to certain specific events, called qualifying events. COBRA generally applies to group health plans maintained by private-sector employers that had at least 20 employees on more than 50 percent of typical business days in the previous calendar year.
COBRA does not apply to group health plans maintained by small employers (those with fewer than 20 employees) or churches. There are also special coverage rules for government employers, although, as a practical matter, most government group health plans are required to offer continuation coverage.
Wellness Program – Medical Care
A wellness program that provides medical care is considered a group health plan that is subject to COBRA, unless the employer sponsoring the program qualifies for the exemption for small employers or churches.
“Medical care” broadly refers to the diagnosis, cure, mitigation and prevention of disease and includes wellness services such as physical examinations, biometric screenings, counseling services and flu shots or other immunizations.
If a wellness program is subject to COBRA, qualified beneficiaries must be given the opportunity to elect COBRA coverage for the program after experiencing a qualifying event (for example, a termination of employment). Certain notices must also be provided to plan participants, including an initial notice when participation begins and an election notice after a qualifying event occurs.
Employers often bundle their wellness programs with their group health plans, so that only employees who participate in the group health plan are eligible for the wellness program. In these cases, the employer may design its COBRA practices so that only qualified beneficiaries who elect COBRA coverage for the group health plan are eligible to continue coverage under the wellness program.
However, if the wellness program is offered to all employees, including those who are not enrolled in the employer’s group health plan, COBRA coverage for the wellness program must be offered separately. This may increase the risk to the employer because individuals who elect COBRA for the wellness program have the same open enrollment and HIPAA special enrollment rights as similarly situated active employees.
In general, the maximum COBRA premium is 102 percent of the cost to the plan for similarly situated beneficiaries who have not experienced a qualifying event. In calculating premiums for continuation coverage, a plan can include the costs paid by both the employee and the employer, plus an additional 2 percent for administrative costs.
Unfortunately, the IRS has not issued much guidance on calculating COBRA premiums and has not specifically addressed how to calculate the premium for a wellness program. However, plan sponsors are expected to calculate COBRA premiums “in good faith compliance with a reasonable interpretation” of COBRA’s requirements.
Employers may offer premium discounts as a wellness program reward. An employer’s premium discount does not affect the COBRA premium because the cost to the plan for purposes of setting COBRA premiums combines the cost to both the employer and employee.
HIPAA Privacy and Security Rules
The HIPAA privacy and security rules protect individuals’ identifiable health information—called protected health information (or PHI)—held by covered entities or their business associates. Health plans are a type of covered entity.
Wellness programs that provide medical care (for example, biometric screenings) are generally considered health plans that are subject to HIPAA’s privacy and security rules. Wellness programs offered as part of a health plan are also subject to the HIPAA rules. For example, a wellness program is considered part of a group health plan when an employer offers incentives or rewards related to group health plan benefits, such as reductions in premiums or cost-sharing amounts, in exchange for participation in the program.
There is a narrow exemption for certain small, self-funded health plans. Under this exemption, a wellness program with fewer than 50 eligible employees that is administered by the employer that sponsors the program is exempt from the HIPAA rules.
HHS issued frequently asked questions (FAQs) that address the applicability of the HIPAA privacy and security rules to workplace wellness programs. According to these FAQs:
- Where a wellness program is offered as part of a group health plan, the individually identifiable health information collected from or created about participants in the wellness program is PHI and protected by the HIPAA rules. HIPAA also protects PHI that is held by the employer as plan sponsor on the plan’s behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan.
- Where a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information that is collected from employees by the employer is not protected by the HIPAA rules. However, other federal or state laws may apply and regulate the collection and use of the information.
The HIPAA privacy and security rules restrict the circumstances under which a group health plan may allow an employer as plan sponsor access to PHI, including PHI about participants in a wellness program offered through the plan, without the written authorization of the individual.
Often, the employer as plan sponsor will be involved in administering certain aspects of the group health plan, which may include administering wellness program benefits offered through the plan. Where this is the case, and absent written authorization from the individual to disclose the information, the group health plan may provide the employer as plan sponsor with access to the PHI necessary to perform its plan administration functions, but only if the employer as plan sponsor amends the plan documents and certifies to the group health plan that it agrees to, among other things:
- Establish adequate separation between employees who perform plan administration functions and those who do not;
- Not use or disclose PHI for employment-related actions or other purposes not permitted by the privacy rule;
- Where electronic PHI is involved, implement reasonable and appropriate administrative, technical and physical safeguards to protect the information, including by ensuring that there are firewalls or other security measures in place to support the required separation between plan administration and employment functions; and
- Report to the group health plan any unauthorized use or disclosure, or other security incident, of which it becomes aware.
Employers that sponsor fully insured medical plans often do not perform plan administration functions on behalf of the group health plan. These employers have limited compliance responsibilities under the HIPAA rules if the information they receive from the health insurance issuer or health plan is limited to enrollment information and summary health information (if requested for purposes of modifying the plan or obtaining premium bids for coverage under the plan). However, sponsoring a self-funded or self-administered wellness program may subject the employer to additional HIPAA compliance requirements, unless the program qualifies for the exemption for small plans.