June 19, 2015
Bernadette B. Wilson
Acting Executive Officer, Executive Secretariat
U.S. Equal Employment Opportunity Commission
131 M Street NE
Washington, DC 20507
Re: Amendments to Regulations Under the Americans With Disabilities Act: Proposed Rule
RIN No. 3046-AB01
The Privacy Rights Clearinghouse (PRC) appreciates the opportunity to comment on the Equal Employment Opportunity Commission’s (EEOC) proposed rule regarding regulations and interpretive guidance implementing Title I of the Americans with Disabilities Act (ADA) as they relate to employer wellness programs that include disability-related inquiries and/or medical examinations.
PRC is a nonprofit consumer privacy education and advocacy organization. We serve consumers nationwide and have invited individuals to contact us with their privacy-related questions, concerns, and complaints since 1992. Our mission is to engage, educate, and empower individuals to protect their privacy. In turn, we identify trends and communicate our findings to advocates, policymakers, industry, media, and other consumers.
Employees are concerned about data privacy and employer wellness programs.
Employer wellness programs may help reduce costs associated with healthcare and improve employee health overall, but they also raise significant concerns. PRC’s concerns relate primarily to the privacy of medical and behavioral data that such programs must collect to function.
PRC has received a number of complaints and questions from individuals regarding employer health and wellness programs. Individuals who are penalized for choosing not to participate in wellness programs describe feeling “extorted” to share information they don’t trust is being protected. Other individuals question the methods by which employers collect health information and transmit it to health plans or commercial vendors.
One individual who contacted us stated that a five (5) percent penalty on his health plan cost is enough to make him feel forced to participate in a program that collects data based on a blood sample.
Another individual noted: “I feel it is very invasive (not to mention inconvenient) to have to manage these appointments through the wellness program instead of just going to my own doctor and managing my own health…. The employer handles the payroll deductions for employee contributions to healthcare costs (which are partially funded by the employer). Isn’t the knowledge that an employee is paying higher premiums also giving the employer an indication that the employee’s health doesn’t meet screening standards? [Does this also] enable them to potentially use that knowledge to discriminate against that employee?”
A third individual, who identified himself as disabled and stated that his prescription information had been shared with third parties through a wellness program, is now being contacted by companies offering to help him manage diseases (most of which he does not have).
These are just a few examples of the types of complaints the PRC receives regarding employer wellness programs. They illustrate relevant employee concerns that the EEOC addresses in the proposed rule.
The EEOC should issue rules to address wellness programs offered through group health plans as well as programs offered through vendors not subject to HIPAA.
PRC’s big-picture concern with the proposed rule is that it primarily applies to wellness programs that employers offer in connection with group health plans. We believe it is necessary for EEOC rules and guidance to also meaningfully account for privacy and security implications of wellness programs that are administered by vendors who are not covered under the Health Insurance Portability and Accountability Act (HIPAA).
We find that many individuals assume that all health and medical information is protected by HIPAA. They do not realize that HIPAA only applies to covered entities and their business associates. In turn, individuals are often surprised when they find out their sensitive information is subject to a vendor’s privacy policy (if the vendor even has one) and/or a contractual agreement with their employer.
We always recommend that employees ask employers whether the program in question is administered through a health plan or part of an agreement with a commercial vendor. When a wellness program is only subject to an agreement with a vendor to provide the service to employees, we warn individuals that they should ask questions and read the vendor’s privacy policy. However, privacy policies are notoriously difficult to understand and often give individuals no rights with regard to their information. In addition, many individuals are unaware of the potential commercial value of their health and wellness data. For these reasons, we encourage the EEOC to write privacy protections into rules and guidance that cover all employer wellness plans.
PRC recommends that the proposed rule apply to wellness programs regardless of whether they offer rewards or penalties considered de minimis.
As technology has advanced, so has the ability to take data from one source and combine it with data from other sources to make inferences about individuals. This is particularly concerning in the health arena where data may be combined to reveal disabilities or other sensitive health issues. Health plans, commercial vendors not covered under HIPAA, and employers have the ability to collect vast amounts of employee health and medical data through wellness programs regardless of the incentives an employer offers to encourage employee participation. Therefore, PRC believes it is critical for the EEOC to include all employer wellness programs in both its rules and guidance.
PRC recommends that the EEOC require additional privacy protections for information collected through employer wellness plans.
PRC is pleased that the EEOC’s proposed rule requires employers to provide employees notice that clearly explains what medical information will be collected, who will receive the medical information, how the medical information will be used, the restrictions on its disclosure, and the methods the covered entity will employ to prevent improper disclosure of the medical information. We also support the intent of the EEOC’s proposal to allow disclosure of medical information to employers only in aggregate form. However, even if employers do not have access to an employee’s medical information, we are concerned that they may make inferences and decisions based solely on whether an employee participates in a wellness program.
PRC believes that the EEOC should strengthen its rules to give employees additional privacy protections for their health information regardless of whether a wellness program is administered by a health plan. For example, employees should have the right to receive a privacy notice, and access and obtain copies of any health or medical information stored by vendors who are not HIPAA covered entities. They should be able to dispute incorrect information and request amendment. In addition, employees should be able to find out who their information has been disclosed to and restrict certain disclosures. These rights should be clear, and they should be easy to exercise. Individuals deserve privacy protections regardless of whether their employer’s wellness program is administered by a HIPAA covered entity.
The EEOC should obtain more information before finalizing its rule with regard to determining what constitutes a “voluntary” wellness program under the ADA.
The ADA requires wellness programs that include disability-related inquiries and/or medical examinations to be voluntary. In its request for comments, the EEOC poses the question of whether an individual should be allowed to obtain certification from his or her physician in lieu of disclosing medical information for a wellness program. PRC does not have the expertise to comment on whether a particular practice is appropriate. However, we do believe that EEOC rules should require employers to offer employees some type of viable alternative to disclosing additional medical information that may reveal a disability in order to receive a benefit.
In addition, individuals, especially those with disabilities they wish to keep confidential, should not be forced to choose between disclosing sensitive medical information and forgoing cost savings. Up to thirty (30) percent of the cost of employee-only coverage can add up to a significant amount of money, especially for low- or moderate-income families. Therefore, we recommend that EEOC conduct further research into the effects of such incentives.
Finally, while PRC believes employers should always offer employees the opportunity to affirmatively opt in to employer wellness programs, we do not believe it is meaningful to require employees to sign an authorization stating that their participation is voluntary. If employees have no viable alternative and cannot afford to take a penalty or forgo cost savings, they may participate but feel they have not made a voluntary choice to give up additional health or medical information.
PRC appreciates the opportunity to submit comments, and is happy to answer any further questions.
Beth Givens
Executive Director
Privacy Rights Clearinghouse
https://www.privacyrights.org