HIPAA Compliance for Employee Assistance Programs

Many companies offer benefits to workers in the form of Employee Assistance Programs (EAPs). In most instances, EAPs are subject to the HIPAA Privacy, Security, and Breach Notification rules. This article discusses HIPAA compliance for employee assistance programs.

What is HIPAA Compliance for Employee Assistance Programs and Employers?

HIPAA compliance for employee assistance programs requires the program’s medical care component to comport with the HIPAA Privacy Rule and the HIPAA Security Rule. In certain instances, an employer who maintains an EAP also will be subject to the HIPAA regulations, as seen below.


What is the Difference Between a Self-Insured EAP and a Fully Insured EAP?

Self-insured (self-funded) EAPs are operated by the employer. In contrast, fully insured EAPs are EAPs the employer purchases from an insurance carrier. A fully insured EAP is administered by the carrier, not by the employer.

Employers acting as employers are generally not subject to HIPAA regulations. However, when an employer sponsors or administers a self-insured EAP that provides medical care, the EAP must be HIPAA compliant, to the extent the EAP comes into contact with PHI. Since the employer that sponsors or administers the EAP is acting on the plan’s behalf, the employer itself must comply with HIPAA as well.

For EAPs that are fully insured or embedded in a fully insured policy, such as long-term disability coverage, however, the insurer has the primary obligations for compliance with the HIPAA Rules for the EAP. The employer is not responsible for overall compliance with the HIPAA Rules for a fully insured EAP, provided the employer does not receive PHI from the insurer, or receives only summary health information or enrollment/disenrollment information.

What are the HIPAA Requirements for Self-Insured EAPs?

Employers who have a self-insured EAP must review the EAP plan documents to ensure they include any language required by the HIPAA Rules. In addition, employers must create and implement policies and procedures for the EAP to ensure the plan is and remains HIPAA compliant. Such policies and procedures should cover items such as when PHI may be used and disclosed, the security measures required under the Security Rule, and breach notification requirements.

Rather than reinvent the wheel, one option for employers to accomplish the above is to amend any existing compliance documents and policies and procedures they maintain under the HIPAA Rules for their self-insured group health plan (if they have one) so that they apply to the EAP as well.

What are the Business Associate Requirements for Self-Insured EAPs?

Employers with self-insured EAPs rely on vendors for plan administration and other functions. To the extent these functions involve sharing PHI, an employer whose EAP provides medical care must enter into a HIPAA business associate agreement with the EAP vendor. The business associate agreement must contain language under which the vendor agrees to safeguard ePHI.