- The ERISA and HIPAA Privacy Implication of Employee Assistance Programs
- March 22, 2004
- Law Firm: Winston & Strawn LLP - Chicago Office
An increasing common form of benefit program available to employees is an employee assistance program, or EAP. Frequently, we are asked whether these programs are subject to ERISA, and over the last few years, whether they are subject to HIPAA's privacy procedures.
The nature of EAPs has evolved over time, and the guidance that the DOL provided in this area was given at an early stage of the industry's development. Nonetheless, it presents the rules in this area. The DOL has focused upon whether such arrangements provide health care in determining whether such arrangements will be treated as employee welfare benefit plans. In most instances, EAPs will be deemed by the DOL to be providing health care, and thus subject to ERISA. For example, counseling sessions, even if limited in number, providing assistance for problems related to drug and alcohol abuse, stress, anxiety, depression, and similar health problems are considered health care. This rule applies even in the instance in which the EAP counselor refers employees to professionals for further counseling or assistance after a preliminary analysis. The only exception to this rule is for a purely telephone referral system, which is rarely found today, and conceptually is difficult to understand, because some level of triage is necessary in order to make an appropriate referral to a professional.
Assuming that the EAP is treated as a welfare benefit plan for purposes of ERISA, a number of consequences will follow. First, under ERISA's fiduciary rules, a written plan document and summary plan description will be required. In our experience, this requirement is observed more in the breach. Typically, there will be a brochure and a services agreement, but rarely something that resembles a formal plan. Second, it will be subject to the HIPAA privacy requirements, likely requiring a plan amendment. Third, if the EAP provides for management referrals as well as self-referrals, it may be necessary to satisfy the HIPAA privacy requirements to create firewalls so that those persons in HR who deal with the EAP provider have no role in personnel decisions.