Many workplace wellness programs use a wellness portal that participants use to provide health information through a health risk assessment, learn healthy living tips, track fitness or nutrition progress, among other things. These wellness portals are not immune from complying with laws governing the collection, storage, use and disclosure of participant health information. Owners of wellness portals must be aware of requirements under HIPAA, the FTC Act, the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA), for example.
In May 2016, the Equal Employment Opportunity Commission (EEOC) issued final rules under the ADA and GINA that impact wellness portals. The ADA requires wellness programs that collect health information, regardless of whether there are any incentives, to provide participants with a notice. The notice must be understandable, describe the type of medical information that will be obtained, the specific purposes for which the information will be used, and describe how the employer will protect that health information from improper disclosure. The EEOC issued a sample notice, which can be found here. Importantly, this notice must be provided before the participant reveals their health information through the portal. That means that the portal must have a mechanism in place to ensure that the participant sees the notice. This might be through a pop-up window that the participant must read before moving into the portal services and offerings.
Similarly, the GINA rules require an “authorization” for the collection of “genetic information.” The final GINA rules now permit wellness programs to incentivize employee spouses to disclose the spouse's manifestation of disease or disorder information. Such information is considered “genetic information” and may be collected through a spouse completing a health risk assessment on the wellness portal. Before the spouse can disclose that information, however, the spouse must provide “prior, knowing, voluntary and written authorization.” The authorization form must also describe the confidentiality protections and restrictions on the disclosure of genetic information.
For wellness portals, this prior, knowing, voluntary and written authorization may need to take the form of a pop-up window that the wellness participant actively acknowledges seeing and reading, perhaps through an electronic signature, before revealing their manifestation of disease or disorder information through the portal. The Center for Health and Wellness Law, LLC has helped clients navigate how to address these requirements through wellness portals.
One other item of note for wellness portals under the EEOC rules: portals should not just be about collecting health information. The portal must offer meaningful follow-up to the participants in order to meet the ADA and GINA requirements that the wellness program be “reasonably designed to promote health and prevent disease.” The EEOC rules state that the program must provide results, follow-up information or advice in order to be reasonably designed to promote health or prevent disease. The Center for Health and Wellness Law, LLC can help ensure your portal is in compliance. Please contact our firm to assist with your wellness compliance needs.