Subscribe (Free) to
Daily or Weekly Newsletters
Post a Job

Featured Jobs

ERISA Compliance Consultant

Employee Fiduciary, LLC
(Remote / AL)

Employee Fiduciary, LLC logo

Pension Plan Administrator

DeMars Pension Consulting Services, Inc.
(Remote / Overland Park KS / Hybrid)

DeMars Pension Consulting Services, Inc. logo

Retirement Plan Administrator

Retirement Solutions Specialists
(Remote / Jacksonville FL / Hybrid)

Retirement Solutions Specialists logo

Enrolled Actuary

Concierge Retirement Services, Inc.

Concierge Retirement Services, Inc. logo

Retirement Plan Consultant

Concierge Retirement Services, Inc.

Concierge Retirement Services, Inc. logo

Senior Specialist, 401k Recordkeeping

T Bank N.A.
(Dallas TX / Hybrid)

View More Employee Benefits Jobs

Free Newsletters

“BenefitsLink continues to be the most valuable resource we have at the firm.”

-- An attorney subscriber

Mobile app icon
LinkedIn icon     Twitter icon     Facebook icon

Guest Article

(From the Employer's Guide to HIPAA Privacy Requirements, Thompson Publishing Group)

Employers May Need to Restructure EAPs to Minimize Impact of Privacy Rules

Summary: Employers should consider restructuring their employee assistance programs (EAPs) to minimize the impact of HIPAA's privacy rules. In addition, special protections may apply to employee communications made in the course of an EAP's mental health treatment.

Employers should re-examine their employee assistance programs (EAPs) in light of HIPAA's privacy rules to determine whether such programs must be restructured to minimize the rules' impact, according to an official with a leading EAP vendor. In addition, a recent court case suggests that special protections will apply to employee communications made in the course of an EAP's mental health treatment.

Many EAPs offer medical services and are subject to ERISA as employee welfare benefit plans. These EAPs will therefore be subject to HIPAA's privacy requirements as "health plans," said Steve Birek, associate general counsel for ValueOptions Inc., a managed care organization that operates in 20 states. If the EAP is deemed to be a "full-benefit" program subject to ERISA, then the employer must make the same kinds of decisions -- regarding the flow of protected health information (PHI) and the need to amend plan documents -- as apply to the group health plan, he said.

On the other hand, a "referral-only" EAP is not an employee welfare benefit plan or a health plan, and thus is not a covered entity for purposes of HIPAA's privacy rules, Birek said. Industry standards define a referral-only plan as one that offers three or fewer "permissible uses" (services or benefits) per participant per year, he said.

However, if an EAP permits four or more uses, "then it crosses over the line to become a full-benefit plan," Birek said. For purposes of this determination, it does not matter whether the EAP is run by the employer or an outside vendor, he noted.

For employers that are not subject to ERISA, EAPs that provide medical services are likely to meet the definition of a "health plan" under HIPAA. If the EAP is a health plan, the employer must determine whether it is receiving PHI through the program or, if the program is outsourced, what reports the employer gets from the vendor, Birek said. "Protected health information comes in the door many different ways."

For example, an employer may say, "we'll do the second level of the ERISA appeal," but when the employer's human resources (HR) office receives the file for that purpose, it includes PHI, Birek said. Or the employer may obtain PHI from a medical vendor to adjudicate a disability claim, he said. Employers must decide whether such uses of PHI are worth the organizational requirements, such as amendment of plan documents, that HIPAA's privacy rules impose on employers with access to PHI, he said.

EAPs are worksite-based programs designed to help employees identify and resolve personal issues ranging from health, marital and financial problems to substance abuse and emotional problems. EAP counselors often help to resolve issues affecting employee health and well-being by providing comprehensive assessments and short-term counseling, referring clients for appropriate treatment where necessary, and providing follow-up services.

In addition to possibly being a health plan, an EAP may be considered a health care provider, depending on the scope of the services it performs. If the EAP is a provider, and it performs HIPAA-standard transactions, then it generally may not disclose PHI to the employer for use regarding employment-related purposes without the employee's authorization. (However, it could disclose PHI to a group health plan for treatment, payment or health care operations purposes.)

Special concerns may occur if an employer retains a third-party EAP provider, but employs HR staff who serve as intermediaries between employees and the EAP program. For example, in some circumstances, someone on the HR staff may discuss EAP-related issues with employees and refer them to the EAP for treatment. Employers must determine how to continue to provide employee assistance referrals in light of the HIPAA privacy rules.

Some restructuring of the EAP system may be necessary. For example, an employer may wish to create firewalls that require their HR staff who meet with employees on these issues to maintain the confidentiality of the information. It may wish to separate the functions of the HR department so that staff who provide EAP assistance have no role in personnel decisions. If an employer determines that its EAP (both internal and out- sourced) constitutes a "health plan," it will have to adopt protections consistent with the privacy rules.

Special Protection for Mental Health Counseling

In addition to the overall HIPAA requirements that apply to EAPs, special protection applies to employee communications made to an EAP in the course of mental health counseling. A federal appeals court has ruled that the common-law legal protections for psychiatrist-patient communications apply to these EAPs as well, even if the program's counselors are not licensed mental health professionals. The case is Oleszko v. State Compensation Insurance Fund, 243 F.3d 1154 (9th Cir., 2001).

Although the 9th U.S. Circuit Court of Appeals did not rule on or discuss confidentiality of EAP communications in the context of HIPAA's privacy rules, its opinion in Oleszko appears to confirm that the EAP communications involve PHI, and that these communications are subject to the rules.

The case arose when Oksana Oleszko alleged sexual harassment, discrimination and retaliation against her individual supervisors and the California State Compensation Insurance Fund's EAP. Oleszko sought to obtain information from the EAP about counseling provided to other employees, but the EAP refused on the ground that the communications were privileged.

The 9th Circuit filled in some blank spots from a U.S. Supreme Court ruling in Jaffee v. Redmond, 518 U.S. 1 (1996). The Supreme Court in Jaffee held that communications with a psychotherapist are confidential and outweigh any evidentiary benefit that would result from breaching the psychotherapist-patient privilege, and that the privilege also extends to licensed social workers engaged in psychotherapy. The Jaffee court had not faced the issue of whether communications with unlicensed counselors providing EAP services were similarly protected, but the 9th Circuit determined that they are.

The policy reasons for applying the privilege to treatment by psychiatrists or social workers equally apply to EAPs, the 9th Circuit found. Moreover, the court noted, the provision of mental health services has changed significantly in the last 25 years, moving toward a "team" approach.

The 9th Circuit's ruling suggests that the special protections accorded "psychotherapy notes" by HIPAA's privacy rules will apply in the EAP context as well as the traditional clinical psychotherapy context.

Reprinted with permission from the September 2002 newsletter of the Employer's Guide to HIPAA Privacy Requirements, © Thompson Publishing Group, Inc., 2002. All rights reserved.

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.
© 2024, Inc.