Healthcare Information Security

EEOC Proposed Rule May Affect Health Data Security

Workplace wellness programs potentially impact individuals' health data security, but a proposed rule change from EEOC may affect how information is gathered.

By Elizabeth Snell

A recently proposed rule from the Equal Employment Opportunity Commission (EEOC) could affect individuals’ health data security, as the rule would expand the types of data collected through employer wellness programs.

Health data security is a critical part of workplace wellness programs

The EEOC's proposed changes would amend certain aspects of the Genetic Information Nondiscrimination Act of 2008 (GINA) in six ways.

One change would be that “employers may request, require, or purchase genetic information as part of health or genetic services only when those services, including any acquisition of genetic information that is part of those services, are reasonably designed to promote health or prevent disease.”

However, EEOC adds that there must be a “reasonable chance” of improving an individual’s health or preventing disease to meet this standard. Health data cannot be collected if there is no type of follow-up or advice “designed to promote health or prevent disease.”

Another change proposed by EEOC is that employers may attach financial incentives of up to 30 percent of the cost of a family health plan to encourage wellness program participation.

“The employer also must obtain authorization from the spouse when collecting information about the spouse’s past or current health status, though a separate authorization for the acquisition of this information from the employee is not necessary,” the rule states.  

A covered entity would also be prohibited from “conditioning participation in a wellness program or an inducement on an employee” or the employee’s dependent on “agreeing to the sale of genetic information or waiving protections.” Disclosing genetic information is prohibited, EEOC explained, except in “six narrowly defined circumstances.”

GINA defines those six circumstances as follows:

(1) to the employee or member of a labor organization (or family member if the family member is receiving the genetic services) at the written request of the employee or member of such organization;

(2) to an occupational or other health researcher if the research is conducted in compliance with the regulations and protections provided for under part 46 of title 45, Code of Federal Regulations;

(3) in response to an order of a court;

(4) to government officials who are investigating compliance with this title if the information is relevant to the investigation;

(5) to the extent that such disclosure is made in connection with the employee’s compliance with the certification provisions of section 103 of the Family and Medical Leave Act of 1993 (29 U.S.C. 2613) or such requirements under State family and medical leave laws; or

(6) to a Federal, State, or local public health agency only with regard to information that is described in section 201(4)(A)(iii) and that concerns a contagious disease that presents an imminent hazard of death or life-threatening illness, and that the employee whose family member or family members is or are the subject of a disclosure under this paragraph is notified of such disclosure.

An employee’s children are also exempt from having their genetic information revealed. EEOC explained in a statement that there is a greater likelihood of an employee being discriminated against when the employer has access to the children’s genetic information rather than a spouse’s.

“Our goal in developing this proposed rule is to provide clarity for employees and employers,” EEOC Chair Jenny R. Yang said in a statement. “We spent considerable time working with our partners at the U.S. Departments of Labor, Health and Human Services, and Treasury to construct a rule that protects workers and their families while encouraging wellness programs that benefit employers and employees alike.”

There is a 60-day comment period for the proposed rule. From there, EEOC will evaluate any comments and potentially make changes.
