HIPAA Compliance Checklist for Employee Assistance Programs (EAPs)
HIPAA Applicability to EAPs
Determine first whether your Employee Assistance Program functions as a covered entity or a business associate. An EAP that provides counseling or clinical assessment and handles standard electronic transactions typically operates as a group health plan subject to the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule. Vendor-operated EAPs often act as business associates to the sponsoring group health plan.
Clarify what data you handle. Protected Health Information (PHI) collected for the EAP must be segregated from general HR records, which are not PHI under HIPAA. Limit employer access to enrollment and summary information unless participants authorize more expansive disclosures.
Quick applicability checkpoints
- Does the EAP provide medical care (e.g., counseling, assessment, referrals) and pay for or arrange such care?
- Does the plan or vendor create, receive, maintain, or transmit PHI electronically?
- Will the employer receive PHI beyond enrollment/summary health information?
- Does the EAP handle substance use disorder information subject to 42 CFR Part 2? If so, Part 2’s consent and redisclosure limits apply in addition to HIPAA.
- Is the EAP an ERISA plan? If yes, align HIPAA obligations with ERISA Reporting Requirements (e.g., SPD, claims procedures, potential Form 5500 filings).
Self-Insured EAPs Compliance
Self-insured EAPs are generally group health plans. You, as the plan sponsor, must implement the full HIPAA compliance framework and keep EAP PHI walled off from employment decision-makers.
Operational checklist
- Adopt plan documents and plan sponsor certifications that restrict use/disclosure of PHI and establish a firewall between HR/employment functions and the EAP.
- Designate Privacy and Security Officials; document HIPAA policies, sanctions, and complaint processes.
- Issue and post a Notice of Privacy Practices; track individual rights (access, amendments, restrictions, confidential communications, and accounting of disclosures).
- Execute Business Associate Agreements with all vendors handling PHI (intake lines, counseling networks, TPAs, cloud platforms).
- Apply the minimum necessary standard; require authorizations for disclosures to supervisors or the employer beyond permitted uses.
- Conduct a Security Rule risk analysis; implement administrative, physical, and technical safeguards for ePHI.
- Address 42 CFR Part 2 when applicable (e.g., combine HIPAA-compliant BAAs with Part 2 Qualified Service Organization Agreements and consent language).
- Coordinate with ERISA Reporting Requirements, including maintaining plan documents, SPDs, and any required filings without exposing PHI.
Fully-Insured EAPs Compliance
When an insurer underwrites the EAP, the issuer typically handles core HIPAA obligations for its operations. The plan sponsor may be relieved of several Privacy and Security Rule implementation steps if it does not create or receive PHI other than enrollment and summary health information.
Plan sponsor focus
- Confirm that only enrollment and summary health information flows to the employer unless a participant signs a valid authorization.
- Ensure plan documents restrict employer use/disclosure of any PHI received and certify sponsor compliance where required.
- Verify the insurer’s HIPAA compliance (NPP distribution, Security Rule safeguards, breach notifications) and maintain BAAs only where the sponsor or its vendors receive PHI.
- If the sponsor receives ePHI for operations, adopt appropriate Privacy Rule policies and Security Rule safeguards for that use.
- Address 42 CFR Part 2 limits for any SUD-related information you or your vendors may handle.
Business Associate Agreements
Any service provider that creates, receives, maintains, or transmits PHI for your EAP must sign a Business Associate Agreement. Typical parties include clinical networks, intake/call centers, telehealth platforms, TPAs, data analytics providers, and cloud or ticketing systems.
Essential BAA terms
- Permitted and required uses/disclosures; prohibition on unauthorized uses and marketing/sale of PHI.
- Safeguards aligned to the HIPAA Security Rule; encryption and incident detection requirements.
- Subcontractor flow-down obligations; right to audit or request attestations.
- Timely breach and security incident reporting; cooperation with risk assessments and notifications.
- Access, amendment, and accounting support; return or secure destruction of PHI at termination.
- 42 CFR Part 2 overlay where applicable, often via a combined BAA/QSOA, including redisclosure prohibitions and consent language.
Privacy Rule Requirements
The HIPAA Privacy Rule governs how your EAP uses and discloses PHI, with special care to keep PHI out of employment files. Most EAP uses will fall under treatment, payment, and health care operations; other disclosures generally require a participant’s written authorization.
Core Privacy Rule actions
- Provide a clear Notice of Privacy Practices describing EAP uses/disclosures and participant rights.
- Apply the minimum necessary standard and role-based access; verify a requestor's identity and authority before releasing PHI.
- Honor rights to access and receive copies, request amendments, request restrictions, confidential communications, and an accounting of disclosures.
- Use de-identified data or a limited data set with a data use agreement when feasible.
- Disclose to the employer only as allowed (e.g., enrollment information) unless a valid authorization is obtained or a law requires disclosure.
- For SUD-related records, follow 42 CFR Part 2 consent elements and attach the required redisclosure warning on any permitted disclosures.
Security Rule Safeguards
The HIPAA Security Rule requires a documented, risk-based program protecting electronic PHI (ePHI). Your safeguards should reflect how the EAP collects data (phone, web, telehealth), where it resides, and who can access it.
Administrative safeguards
- Enterprise-wide risk analysis and risk management plan with defined risk acceptance criteria.
- Assigned security responsibility; workforce screening, training, and sanctions.
- Contingency planning: backups, disaster recovery, and emergency mode operations testing.
- Vendor due diligence and BAA management; incident response playbooks; periodic evaluations.
Physical safeguards
- Facility access controls; secured file rooms; clean desk/clean screen practices.
- Device/media controls: encryption, tracking, and secure disposal; BYOD restrictions.
- Workstation security for hybrid/remote teams and telehealth counselors.
Technical safeguards
- Unique user IDs, least-privilege access, multi-factor authentication, and timely termination of access.
- Encryption in transit and at rest; secure messaging and telehealth platforms.
- Audit logs, anomaly detection, and regular review of access reports.
- Automatic logoff, patching, vulnerability management, and segmentation of EAP systems from HR networks.
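As an added illustration (not code from the original page or from any product), the following Python reviews a constructed access-report export for the conditions this list calls out: EAP PHI reached by HR roles despite the HR/EAP firewall, PHI access by roles with no clinical need, and exports outside normal hours. The log format, role names and record types are assumptions.

```python
import csv
import io

# Constructed sample access-report export (not from any real system).
# Columns: timestamp, user, role, system, record_type, action
SAMPLE_LOG = """timestamp,user,role,system,record_type,action
2024-03-04T09:12:00Z,jlee,eap_counselor,eap_ehr,clinical_note,read
2024-03-04T09:15:00Z,jlee,eap_counselor,eap_ehr,clinical_note,write
2024-03-04T10:02:00Z,mpatel,hr_generalist,hris,enrollment,read
2024-03-04T10:40:00Z,mpatel,hr_generalist,eap_ehr,clinical_note,read
2024-03-04T11:00:00Z,svc_backup,service,eap_ehr,clinical_note,read
2024-03-04T02:13:00Z,jlee,eap_counselor,eap_ehr,clinical_note,export
"""

# Assumed classification: which record types are EAP PHI, which roles may
# touch them, and which roles belong to the employer/HR side of the firewall.
PHI_RECORD_TYPES = {"clinical_note", "assessment", "referral"}
ALLOWED_PHI_ROLES = {"eap_counselor", "eap_privacy_official"}
HR_ROLES = {"hr_generalist", "hr_manager"}
BUSINESS_HOURS = range(7, 19)  # UTC hours treated as normal for this example


def review_access_log(log_text):
    """Return (finding, user, timestamp) tuples for entries needing review."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        is_phi = row["record_type"] in PHI_RECORD_TYPES
        if is_phi and row["role"] in HR_ROLES:
            # HR side of the plan-sponsor firewall reached clinical PHI.
            findings.append(("hr_boundary_violation", row["user"], row["timestamp"]))
        elif is_phi and row["role"] not in ALLOWED_PHI_ROLES:
            # Least privilege: a role with no clinical need touched PHI.
            findings.append(("unexpected_role_access", row["user"], row["timestamp"]))
        hour = int(row["timestamp"][11:13])
        if row["action"] == "export" and hour not in BUSINESS_HOURS:
            # Bulk export outside normal hours is worth a second look.
            findings.append(("off_hours_export", row["user"], row["timestamp"]))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(finding)
```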
Breach Notification Rule
A breach is an impermissible acquisition, access, use, or disclosure of unsecured PHI that compromises its security or privacy, unless a documented risk assessment shows a low probability of compromise. Assess the nature/extent of PHI, the unauthorized person, whether PHI was actually viewed/acquired, and mitigation performed.
Response checklist
- Identify, contain, and eradicate the incident; preserve logs and evidence.
- Conduct a risk assessment and document findings; consult with relevant vendors via BAAs.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery; include required content and remediation steps.
- Notify HHS within 60 days for breaches affecting 500+ individuals in a state/jurisdiction; for smaller breaches, log and report to HHS annually.
- For 500+ individuals in a state/jurisdiction, notify prominent media as required.
- Coordinate with state data breach laws and 42 CFR Part 2, which may impose additional consent and redisclosure constraints.
- Perform root-cause analysis; implement corrective actions; retrain workforce; update risk analysis and policies.
Conclusion
Effective EAP compliance starts with scoping HIPAA applicability, building Privacy and Security Rule programs proportionate to risk, contracting carefully with vendors, and preparing for incidents under the Breach Notification Rule. Layer 42 CFR Part 2 where SUD data is present and align with ERISA Reporting Requirements to keep protections strong and obligations clear.
FAQs
What HIPAA rules apply to Employee Assistance Programs?
EAPs that function as group health plans or covered providers must follow the HIPAA Privacy Rule, HIPAA Security Rule for ePHI, and the Breach Notification Rule. Many vendor-run EAPs operate as business associates to the sponsoring plan and must meet contractual HIPAA requirements through a Business Associate Agreement. If the EAP handles substance use disorder records, 42 CFR Part 2 adds stricter consent and redisclosure limits.
How do self-insured EAPs ensure HIPAA compliance?
Self-insured EAPs should adopt plan documents and sponsor certifications, appoint Privacy and Security Officials, publish a Notice of Privacy Practices, implement Privacy Rule policies, conduct a Security Rule risk analysis with layered safeguards, and sign BAAs with all vendors handling PHI. They must also maintain strict firewalls from HR uses, honor participant rights, and coordinate obligations with ERISA Reporting Requirements.
What are the requirements for Business Associate Agreements with EAP vendors?
BAAs must define permitted uses/disclosures, require HIPAA Security Rule safeguards, mandate prompt breach reporting, flow down obligations to subcontractors, support access/amendment/accounting requests, and ensure return or destruction of PHI at termination. When substance use disorder information is involved, incorporate 42 CFR Part 2 provisions—often through a combined BAA and QSOA—with explicit redisclosure limitations.
What steps should EAPs take following a breach of PHI?
Immediately contain the incident, preserve evidence, and conduct a documented risk assessment. Notify affected individuals without unreasonable delay and within 60 days, and make required HHS and, if applicable, media notices. Coordinate with business associates, comply with state breach laws and any 42 CFR Part 2 constraints, and implement corrective actions, workforce retraining, and policy updates to prevent recurrence.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.