HIPAA for Employee Assistance Programs: What Applies, What Doesn’t, with Examples

HIPAA for Employee Assistance Programs: What Applies, What Doesn’t, with Examples

Kevin Henry

HIPAA

December 08, 2024

8 minutes read
HIPAA Applicability to EAPs

Overview

Employee Assistance Programs (EAPs) range from short‑term counseling to work‑life referrals. HIPAA applies if the EAP functions as a Group Health Plan that provides “medical care,” such as counseling or treatment, to employees or dependents. When HIPAA applies, information handled by the EAP that identifies an individual’s health status or care is Protected Health Information (PHI).

HIPAA does not govern your company’s general employment records. Files kept solely for employment purposes (for example, fitness‑for‑duty letters held by HR) are outside HIPAA even if they include health details. The key question is whether PHI is created or received by the EAP for health plan operations, payment, or treatment.

What Applies

  • HIPAA Privacy Rule obligations for uses/disclosures of PHI, minimum necessary, and individual rights (access, copies, and amendments).
  • Security safeguards for electronic PHI (risk analysis, access controls, transmission protection, and contingency planning).
  • Business Associate Agreements when vendors handle PHI for the EAP.
  • Breach response and required notices if unsecured PHI is compromised.

What Doesn’t Apply

  • Purely non‑medical services, such as legal, financial, or daily‑living referrals that do not involve PHI.
  • Employer use of non‑PHI aggregated EAP metrics (for example, utilization rates without identifiers).
  • Employment records kept by the employer outside the health plan.

Examples

  • Applies: An EAP offers up to six counseling sessions per issue; the counselor documents sessions. Those records are PHI under the EAP health plan.
  • Applies: An EAP vendor hosts a secure tele‑counseling portal for dependents; the vendor is a business associate and must sign a Business Associate Agreement.
  • Doesn’t apply: An EAP hotline gives childcare and eldercare referrals only and collects no health details; no HIPAA obligations attach to those referral interactions.

EAPs as Group Health Plans

When an EAP Is a Group Health Plan

Your EAP is a Group Health Plan if it provides medical care—such as mental health counseling, substance use brief intervention, or clinical crisis support—to employees or dependents. Most counseling‑based EAPs meet this definition even if benefits are short‑term or free to the employee.

Core Privacy Rule Duties

  • Provide a Notice of Privacy Practices describing permitted uses/disclosures and individual rights; include where to submit requests and complaints.
  • Use and disclose PHI only as allowed by the Privacy Rule or individual authorization; apply the minimum necessary standard for routine uses.
  • Honor rights to access and obtain copies of PHI and to request amendments or an accounting of disclosures.

Security Safeguards for ePHI

  • Conduct a risk analysis of systems storing or transmitting PHI (e.g., EAP case management and telehealth tools).
  • Implement administrative, physical, and technical security safeguards, including role‑based access, audit logs, encryption in transit and at rest where feasible, and vendor oversight.
  • Establish incident response and contingency plans, including backups and disaster recovery testing.

Plan Sponsor and Documentation

  • Amend plan documents to restrict employer access to PHI and certify the plan sponsor’s permitted uses.
  • Train workforce members who administer the EAP on privacy and security policies.
  • Execute Business Associate Agreements with EAP vendors and any subcontractors that handle PHI.

Example

A self‑insured EAP covers counseling and manager consults about workplace interventions. The plan issues a Notice of Privacy Practices, limits HR’s access to PHI, executes BAAs with the EAP administrator and telehealth platform, and maintains documented security safeguards.

EAPs Not Covered by HIPAA

When HIPAA Doesn’t Apply

Some EAPs are structured to avoid providing medical care and therefore are not Group Health Plans. If your EAP solely offers referrals to community resources, legal/financial consultations, or concierge services—and does not deliver counseling or collect PHI—HIPAA does not apply to those activities.

Borderline Situations

  • Manager coaching lines that discuss workplace scenarios without identifying employee health information are typically non‑HIPAA.
  • Critical incident response that provides on‑site debriefs without documenting individual health information may be non‑HIPAA; documenting counseling notes for identifiable individuals likely triggers HIPAA.

Examples

  • Not covered: A vendor provides will‑writing webinars and budget coaching with no PHI; no HIPAA duties apply.
  • Covered: A vendor provides short‑term therapy via video and maintains case files; the EAP is a Group Health Plan subject to HIPAA.

Employer's HIPAA Compliance

Your Role as Plan Sponsor

The employer itself is not the covered entity; the EAP health plan is. As plan sponsor, you must firewall PHI from employment decisions, update plan documents to restrict PHI uses, and certify adherence to the Privacy Rule before receiving any PHI beyond enrollment or summary health information.

Operational Steps

  • Distribute the EAP Notice of Privacy Practices and related confidentiality notices that explain limits (e.g., danger to self/others, legal process).
  • Limit employer access to summary health information or de‑identified reports for plan administration and strategy, not for personnel actions.
  • Adopt policies for minimum necessary, individual rights, and breach response; train HR/benefits staff who touch PHI.
  • Implement appropriate security safeguards if you create, receive, maintain, or transmit ePHI (for example, if HR stores EAP eligibility files).
  • Ensure Business Associate Agreements are in place with the EAP administrator, telehealth platforms, secure messaging providers, and analytics vendors.

Example

Your benefits team receives quarterly utilization reports with counts by issue type but no identifiers. HR never receives names or case notes and cannot use PHI for performance or disciplinary decisions.
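The safeguards listed above (role-based access and audit logs for PHI under "Security Safeguards for ePHI", and the rule that HR sees only counts by issue type with no identifiers) can be expressed in a small access layer. The following Python is an added illustration written for this article, not code from the original post or any EAP vendor. Role names, the permission map, the case records, and the small-cell threshold that folds low counts into "other" are all constructed assumptions for the example.

```python
"""Role-based access and audit logging for an EAP case-file store.

Added illustration (not code from the original article or any vendor).
Shows two safeguards the article describes: role-based access with an
audit trail for PHI, and limiting the plan sponsor/HR to aggregate
utilization counts without identifiers. All records are constructed samples.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample case records (hypothetical identifiers, no real PHI).
CASES = [
    {"case_id": "C-1001", "employee_id": "E-0042", "issue": "stress", "notes": "Session 1 summary"},
    {"case_id": "C-1002", "employee_id": "E-0017", "issue": "stress", "notes": "Session 1 summary"},
    {"case_id": "C-1003", "employee_id": "E-0088", "issue": "stress", "notes": "Session 2 summary"},
    {"case_id": "C-1004", "employee_id": "E-0101", "issue": "family", "notes": "Session 1 summary"},
    {"case_id": "C-1005", "employee_id": "E-0064", "issue": "family", "notes": "Session 3 summary"},
    {"case_id": "C-1006", "employee_id": "E-0033", "issue": "substance", "notes": "Brief intervention"},
    {"case_id": "C-1007", "employee_id": "E-0120", "issue": "financial", "notes": "Referral only"},
]

# Role names and permissions are assumptions for this example; the article
# only states that HR/benefits staff must not receive names or case notes.
ROLE_PERMISSIONS = {
    "counselor": {"read_case_notes", "read_utilization_report"},
    "plan_administrator": {"read_utilization_report"},
    "hr_benefits": {"read_utilization_report"},
}

# Hypothetical small-cell threshold: issue types with fewer cases are folded
# into "other" so a low count cannot point at one person. This is an assumed
# extra safeguard, not a figure from the article.
MIN_CELL_SIZE = 2

# In-memory audit trail; a real deployment would write to tamper-evident storage.
AUDIT_LOG = []


class AccessDenied(PermissionError):
    """Raised when a role lacks the requested permission."""


def _audit(user, role, action, outcome, target=""):
    AUDIT_LOG.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action,
        "target": target, "outcome": outcome,
    })


def can_perform(role, action):
    """True if the role's permission set includes the action."""
    return action in ROLE_PERMISSIONS.get(role, set())


def _authorize(user, role, action, target=""):
    """Record every attempt (allowed or denied) and refuse unpermitted ones."""
    allowed = can_perform(role, action)
    _audit(user, role, action, "allowed" if allowed else "denied", target)
    if not allowed:
        raise AccessDenied(f"role {role!r} may not {action}")


def read_case_notes(user, role, case_id):
    """Return one case's notes (PHI); only the counselor role may do this."""
    _authorize(user, role, "read_case_notes", case_id)
    for case in CASES:
        if case["case_id"] == case_id:
            return case["notes"]
    raise KeyError(case_id)


def utilization_report(user, role):
    """Counts by issue type with no identifiers, for plan-sponsor use."""
    _authorize(user, role, "read_utilization_report")
    counts = Counter(case["issue"] for case in CASES)
    report = {}
    for issue, n in counts.items():
        if n < MIN_CELL_SIZE:
            report["other"] = report.get("other", 0) + n
        else:
            report[issue] = n
    return report


def denied_events():
    """Audit entries for refused attempts, for review by the privacy officer."""
    return [e for e in AUDIT_LOG if e["outcome"] == "denied"]


if __name__ == "__main__":
    print(utilization_report("hr.user", "hr_benefits"))
    try:
        read_case_notes("hr.user", "hr_benefits", "C-1001")
    except AccessDenied as exc:
        print("denied:", exc)
    print(read_case_notes("counselor.a", "counselor", "C-1001"))
    print(denied_events())
```

The report never touches `employee_id` or `notes`, so the output HR receives carries only issue-type counts, while every attempt to open case notes, successful or not, lands in the audit log for later review.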

Fully-Insured EAPs

How Obligations Shift

When an insurance carrier fully insures the EAP and the employer does not create, receive, maintain, or transmit PHI (other than enrollment or summary health information), most Privacy Rule administrative requirements fall on the insurer. The plan sponsor’s duties focus on plan document certifications and limiting PHI access.

Security Considerations

If the plan sponsor maintains no electronic PHI, the Security Rule obligations do not apply to the sponsor. If any ePHI is maintained (for example, eligibility files with diagnoses), the sponsor must implement appropriate security safeguards regardless of insurance funding.

Examples

  • Insurer‑managed portal and records; employer receives only aggregate metrics: insurer handles Privacy Rule notices and security controls.
  • Employer stores ePHI spreadsheets from the insurer: employer now assumes Security Rule responsibilities for those systems.

EAPs as Excepted Benefits

Qualifying as an Excepted Benefit

An EAP may be an excepted benefit if it: (1) does not provide significant medical care, (2) is not a gatekeeper to other benefits, (3) requires no employee premium or contribution, and (4) has no cost‑sharing. Many EAPs with limited short‑term counseling and referrals meet these criteria.

HIPAA Still Applies to PHI

Excepted benefit status affects ACA market reforms, not HIPAA privacy and security. If your EAP creates or receives PHI in delivering counseling or similar services, the EAP is a Group Health Plan covered by the Privacy Rule and must maintain security safeguards and Business Associate Agreements.

Examples

  • Excepted and covered: Three free counseling sessions per issue with documented notes; HIPAA applies to those records.
  • Excepted and not covered: Work‑life services only (legal, financial, concierge) with no PHI; HIPAA does not apply.

EAPs and Wellness Programs

Integration Scenarios

Wellness programs often share vendors, portals, and incentives with EAPs. If the wellness program provides medical care (e.g., health coaching tied to biometric results), it is also a Group Health Plan. Coordinate HIPAA compliance across both programs to avoid improper PHI sharing with the employer.

Data Sharing and Authorizations

  • Share only de‑identified or summary health information with the plan sponsor unless a valid authorization permits more detailed disclosures.
  • Ensure BAAs cover all vendors touching PHI, including wellness coaches, screening labs, and digital platforms.
  • Use clear confidentiality notices to set expectations for participants about data flows between EAP and wellness services.

Practical Example

An employee completes a stress‑risk survey in a wellness app and accepts a warm transfer to EAP counseling. The vendors exchange PHI under BAAs for treatment and plan operations. The employer receives only aggregate program metrics, not names or case notes.

Conclusion

Focus first on whether your EAP provides medical care. If yes, treat it as a Group Health Plan, apply the Privacy Rule, implement robust security safeguards, and execute Business Associate Agreements. Being fully insured or an excepted benefit does not remove HIPAA duties when PHI is involved. Keep employer access limited to what the rules allow and communicate protections through clear confidentiality notices.

FAQs

When does HIPAA apply to employee assistance programs?

HIPAA applies when an EAP provides medical care (such as counseling or clinical crisis support) to employees or dependents, making the program a Group Health Plan. In that case, records that identify an individual’s health status or care are Protected Health Information, and the EAP must follow the Privacy Rule, maintain security safeguards for ePHI, and meet breach notification obligations.

What are the HIPAA compliance requirements for EAP vendors?

EAP vendors that handle PHI for the plan are business associates. They must sign Business Associate Agreements, use PHI only as permitted by the contract and HIPAA, implement administrative, physical, and technical security safeguards (including risk analysis and access controls), support individual rights requests, assist with breach investigations and notices, and flow down obligations to subcontractors that touch PHI.

Are all EAPs considered group health plans under HIPAA?

No. EAPs that only provide non‑medical services (for example, legal or financial referrals) and do not create or receive PHI are not group health plans under HIPAA. However, most counseling‑based EAPs are Group Health Plans—even if they are excepted benefits—and must comply with HIPAA when they create or handle Protected Health Information.
