HIPAA Policies for Employee Assistance Programs (EAPs): Requirements, Privacy Rules, and Compliance Tips
HIPAA Applicability to Employee Assistance Programs
Employee Assistance Programs that provide or pay for counseling, assessments, referrals, or similar medical care functions are considered health plans under HIPAA. As such, these EAPs must comply with the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule for all Protected Health Information (PHI) they create, receive, maintain, or transmit.
EAPs that only offer general information or referrals without providing or paying for care may fall outside HIPAA. However, most modern EAPs deliver short‑term counseling or case management, which brings them within HIPAA’s scope. Even when an EAP is treated as Excepted Benefits for other federal requirements, if it provides or pays for medical care, HIPAA privacy and security obligations still apply.
A narrow exception exists for a group health plan with fewer than 50 participants that is administered solely by the employer; such a plan is not a HIPAA covered entity. In practice, many EAPs use third‑party vendors or networks, so this exception rarely applies.
Employer Responsibilities for HIPAA Compliance
The employer is typically the plan sponsor—not the covered entity. The EAP itself (the group health plan) is the covered entity. As plan sponsor, you must establish a firewall so employment decisions remain separate from PHI used for plan administration.
- Amend plan documents and certify you will safeguard PHI and limit its use to plan administration purposes.
- Designate a Privacy Official and a Security Official, adopt written policies and procedures, and maintain documentation for at least six years.
- Train workforce members who handle EAP PHI and apply a sanctions policy for violations.
- Distribute a Notice of Privacy Practices (NPP) or coordinate with your insurer or EAP administrator to ensure participants receive it.
- Limit the employer’s routine access to enrollment/disenrollment information and summary health information. Other PHI may reach the plan sponsor only for plan administration functions spelled out in the amended plan documents, or with the employee’s valid authorization.
Privacy Rule Requirements for EAPs
The Privacy Rule governs how an EAP may use and disclose PHI. Core permitted purposes include treatment, payment, and health care operations. For disclosures beyond those purposes, you must obtain the individual’s authorization or ensure a specific permission applies (for example, required by law or to avert a serious threat).
- Apply the Minimum Necessary Standard so staff see only the PHI needed to do their jobs. The standard does not apply to disclosures to a provider for treatment, disclosures to the individual, or disclosures made under a valid authorization.
- Provide participant rights: access and obtain copies of PHI, request amendments, request restrictions, receive an accounting of certain disclosures, and ask for confidential communications (for example, to a personal email or address).
- Issue and honor a clear NPP describing EAP uses/disclosures, participant rights, and how to file complaints without retaliation.
- Limit disclosures to the employer/plan sponsor to what plan documents allow; never share counseling content, diagnoses, or session notes with supervisors without an authorization.
Security Rule Safeguards in EAPs
EAPs must implement risk‑based administrative, physical, and technical safeguards to protect electronic PHI (ePHI). A current, documented risk analysis is the starting point for selecting controls proportionate to your systems, vendors, and data flows.
Administrative safeguards
- Conduct and update risk analysis; implement risk management and security incident procedures.
- Assign security responsibility; train workforce; manage role‑based access and sanction policy.
- Vet vendors, execute Business Associate Agreements, and monitor adherence.
- Develop contingency plans: data backups, disaster recovery, and emergency operations testing.
Physical safeguards
- Control facility access; secure workstations; protect and properly dispose of devices and media.
- Use private spaces for calls; avoid displaying PHI on unattended screens or printers.
Technical safeguards
- Enforce unique IDs, strong authentication, and timely termination of access.
- Encrypt ePHI at rest and in transit; enable audit logs and integrity controls.
- Use secure messaging/telehealth platforms; prohibit unencrypted texting of PHI.
Business Associate Agreements for PHI Handling
A Business Associate Agreement (BAA) is required before sharing PHI with any vendor that creates, receives, maintains, or transmits PHI on your behalf. For EAPs, this commonly includes third‑party administrators and EAP vendors, teletherapy platforms, cloud or data‑hosting providers, call centers, secure email or portal providers, and analytics vendors. A counselor who only treats the participant is acting as a health care provider, and disclosures to that counselor for treatment do not require a BAA; a counselor or network that also performs plan functions on the EAP’s behalf (case management, utilization reporting, claims handling) does need one.
- Key BAA terms: permitted uses/disclosures; safeguard obligations; breach reporting timelines; subcontractor flow‑downs; access, amendment, and accounting support; HHS audit cooperation; return or destruction of PHI; and termination rights for material breach.
- The employer as plan sponsor is not a business associate of its own EAP; access by the sponsor must be limited and governed by amended plan documents, not a BAA.
Confidentiality and Data Security Practices
Strong privacy practices protect employees and reduce legal risk. You should minimize PHI collection, limit who can see it, and communicate transparently about confidentiality and its narrow exceptions.
- Do not disclose an employee’s EAP participation to supervisors; provide de‑identified, aggregate utilization reports instead.
- Use the Minimum Necessary Standard for internal reports; exclude session details and diagnoses unless specifically authorized.
- Honor requests for confidential communications (for example, personal phone or email) and verify identities before discussing PHI.
- Standardize retention schedules and secure disposal of records, recordings, chat transcripts, and voicemail.
- Prepare scripts for emergencies (imminent harm) and required‑by‑law disclosures to ensure consistent, lawful responses.
Breach Notification Obligations and Procedures
A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. When an incident occurs, you must perform a documented risk assessment considering the nature and extent of the PHI involved, the unauthorized person who used or received it, whether the data was actually viewed or acquired, and the extent to which the risk has been mitigated. Unless that assessment shows a low probability that the PHI has been compromised, notifications are required.
- Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery, with plain‑language content describing what happened, the data involved, steps they should take, what you are doing, and contact methods.
- Notify HHS without unreasonable delay, and no later than 60 calendar days after discovery, when a breach affects 500 or more individuals; if it affects 500 or more residents of a single state or jurisdiction, also notify prominent media serving that area. Log breaches affecting fewer than 500 individuals and report them to HHS within 60 days after the end of the calendar year in which they were discovered.
- Require business associates to notify the EAP promptly after discovery; many BAAs set tighter timelines than HIPAA’s outer limit.
- Encrypt PHI using methods consistent with HHS guidance (which points to NIST standards) so that lost or stolen data is not “unsecured PHI”; an incident involving properly encrypted PHI whose decryption key was not compromised does not trigger breach notification.
- Coordinate with applicable state breach laws and maintain a breach log, mitigation records, and sanction documentation.
Conclusion
Effective HIPAA policies for Employee Assistance Programs hinge on clear role separation, tight vendor management, rigorous Privacy and Security Rule controls, and disciplined breach response. By applying the Minimum Necessary Standard, executing solid BAAs, and operationalizing confidentiality in daily practice, you protect employees and keep your EAP compliant.
FAQs
What HIPAA rules apply to employee assistance programs?
EAPs that provide or pay for medical care are HIPAA health plans and must comply with the HIPAA Privacy Rule, HIPAA Security Rule, and the Breach Notification Rule. These rules govern how PHI is used and disclosed, how ePHI is safeguarded, and how to notify individuals and regulators when unsecured PHI is breached.
How must EAPs manage confidential employee information?
EAPs should collect only what is necessary, apply the Minimum Necessary Standard to internal uses, restrict employer access to enrollment or summary information, and never share session content with supervisors without an authorization. Provide a Notice of Privacy Practices, honor participant rights, and use secure, encrypted communication channels.
When are business associate agreements required for EAP vendors?
A BAA is required whenever a vendor creates, receives, maintains, or transmits PHI for the EAP—such as TPAs and EAP vendors, teletherapy platforms, cloud storage, call centers, or secure email/portal providers. Counselors who only provide treatment are health care providers rather than business associates. BAAs must specify permitted uses, safeguards, breach reporting, subcontractor obligations, and termination rights.
What are the breach notification requirements for EAPs under HIPAA?
After a suspected incident, perform a four‑factor risk assessment. If risk is not low, notify affected individuals without unreasonable delay and no later than 60 days, notify HHS (and the media for breaches affecting 500 or more residents of a state or jurisdiction), and document mitigation. Business associates must notify the EAP promptly so the plan can meet these deadlines.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.