HIPAA Security for Employee Assistance Programs: What’s Required and How to Stay Compliant


Kevin Henry

HIPAA

April 19, 2026


HIPAA Applicability to Employee Assistance Programs

Whether HIPAA applies to your Employee Assistance Program (EAP) turns on what the program actually does. If the EAP provides, manages, or pays for medical care—such as short‑term counseling, clinical assessment, or referrals—and creates or receives Protected Health Information (PHI), it functions as a group health plan and is a HIPAA covered entity. In that case, the EAP must comply with both the Privacy Rule and the Security Rule.

If your EAP only offers general information, manager consultations, or referrals without providing care or handling PHI, HIPAA may not apply to that program. However, most modern EAPs handle at least some counseling or care coordination, so you should assume HIPAA applies unless you can document otherwise.

Employers themselves are not covered entities simply by sponsoring an EAP. But once the EAP is a health plan, the employer—as plan sponsor—must follow strict rules for receiving and using PHI for plan administration and maintain firewalls that separate plan information from employment records.

EAPs as Excepted Benefits

Many EAPs qualify as “excepted benefits” for purposes of certain health reform mandates. To meet the Excepted Benefits Criteria, an EAP generally must:

  • Not provide significant benefits in the nature of medical care or treatment (for example, limit scope and duration of counseling).
  • Not coordinate its benefits with another group health plan or condition eligibility on enrollment in another plan.
  • Charge no employee premiums or contributions to participate.
  • Impose no cost‑sharing (no deductibles, copays, or coinsurance).

Excepted benefits status does not remove HIPAA obligations. If the EAP is a health plan receiving PHI or electronic PHI (ePHI), it must still safeguard that information under the Privacy Rule and Security Rule.

Employer Responsibilities in EAP Compliance

As the plan sponsor, you must structure the EAP so PHI is used only for plan administration—not for employment decisions. Update plan documents to describe permitted uses and disclosures, identify who in your workforce will access PHI, and certify you will protect and segregate PHI from personnel files.

Provide a Notice of Privacy Practices (NPP) to participants, implement policies and procedures, train any staff who perform plan administration, and apply the minimum necessary standard. Without an employee’s written authorization, limit employer‑level information sharing to enrollment/disenrollment data and de‑identified or summary health information when allowed.

Build an incident response and breach notification process, maintain records retention schedules, and periodically audit access to ensure PHI remains separate from HR, ADA, and performance‑management records.

Implementing Business Associate Agreements

Most EAPs rely on vendors—third‑party administrators, telehealth platforms, call centers, cloud hosts, and analytics providers—that create, receive, maintain, or transmit PHI. You must execute a Business Associate Agreement (BAA) with each vendor before any PHI flows.

What every BAA should cover

  • Permitted uses/disclosures and prohibition on non‑permitted marketing or sale of PHI.
  • Administrative, physical, and technical safeguards aligned with the Security Rule, including encryption, audit logging, and secure software development practices.
  • Subcontractor flow‑down, ensuring any downstream vendor also signs and complies.
  • Breach reporting timeframes, investigation cooperation, and remediation obligations.
  • Support for individual rights (access, amendments, and accounting of disclosures) and return or destruction of PHI at termination.
  • Right to receive security attestations and conduct risk‑based assessments or on‑site reviews.

If your EAP handles Substance Use Disorder information, consider whether you also need a Qualified Service Organization Agreement (QSOA) or a combined agreement to address Substance Use Disorder Confidentiality requirements.

Applying HIPAA Privacy and Security Rules

The Privacy Rule governs when PHI may be used or disclosed. For an EAP, this typically permits uses and disclosures for payment and health care operations (and for treatment, if the EAP delivers counseling) without individual authorization, subject always to the minimum necessary standard. For anything beyond these purposes (for example, reporting clinical details to a supervisor), obtain a valid HIPAA authorization from the employee.

The Security Rule requires safeguards to protect ePHI. A practical implementation roadmap includes:

Administrative safeguards

  • Perform and update an enterprise‑wide risk analysis; implement a risk management plan with documented remediation timelines.
  • Designate a privacy and a security official; formalize policies, sanctions, and workforce training.
  • Manage vendor risk: execute BAAs and maintain ongoing oversight of third parties handling ePHI.
  • Plan for contingencies: data backup, disaster recovery, and emergency mode operations.

Physical safeguards

  • Facility access controls for call centers or counseling sites; visitor logs and escort procedures.
  • Workstation security and device/media controls, including secure disposal and media re‑use.

Technical safeguards

  • Role-Based Access Control with least‑privilege provisioning and periodic access recertification.
  • Unique user IDs, strong authentication (preferably MFA), automatic logoff, and session timeouts.
  • Encryption in transit and at rest; integrity controls and tamper‑evident audit logs.
  • Ongoing security monitoring, vulnerability management, and patching.

Operationalize individual rights: verify identity before disclosures, respond to access requests within required timeframes, and offer confidential communications when employees ask to use alternative addresses or channels.

Ensuring Confidentiality in EAPs

Employee trust is central to EAP effectiveness. Establish clear lines between the EAP and the employer’s HR or management functions. Supervisors may know whether an employee was referred and attended, but they must not receive diagnoses, session notes, or treatment details without the employee’s explicit authorization.

Use confidential communication options (secure portals, verified private email, or mailed correspondence to alternative addresses). Train staff to avoid discussing PHI over speakerphones or unsecured messaging, and to identity‑proof callers before sharing any information.

Define exception pathways—imminent threats, required‑by‑law reporting, or emergency treatment—so your team knows how to act quickly while disclosing only the minimum necessary information.

Handling Substance Use Disorder Information

If your EAP provides Substance Use Disorder screening, diagnosis, treatment, or referral and is federally assisted, it may be subject to 42 CFR Part 2. These rules impose stricter consent and redisclosure limits than HIPAA. As a result, you must segment SUD records, apply Substance Use Disorder Confidentiality requirements, and use tailored consent forms that specify who may receive what information and for what purpose.

Include “prohibition on redisclosure” notices where required, and use QSOAs with vendors that support SUD services. When HR or a supervisor requests information about an employee’s participation, obtain a Part 2‑compliant consent that allows disclosing attendance or compliance status—never clinical details—unless the consent expressly authorizes them.

Conclusion

To keep your EAP compliant, determine whether it is a HIPAA‑covered health plan, confirm excepted benefits status without assuming a HIPAA exemption, lock down PHI sharing between the EAP and the employer, execute robust BAAs, implement Security Rule safeguards with Role‑Based Access Control, and apply stricter procedures for SUD data. These steps protect employees and reduce organizational risk.

FAQs

When are Employee Assistance Programs subject to HIPAA?

An EAP is subject to HIPAA when it provides, manages, or pays for medical care and creates or receives PHI. Most EAPs that offer counseling, clinical assessment, or coordinated referrals meet this threshold and must comply with the Privacy Rule and Security Rule.

What are the criteria for EAPs to qualify as excepted benefits?

To satisfy Excepted Benefits Criteria, an EAP generally must not provide significant medical care, must not coordinate eligibility or benefits with another group health plan, must charge no employee premiums or contributions, and must impose no cost‑sharing. This status does not eliminate HIPAA obligations if the EAP handles PHI.

How should employers manage Business Associate Agreements with EAP vendors?

Identify every vendor that creates, receives, maintains, or transmits PHI and execute a Business Associate Agreement before data flows. Ensure the BAA covers permitted uses/disclosures, Security Rule safeguards, subcontractor flow‑down, breach reporting, support for individual rights, and data return or destruction. For SUD services, add QSOA terms or a combined agreement as needed.

What safeguards must EAPs implement to protect electronic PHI?

Implement a risk‑based security program that includes administrative safeguards (risk analysis, policies, training, contingency planning), physical safeguards (facility and device controls), and technical safeguards (Role-Based Access Control, MFA, encryption, audit logging, automatic logoff, and integrity checks), all aligned with the HIPAA Security Rule and the minimum necessary standard.
