Multiple media reports this week implied that CVS Caremark will be requiring all employees to disclose their weight and other biometric information (glucose readings, blood pressure, cholesterol) to CVS or pay an additional $50 per month for their health insurance, and that this CVS program is the start of a new trend. Only if you read beyond the startling headlines do you find out that this biometric data is being disclosed to a third-party service provider to the CVS group health care plan, not to CVS. By using a third party administrator for this program, CVS is not only keeping this personal information out of CVS's hands from the beginning, CVS is also giving this information privacy and security protection under HIPAA, so that CVS can't have access to the data unless it's necessary for health plan administration (and that would be a tough argument for CVS to make). The third-party service provider only confirms to CVS that the employee has or has not provided the data; there's no permissible disclosure of the data itself to CVS under HIPAA. But that's not much of a story, is it?
Reading on in the various reports also discloses that this isn't, in fact, a new trend at all. Employers have been integrating health risk assessments and biometric screenings requirements into their group health plans for several years now to help focus employees (and for some employers, their spouses) on their own personal health condition. Some group health plans, like the CVS program, do not assess the penalty based on the results of the screenings, only for failing to have the screenings performed. Other employers have incorporated the "next step" into their group health plans' wellness programs and started requiring employees to make increased contributions for their health insurance if their biometric screening results are not within "normal" ranges and the employee (and again, sometimes the spouse as well) does not participate in an employer-funded program to address those potential health issues. So an employee always has the ability to avoid the penalty. These programs are also administered by third parties on behalf of the group health plan, and each employee's personal health information is not available to the employer. The employer is only told whether each employee is or is not subject to the penalty, and that information is shared only so the employer can deduct the correct amount from the employee's paycheck.
Both of these types of wellness programs have been permissible under the Internal Revenue Code and ERISA since 1997. The amount of the penalty assessed under programs like the CVS program, which only requires the employee to complete an action like getting a biometric screening or completing a health risk assessment, is unlimited. But when the penalty is based on the employee's biometric results or other health factor, the program must limit the amount of the penalty and must offer an employee an alternative standard to satisfy to avoid the penalty. The most common example of this is a penalty for employees who smoke(a program CVS appears to be introducing next year). Both the Code and ERISA require that an employee who smokes must be allowed to avoid the penalty by completing a smoking cessation program, even if the employee doesn't quit smoking after completing the program. Comparable "alternative" standards must be offered for other biometric measurements, such as allowing an employee whose weight is above the normal range to avoid the penalty if they join Weight Watchers at work or provide confirmation from their personal physician that the employee is working with the physician to manage the employee's weight.
Oh, and as this article correctly points out, this issue has already been litigated under the Americans with Disabilities Act, and both the federal district court and the federal appeals court found it wasn't a violation of that Act for a group health plan to charge an employee more for health coverage if the employee refused to complete a health screening.