Mitigating COVID-19 Risk With Employee Benefit Programs

Law360 (March 25, 2020, 4:17 PM EDT) --
Eric Schillinger
Eric Schillinger
Anne Hall
Anne Hall
The COVID-19 pandemic, an unprecedented national public health emergency, has roiled financial markets, disrupted the daily routines of millions of Americans, and caused considerable turmoil in the operations of small and large U.S. employers alike.

As Congress and the Trump administration scramble to combat the spread of COVID-19 and its collateral effect on the economy, employers in all industries have implemented their own measures to mitigate the risk of employee exposure to the virus and resulting monetary losses to the business and workers.

The primary levers for employers to manage COVID-19-related risks involve employment policies for social distancing (e.g., mandatory teleworking), a concept with undisputed importance to preventing the spread of the virus. But employers that have properly implemented adequate social distancing measures may be able to use certain employee health and welfare benefit programs as additional means to manage COVID-19 risk and promote the physical and financial well-being of employees.

And although the Families First Coronavirus Response Act[1] (signed into law on March 18) included provisions that mandate the coverage of certain COVID-19 testing by employer-sponsored health plans that are subject to the Patient Protection and Affordable Care Act, other benefit plans and features are potentially available to address COVID-19-related issues.[2]

Employee Benefits Compliance Considerations for COVID-19 Prevention

Employers that seek to utilize these types of benefit programs must navigate myriad federal tax and other laws to avoid potential compliance issues that might arise in the context of COVID-19 prevention and treatment. As described in more detail below, some key compliance considerations include:

  • Nondiscrimination, privacy and security rules for disease management programs for individuals (who may have a higher risk of becoming sick from COVID-19) with chronic medical conditions;

  • Requirements and restrictions in a wellness program and incentives to encourage healthy behavior (e.g., for reducing the likelihood of COVID-19 exposure or complications); and

  • Tax rules for employer-provided fringe benefits to reward safe lifestyle choices (e.g., prizes) or assist with COVID-19 prevention (e.g., hand sanitizer and cleaning supplies).

Disease Management Programs in Group Health Plans

Under a disease management program component of a group health plan (both self-funded and fully insured), the insurance carrier or third-party administrator uses the plan’s claims information to identify and work with at-risk covered individuals (e.g., those with diabetes) and improve their health.

The disease management process might include, for example, where the plan waives deductibles or certain copayments for individuals who have diabetes if they participate in certain educational classes and follow their physician’s recommendations regarding exercise and medication. 

Employer-sponsored group health plans are subject to a variety of federal laws (most notably the Employee Retirement Income Security Act). But as explained below, the requirements under the Health Insurance Portability and Accountability Act implicate important compliance considerations in the context of disease management programs (and group health plans generally) aimed at directly or indirectly addressing COVID-19 risk and exposure. 

HIPAA Portability Rules 

The HIPAA portability rules prohibit a group health plan from discriminating against a covered individual based on a health factor such as diabetes.

The disease management program described above would generally be considered permissible under HIPAA because although the program has targeted individuals based on a health factor (diabetes), its use of rewards (e.g., deductible waivers) to encourage health improvement arguably qualifies as benign discrimination, a permitted exception to the general nondiscrimination prohibition.

In contrast, a disease management program that requires an individual to meet a standard related to a health factor (e.g., a specified body mass index), a practice referred to as intervening discrimination, violates the HIPAA rules. 

HIPAA Portability and COVID-19

In the context of COVID-19, a disease management program may be an option to educate and encourage healthy lifestyle decisions of at-risk participants (i.e., those who are more likely to suffer serious complications if they contract COVID-19). Importantly, individuals who currently participate in a plan’s disease management programs for diabetes and other chronic medical conditions are likely an at-risk population for COVID-19 purposes as a general matter. 

So although an employer may want to consider how new or existing programs can be leveraged as much as possible for COVID-19 prevention and mitigation, the designs of those programs must be carefully considered to ensure that they are not determined to be discriminatory for HIPAA purposes.[3]

For example, it would certainly violate HIPAA to target at-risk participants in existing management programs with additional requirements to receive certain covered services or condition the receipt of a particular benefit on completion of tasks related to COVID-19 prevention (e.g., mandating that they be tested for COVID-19). An alternative to this approach includes an electronic mailer to diabetes patients or patients with existing respiratory illnesses regarding specific health considerations for these individuals and strategies for COVID-19 prevention. 

HIPAA Privacy and Security Requirements

Also of relevance to disease management programs (and group health plans generally) regarding COVID-19 are HIPAA’s privacy and security rules. Those rules place strict limits on the circumstances under which group health plans and other entities subject to HIPAA (referred to as covered entities for this purpose) may use and disclose (without consent) a participant’s protected health information, or PHI, a broadly defined term that includes, among other data, a participant’s claims information (e.g., tests received).[4]

HIPAA Privacy and COVID-19

The U.S. Department of Health and Human Services, which is the agency responsible for enforcing the HIPAA privacy and security rules, issued guidance[5] last month addressing the use and disclosure of PHI related to COVID-19, and the secretary of HHS granted a limited waiver[6] of HIPAA sanctions for PHI disclosures by hospitals concerning COVID-19. 

The HHS guidance discussed, among other pertinent HIPAA rules, potentially applicable exceptions to general use and disclosure rule of an individual’s COVID-19 information that is PHI without first obtaining the individual’s consent. Two key exceptions of note include:

  • PHI may be disclosed to public health authorities (e.g., the Centers for Disease Control and Prevention) that are authorized by law to collect or receive such information for the purpose of preventing or controlling disease, injury or disability.

  • PHI may also be disclosed to persons at risk of contracting or spreading a disease or condition if other law (e.g., state statutes) authorizes the entity to notify such persons as necessary to prevent or control the spread of the disease (or otherwise to carry out public health interventions or investigations).

Importantly, a group health plan can only disclose PHI to an employer under very limited circumstances, and the disclosure can never be for employment-related decisions (e.g., hiring and firing). For example, if an employer adopts a policy that employees who have contracted COVID-19 must self-quarantine, the employer cannot ask the third-party administrator of its self-funded group health plan to review its claims records and see if any employees have tested positive for COVID-19 (and therefore subject such individuals to the self-quarantine employment policy). 

Given the complexity of the HIPAA rules and as a strategy for mitigating exposure to hefty HIPAA noncompliance penalties, employers should consider immediate HIPAA training for those individuals who handle group health plan PHI. Such training should reinforce existing HIPAA disclosure restrictions and specifically provide for a careful review of the limitations that apply to the use and disclosure of COVID-19.

Wellness Programs

Many employers already have a variety of different wellness programs in place, which range from general education services about healthy living to monetary and other incentives (e.g., reduced medical insurance premiums) that are awarded for participation in certain activities (e.g., undergoing biometric screening) or achievement of outcomes related to employee health (e.g., quitting smoking).

Given the serious risks and health implications of COVID-19 exposure, wellness incentives may be a useful tool for employers to educate employees about COVID-19 considerations and provide, on a tax-free basis, benefits that encourage healthy lifestyles generally as well as practices specifically targeted at COVID-19 prevention.

Wellness Programs and COVID-19

Wellness programs that provide such incentives must comply with the HIPAA nondiscrimination rules described above (as modified by the ACA), including regulations that place specific restrictions on a program’s eligibility criteria for, and amounts of, wellness rewards.[7] Under these HIPAA rules, the annual limit on wellness incentive awards unrelated to tobacco is generally 30% of the total cost of self-only coverage (taking into account both the employee’s and employer’s share of the premiums) of the plan coverage. 

Other rules applicable to the design of the wellness program depend on whether the program is activity-only (i.e., where the reward is based merely on performing an activity) or outcome-based (i.e., contingent on attaining or maintaining a specific health outcome such as a certain body mass index):

  • Activity-only: Activity-only programs must provide individuals with a reasonable alternative standard (or waiver of the original standard) for the individual to achieve the award if the original standard is unreasonably difficult due to a medical condition to satisfy the standard (or medically inadvisable to attempt to satisfy the standard). In the COVID-19 context, an employer may consider an employee incentive (e.g., 10% reduction in health insurance premiums or a gift card) for completion of a COVID-19 prevention training.

  • Outcome-based: In contrast, outcome-based programs must provide a reasonable alternative standard (or waiver) to any individual who fails to meet the original standard (regardless of whether it is unreasonably difficult or medically inadvisable for the individual to satisfy or attempt to satisfy the standard). 

Fringe Benefits

The use of fringe benefits may be another option for employers to provide rewards to incentivize healthy behavior in general (and reduce the risk of complications for an employee who contracts COVID-19) or smart decisions related to social distancing or other practices geared toward preventing the spread of COVID-19. 

In addition to incentive-oriented fringe benefits, employers may be interested in providing helpful (and unusually scarce) items related to COVID-19 prevention, such as cleaning supplies and hand sanitizer. 

Fringe Benefits and COVID-19

The federal tax treatment of employer-provided fringe benefits is governed by Section 132 of the Internal Revenue Code. For purposes of COVID-19 prevention, two potentially relevant types of nontaxable fringe benefits under the Code are employee achievement awards and de minimis fringe benefits:

Employee Achievement Awards

An employee achievement award is an item of tangible personal property (i.e., not cash) for the employee’s length of service or safety.[8] The item must be awarded as part of a meaningful presentation, and it cannot be disguised wages.

Lastly, the award must be made under a qualified plan, meaning that there must be a written plan document, the plan cannot discriminate in favor of highly compensated employees, and the total amount of awards from the employer for a year cannot exceed $1,600 ($400 for nonqualified awards).[9]

An interesting question is whether employer prizes to employees for excellence in safe working practices and COVID-19 prevention (e.g., the highest-scoring employees in a COVID-19 training program provided by the company) could be classified as nontaxable safety achievement awards. Given the far-reaching implications of COVID-19 and the genuine interest of employers to prevent the spread of the virus, there appears to be a reasonable argument that certain rewards for achievement of established COVID-19 safety practices would be nontaxable (assuming that the other applicable Code requirements are met).

De Minimis Fringe Benefits

In general, a de minimis benefit is a benefit that, considering its value and the frequency with which it is provided, is so small as to make accounting for it unreasonable or impractical.[10] Common examples of nontaxable de minimis fringe benefits are occasional snacks, nominal gifts for birthdays and holidays, and flowers, fruits and coffee mugs for special occasions.

In the COVID-19 context, employers may want to consider offering additional cleaning items for employee offices to avoid the spread of COVID-19. Under normal circumstances, infrequent gifts of hand sanitizer, cleaning wipes and related supplies — all items of extraordinarily high demand because of COVID-19 concerns — would probably be considered de minimis. Given the severe scarcity and rising prices of those items, however, it is not entirely clear whether they continue to satisfy the de minimums requirements.[11]

Takeaways for Employers

The establishment of and adherence to employment practices that promote social distancing to reduce the risk of COVID-19 exposure are undeniably a top priority for employers. Employers that have succeeded with those practices may want to consider whether further measures are appropriate or advisable, including through utilization of existing employee benefit programs to encourage healthy behavior.

More legislation and subregulatory guidance in benefits-related matters is likely to be issued in the coming weeks, and employers should carefully evaluate their benefit programs for compliance with applicable laws and concerns unique to COVID-19 and consider workforce training to mitigate exposure to costly legal noncompliance penalties.

Eric Schillinger is senior compliance counsel, and Anne Tyler Hall is founder and principal at Hall Benefits Law.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.


[2] In general, employer-sponsored dental, vision and retiree-only medical plans are exempt from the ACA and, as a result, are not required to comply with the COVID-19 testing mandate under the new legislation.

[3] Separate from the HIPAA nondiscrimination rules, a group health plan must provide the no-cost COVID-19 testing coverage required by the Families First Coronavirus Response Act without any preauthorization or medical management requirements. For example, a disease management program could not require participants to undergo utilization review or obtain referrals as a condition for the plan’s coverage of the COVID-19 testing. 

[4] Health information obtained outside of the group health plan, such as from employment records or conversations between an employer and employee, is not considered PHI. For example, where an employee informs an employer that he or she has contracted COVID-19, the information is not PHI. Other Federal and State privacy laws, however, may still apply to the use and disclosure of the information, such as the Americans with Disabilities Act. 



[7] The Equal Employment Opportunity Commission issued regulations in 2016 that also govern wellness incentive limits. In response to a Federal court decision striking down parts of those regulations, however, the EEOC removed the incentive-related sections from its final wellness program rules.

[8] The tax exclusion for employee achievement awards is also unavailable for awards that are vacations, meals, lodging, tickets to theater or sporting events, stocks, bonds, other securities, and other similar items, according to the IRS.

[9] To be non-taxable, safety achievement awards cannot be provided to a manager, administrator, clerical employee, or other professional employee. Safety achievement awards also do not receive favorable tax treatment if more than ten percent of eligible employees previously received safety achievement awards during the year.

[10] There is no specific dollar threshold for whether a benefit is considered de minimis or not. The IRS has provided some examples of specific instances where a benefit of a particular value did not meet the de minimis test under the circumstances, such as a gift worth $100 in 2001. Cash and cash-equivalent gifts such as gift cards are always considered taxable and do not qualify as de minimis fringe benefits. 

[11] Given the importance of these items for purposes of public health, it seems relatively unlikely that the IRS would take issue with an employer’s classification of hand sanitizer and other helpful cleaning supplies as de minimis. In any event, most employers that wish to provide those benefits to employees will probably not be discouraged against doing so simply because the benefits may be taxable.

For a reprint of this article, please contact

View comments

Hello! I'm Law360's automated support bot.

How can I help you today?

For example, you can type:
  • I forgot my password
  • I took a free trial but didn't get a verification email
  • How do I sign up for a newsletter?
Ask a question!