Adopting Informed Consent Standards to Strengthen Your ADA Notice in the Wake of GDPR

The following article does NOT constitute legal advice and should not be used as such. It is for educational purposes only. Readers should retain legal counsel to obtain definitive answers.

The premise behind the General Data Protection Regulation (GDPR) in the European Union (EU) is to ensure that natural persons have rights with regard to the processing of data about them. One of those rights is informed consent. That is, companies who do business in the EU or intentionally process data of persons living in the EU should not be handling that data without the informed consent of the “data subject.”

The United States also has informed consent laws, but they are primarily state-based laws that apply to certain health professions. Informed consent laws in the United States usually require the following elements to be part of the notice:

• Proposed modes of treatment
• Why treatment is necessary
• Risks involved in proposed treatment
• Available alternatives to treatment
• Risks of alternatives to treatment
• Risks involved if treatment refused

The GDPR expands informed consent to include everyone who processes health or biometric data about EU data subjects, not just persons within the health professions. Although the GDPR addresses data processing and not medical treatment, one can analogize the elements of medical informed consent to the processing of wellness data. For example, a wellness data collection informed consent could describe:

• Proposed modes of data collection
• Why data collection is necessary
• Risks involved in data collection (e.g., privacy and security concerns)
• Available alternatives to data collection (obtain wellness data through one’s primary care provider or do not provide information at all)
• Risks of alternatives to data collection at the worksite (going to primary care provider may take longer and require time off from work, the opportunity for data breaches still exist with health care providers)
• Risks involved if data collection refused (not providing data at all may deprive the employee of important knowledge about their health).

Wellness programs that process health or biometric data of data subjects in the EU, or that have a physical presence in the EU, must abide by GDPR. But even programs that are not subject to GDPR compliance may wish to adopt its premise that it is better to inform individuals about the particulars of your program’s data collection than withhold information.

Workplace wellness programs in the United States that collect health information from employees must provide a notice before doing so. That notice must meet certain requirements under the Americans with Disabilities Act (ADA), such as;

• Be understandable
• Describe type of medical information obtained
• Describe specific purposes for which information will be used
• Identify who will receive information
• Identify restrictions on disclosure of medical information
• Describe methods employer will use to prevent improper disclosure (including whether the program complies with HIPAA privacy and security rules).

See 29 CFR § 1630.14(d)(1)(iv).

Although the ADA notice informs individuals about the data being collected and why it is being collected, it does not require explanation of the alternatives to data collection through the workplace wellness program or the downsides to not providing health information through the wellness program. Particularly in the wake of the AARP v. EEOC case which scrutinized the voluntariness of the EEOC’s incentive rules, it will be important for workplace wellness programs to inform potential participants of both the disadvantages as well as advantages of participating in data collection efforts such as through Health Risk Assessments (HRAs) and biometric screens. Including both the disadvantages and advantages of HRA/biometric screen participation not only explains why HRA participation can be helpful, but it fully informs individuals about any risks, which can strengthen the voluntary nature of their participation. An individual whose HRA participation is truly voluntary may lead to better outcomes.

Barbara J. Zabawa

President of the Center for Health and Wellness Law, LLC
wellnesslaw.com