EAP Programs: What Every Founder and SMB Leader Should Know About Privacy, Confidentiality, and Doing Right by Your People
- laconfidentialhr
- Jun 9
- 12 min read

Employee Assistance Programs (EAPs) are one of the most underused, misunderstood benefits in the small and mid-sized business world. Founders often add one because a broker recommended it, then never think about it again, until an employee is in crisis, a manager asks a question they shouldn't, or someone wonders aloud whether HR "knows what's going on" with a struggling team member.
This post breaks down what EAPs actually are, how to protect employee privacy (including where HIPAA does and doesn't apply), and the lines you cannot cross when sensitive issues surface. If you run a startup or SMB, getting this right protects your people and your company.
1. What Is an EAP?
An Employee Assistance Program is a confidential, employer-sponsored benefit that gives employees (and usually their household members) access to short-term support for personal and work-related challenges. Think of it as a front door to help — most issues are either resolved through the EAP directly or referred out to longer-term resources.
A typical EAP covers:
Mental health and emotional support — stress, anxiety, depression, grief, burnout
Substance use and addiction — assessment, counseling, referral to treatment
Financial and legal challenges — debt, budgeting, divorce, basic legal consultations
Family and relationship issues — caregiving, parenting, marital stress
Work-related concerns — conflict, performance stress, major life transitions
Most EAPs provide a set number of free counseling sessions per issue per year (commonly 3–8), available 24/7 by phone, with options for in-person, video, or chat. For an SMB, an EAP is one of the highest-leverage benefits you can offer: the cost is low (often a few dollars per employee per month), and the payoff — in retention, productivity, and showing employees you take their wellbeing seriously — is significant.
2. Protecting PHI and Navigating HIPAA Within EAPs
This is where founders most often get tripped up, so let's be precise.
Does HIPAA even apply to your EAP?
It depends on how the EAP is structured. HIPAA's Privacy Rule applies to "covered entities" (health plans, providers, and clearinghouses) and their business associates. Whether your EAP falls under HIPAA hinges on the services it provides:
EAPs that provide medical or mental health treatment (counseling, diagnosis, therapy) are generally considered group health plans and are subject to HIPAA.
EAPs that only provide referrals — pointing employees to outside resources without delivering treatment — may not be classified as a group health plan, and HIPAA may not apply in the same way.
Because this classification drives your legal obligations, confirm your specific EAP's status with your broker, EAP vendor, and employment counsel. Don't assume.
What is PHI here?
Protected Health Information (PHI) is any individually identifiable health information. In the EAP context, that includes the fact that someone used the EAP, what they discussed, any diagnosis, treatment notes, and referral records. Even confirming that an employee contacted the EAP can be protected information.
How to protect it — practical guardrails for SMBs
Even where HIPAA doesn't strictly apply, treat EAP information as confidential by default. Other laws — the ADA, state privacy statutes (California's are especially strict and relevant to your team), and basic duty-of-care principles — still govern you.
Build a wall between the EAP and management. The employer should never receive identifying details about who used the program or why. Reputable EAP vendors only share aggregate, de-identified utilization data (e.g., "12% of employees used the program this quarter"). That's it.
Never store EAP records in personnel files. If any EAP-related documentation exists, keep it separate, access-restricted, and out of the general HR file. Medical and disability information must be maintained separately under the ADA regardless.
Limit access on a strict need-to-know basis. Even within HR, not everyone needs visibility into a benefit utilization issue.
Vet your vendor's compliance. Ask directly: Are you a HIPAA-covered entity? Do you sign a Business Associate Agreement where required? How is data encrypted, stored, and shared? Get the answers in writing.
Train managers on what they cannot do. A manager should never ask an employee what they discussed with the EAP, pressure them to disclose, or document a referral as a performance issue. (More on this below.)
Get consent before any information moves. If an employee wants you to coordinate with the EAP (for example, in a formal management referral), there should be a signed release specifying exactly what can be shared.
3. When Can You Discuss Issues That Arise — Addiction, Finances, Therapy, Health Conditions?
Founders often feel caught between two instincts: "I want to help" and "I don't want to overstep or create liability." Here's the framework.
The default rule: You don't initiate, and you don't dig.
You generally cannot and should not proactively discuss an employee's addiction, mental health, financial distress, therapy, or medical conditions — even if you learned about it informally, even if you're trying to help. Doing so can violate the ADA, privacy laws, and trust, and can expose you to discrimination and disclosure claims.
What you focus on instead is job performance and behavior, not the underlying personal issue.
When discussion is appropriate or necessary
1. When the employee brings it to you voluntarily. If an employee chooses to disclose, you can listen, express support, and remind them the EAP is available. Keep what they share confidential and resist the urge to share it "to help." Do not promise outcomes you can't control.
2. When you're making a general, non-personal reminder. You can — and should — regularly promote the EAP to the whole team ("Reminder: our EAP offers free, confidential counseling and financial and legal support") without singling anyone out.
3. When performance or conduct is the issue (the safe lane). If someone's work is slipping, you address the performance — missed deadlines, attendance, behavior — through your normal process. You can mention the EAP as an available resource for any employee facing challenges, without diagnosing or speculating about the cause. This is often called a "constructive confrontation" or informal referral: focus on the observable issue, offer the resource, document the performance facts only.
4. When there's a legal duty or safety risk. Threats of violence, safety hazards, or situations triggering legal obligations (a formal accommodation request under the ADA, a fitness-for-duty concern) may require action — but these are handled through defined legal processes, ideally with counsel, not casual conversations.
5. When the employee requests an accommodation. If someone discloses a condition (including addiction in recovery, which can be ADA-protected, or a mental health condition) and requests accommodation, you engage in the ADA "interactive process." Here you can discuss the work-related limitations and possible accommodations — but only as much as needed, and you keep medical details confidential and separate.
A quick reference
| Situation | Can you discuss it? | How |
| --- | --- | --- |
| You heard a rumor about an employee's addiction | No | Don't act on rumors; manage performance only |
| Employee voluntarily tells you they're in therapy | Listen, support | Keep it confidential; mention EAP |
| Employee's performance is declining | Yes — the performance | Address conduct/results; offer EAP to all |
| Employee requests accommodation for a condition | Yes — work limitations | ADA interactive process; keep medical info separate |
| You want to check what they told the EAP | Never | EAP communications are confidential |
| Safety threat or legal duty | Yes — with care | Follow defined process, involve counsel |
Why This Matters for Founders and SMBs
In a small company, everyone knows everyone — which is exactly why privacy discipline matters more, not less. One careless comment, one EAP note in the wrong file, one manager who "just wanted to help" can become a legal claim and a culture-killer.
Done right, an EAP signals something powerful to your team: We've invested in your wellbeing, and we respect your privacy enough to stay out of it. That combination — care plus boundaries — is what builds the kind of trust that retains people through hard seasons.
For California employers especially, where privacy and employment laws are among the strictest in the country, the cost of getting this wrong is real. Build your policies deliberately, train your managers clearly, and treat employee privacy as non-negotiable.
At L.A. Confidential HR, we help small and mid-sized businesses build practical HR foundations that support compliance, operational excellence, and healthier workplaces.
Because protecting your people is good business.
This post is general HR guidance, not legal advice. EAP structures, HIPAA applicability, and privacy obligations vary by program and by state — confirm your specific situation with your EAP vendor and qualified employment counsel before setting policy.
Chinese Version (translated to English):
Employee Assistance Programs (EAPs): What Every Founder and SMB Leader Should Know About Privacy, Confidentiality, and Doing Right by Your People
An Employee Assistance Program (EAP) is one of the most underrated and most easily misunderstood benefits in the small and mid-sized business world. Founders often add it on the strength of a single recommendation from an insurance broker and then never think about it again, until an employee falls into crisis, a manager asks a question they shouldn't have, or people start guessing whether HR "knows" the private business of a struggling colleague.
This post breaks down what an EAP actually is, how to protect employee privacy (including when HIPAA applies and when it doesn't), and which lines must never be crossed when sensitive issues surface. If you run a startup or an SMB, getting this right protects both your employees and your company.
1. What Is an EAP?
An Employee Assistance Program is a confidential, employer-funded benefit that gives employees (and usually their family members) access to short-term support for personal and work-related challenges. Think of it as a "front door to help": most issues are either resolved directly through the EAP or referred on to longer-term resources.
A typical EAP usually covers:
Mental health and emotional support: stress, anxiety, depression, grief, burnout
Substance use and addiction: assessment, counseling, referral to treatment providers
Financial and legal difficulties: debt, budgeting, divorce, basic legal consultations
Family and relationship issues: caregiving, parenting, marital stress
Work-related concerns: conflict, performance pressure, major life transitions
Most EAPs provide a set number of free counseling sessions per issue per year (usually 3 to 8), round-the-clock phone support, and in-person, video, or online chat options. For an SMB, an EAP is one of the highest-return benefits you can offer: the cost is low (usually only a few dollars per employee per month), while the payoff, in retention, productivity, and showing employees that you value their wellbeing, is considerable.
Founder takeaway: The EAP is not "HR's mental health hotline." It is an independent, confidential resource. The moment employees believe leadership can see what they discuss, the program loses all its value.
2. Protecting PHI and Navigating HIPAA Within the EAP
This is exactly where founders most often go wrong, so we need to be precise.
Does HIPAA actually apply to your EAP?
It depends on how the EAP is structured. The HIPAA Privacy Rule applies to "covered entities" (health plans, healthcare providers, and clearinghouses) and their business associates. Whether your EAP falls within HIPAA's scope hinges on the type of services it provides:
EAPs that provide medical or mental health treatment (counseling, diagnosis, therapy) are generally treated as group health plans and are therefore regulated under HIPAA.
EAPs that only provide referrals, merely directing employees to outside resources without delivering treatment themselves, may not be classified as group health plans, and HIPAA applies differently.
Because this classification directly determines your legal obligations, be sure to confirm your specific EAP's status with your insurance broker, your EAP vendor, and your employment counsel. Don't assume.
What is PHI in this context?
Protected Health Information (PHI) is any individually identifiable health information. In the EAP context, this includes the fact that someone "used" the EAP, what they discussed, any diagnosis, treatment records, and referral records. Even merely confirming that an employee "contacted" the EAP may be protected information.
How to protect it: practical safeguards for SMBs
Even where HIPAA does not strictly apply, EAP information should be treated as confidential by default. Other laws, the Americans with Disabilities Act (ADA), state privacy statutes (California's are especially strict and highly relevant to your team), and basic duty-of-care principles, still bind you.
Build a wall between the EAP and management. The employer should never receive identifiable information about who used the program or why. Reputable EAP vendors share only aggregated, de-identified utilization data (for example, "12% of employees used the program this quarter"). That's all.
Never put EAP records in personnel files. If any EAP-related documentation exists, it should be kept separately, with restricted access, and outside the general HR file. Under the ADA, medical and disability information must be stored separately in any case.
Restrict access strictly on a need-to-know basis. Even within HR, not everyone needs to know about a benefit utilization matter.
Vet your vendor's compliance. Ask directly: Are you a HIPAA covered entity? Where required, will you sign a Business Associate Agreement (BAA)? How is data encrypted, stored, and shared? Get the answers in writing.
Train managers on what they cannot do. A manager should never ask an employee what they discussed with the EAP, pressure them to disclose, or record a referral as a performance issue. (More on this below.)
Obtain consent before any information moves. If an employee wants you to coordinate with the EAP (for example, in a formal management referral), there should be a signed authorization specifying exactly what may be shared.
Founder takeaway: Your job is to fund and promote the program, then step aside. The less leadership knows about individual usage, the better, legally and ethically alike.
3. When Can You Discuss Issues That Surface: Addiction, Finances, Therapy, Health Conditions?
Founders are often pulled between two instincts: "I want to help" on one side and "I don't want to overstep or create legal risk" on the other. Here is the framework for deciding.
The default rule: you don't initiate, and you don't dig.
Generally, you should not and cannot proactively discuss an employee's addiction, mental health, financial distress, therapy, or medical condition, even if you learned of it through informal channels, even if you mean well and want to help. Doing so may violate the ADA and privacy laws, damage trust, and expose you to discrimination and disclosure claims.
What you should focus on is job performance and behavior, not the personal issue behind it.
When discussion is appropriate or necessary
1. When the employee confides in you voluntarily. If an employee chooses to disclose, you can listen, express support, and remind them that the EAP is available at any time. Keep what they share confidential, and resist the urge to pass it along "in order to help." Don't promise outcomes you can't control.
2. When you are making a general, team-wide reminder that targets no one. You can, and should, promote the EAP to the whole team regularly ("Reminder: our EAP offers free, confidential counseling, as well as financial and legal support") without singling out any individual.
3. When the issue is performance or conduct (this is the safe lane). If someone's work starts slipping, you handle the performance issue through your normal process: missed deadlines, attendance, behavior. You can mention the EAP as an available resource to any employee facing difficulties, without diagnosing or speculating about the cause. This is often called a "constructive confrontation" or an informal referral: focus on the observable issue, offer the resource, and document only the performance facts.
4. When there is a legal duty or safety risk. Threats of violence, safety hazards, or situations that trigger legal obligations (such as a formal accommodation request under the ADA or a fitness-for-duty concern) may require action, but these should be handled through defined legal processes, ideally with counsel involved, not through casual conversations.
5. When the employee requests a reasonable accommodation. If someone discloses a condition (including addiction in recovery, which may be ADA-protected, or a mental health condition) and requests an accommodation, you enter the ADA "interactive process." Here you may discuss work-related limitations and possible accommodations, but only to the extent necessary, and medical details must be kept confidential and stored separately.
Quick reference
| Situation | Can you discuss it? | How to handle |
| --- | --- | --- |
| You hear a rumor about an employee's addiction | No | Don't act on rumors; manage performance only |
| An employee voluntarily tells you they are in therapy | Listen, support | Keep it confidential; you may mention the EAP |
| An employee's performance is declining | Yes, the performance | Address conduct/results; offer the EAP to everyone |
| An employee requests an accommodation for a condition | Yes, the work limitations | ADA interactive process; store medical information separately |
| You want to know what they told the EAP | Never | EAP communications are confidential |
| Safety threat or legal duty | Yes, with care | Follow the established process; bring in counsel |
Founder takeaway: Lead with empathy, but stay in your lane. Talk about the work, offer the resource, protect privacy. Leave the personal issue itself to the EAP and licensed professionals.
Why This Matters for Founders and SMBs
In a small company everyone knows everyone, which is exactly why privacy discipline matters more, not less. One offhand comment, one EAP record filed in the wrong place, one manager who "just wanted to help" can turn into a legal claim and a culture killer.
Done right, the EAP sends a powerful signal to your team: we have invested in your wellbeing, and we respect your privacy enough not to pry. That combination, care plus boundaries, is the source of the kind of trust that keeps employees with you through hard times.
This is especially true for California employers. California's privacy and employment laws are among the strictest in the country, and the cost of getting this wrong is real. Build your policies deliberately, train your managers clearly, and treat employee privacy as a non-negotiable bottom line.
This post is general HR guidance, not legal advice. EAP structures, HIPAA applicability, and privacy obligations vary by program and by state; before setting policy, consult your EAP vendor and qualified employment counsel about your specific situation.