EAP integration with Nova, adding an AI support layer without disrupting vendors or escalation pathways

Raya Moshiri
05 May 2026

Content
- TL;DR / Key takeaways (implementation-first)
- Example use case (hypothetical) adding Nova without changing the EAP contract
- Integration architecture, how Nova coexists with your EAP (conceptual blueprint)
- Define triage boundaries, what AI supports vs. what the EAP owns
- Warm handoffs, consent, after-hours, and documentation
- Governance that maps to procurement and security checklists
- Step-by-step implementation plan (conceptual)
- RACI vendor coordination so nothing falls between Nova and the EAP
- Measurement outcomes that are EAP-realistic (without over-claiming)
- Gotchas and mitigations (what buyers miss until late-stage evaluation)
- Implementation checklist (copy/paste for your buying committee)
- FAQ (for HR/Benefits, InfoSec, Legal/Privacy, and EAP clinical leadership)
Adding an AI mental health tool to an existing EAP without disruption usually comes down to three operational decisions: (1) identity and eligibility (SSO and who can access), (2) triage boundaries (what AI supports vs. what the EAP owns), and (3) warm handoffs and crisis escalation (who responds, when, and how it’s documented). Nova can sit in front of your EAP as an always-available entry point for navigation and early support, while your EAP remains the counseling provider and crisis escalation owner. A lower-risk path is to minimize data, codify responsibilities in workflows, and run vendor coordination as a weekly working session with Nova, the EAP, and your HRIS/IdP owners, with a shared change log.
TL;DR / Key takeaways (implementation-first)
- Treat Nova as a front door, not a replacement. AI supports navigation and early support; the EAP remains the counseling provider and crisis escalation owner.
- SSO is typically required by security reviewers. Use SAML or OIDC through your IdP to keep identity governance centralized.
- Eligibility should match EAP rules. Define covered populations, regions, languages, leave status, and termination grace periods, then implement via directory groups or just-in-time (JIT) claims. If you need dependents who don’t authenticate via the corporate IdP, plan a separate eligibility feed.
- A warm handoff is a workflow. Define consent points, after-hours routing, what context (if any) can be shared, and the system of record for documentation.
- Default to aggregated or de-identified reporting; avoid collecting or sharing sensitive content with the employer.
- Crisis escalation needs a single responder. The EAP answers urgent calls; Nova displays the protocol and routes to the right EAP path, 911, or local equivalents by region. Test with tabletop exercises.
- Put a RACI, reporting cadence, and change control in place across Nova, the EAP, and internal teams so handoffs don’t get dropped.
- Track incremental utilization, referral appropriateness, engagement quality, and operational health, without over-claiming clinical outcomes or doing ROI math.
- Employee comms should state confidentiality boundaries and reinforce that AI does not replace human care.
Most sources on AI mental health tools are either academic (high-level) or vendor marketing (promise-heavy). This is a coexistence blueprint you can take into an HR/Benefits evaluation, an EAP clinical governance meeting, and a security/privacy review.
Example use case (hypothetical) adding Nova without changing the EAP contract
Imagine an employer that already has a single EAP vendor and does not want to renegotiate the EAP contract or alter crisis pathways. They may operate across multiple countries and time zones, with SSO through an existing enterprise IdP. Constraints are typical:
- Security: SSO required through the existing IdP, no new identity silo, strict admin access controls.
- Legal/Privacy: clear employee notice on what HR can and can’t see, retention schedule, cross-border considerations.
- EAP clinical leadership: EAP remains the counseling provider, crisis escalation stays with the EAP, after-hours rules must be explicit by region.
- HR/Benefits: improve discoverability and reduce friction without confusing employees or straining the EAP vendor relationship.
Integration decisions that could unlock the rollout
1. SSO via OIDC with JIT eligibility using IdP claims, which can avoid a separate directory sync project.
2. Referral workflow captures events only (for example, “EAP referral offered” and “EAP referral accepted”), not conversation content.
3. Crisis escalation stays with the EAP, with Nova presenting region-specific instructions and after-hours options. If your EAP uses region-specific phone trees, keep the numbers in a versioned table owned by EAP clinical ops.
What could almost break adoption
Manager messaging can drift into “AI replaces counseling.” Correct quickly with one approved line used across comms, manager scripts, and HR helpdesk responses:
“Nova helps you find the right next step; the EAP remains your route to counseling and crisis support.”
Integration architecture, how Nova coexists with your EAP (conceptual blueprint)
At a conceptual level, you’re designing four flows.
1) Identity and access (SSO)
- Employee authenticates via your IdP using SAML 2.0 or OIDC.
- Nova receives only what it needs to establish access and basic routing (for example, region and language).
Centralizing authentication in the IdP reduces credential sprawl, supports conditional access, and keeps joiner/mover/leaver controls consistent with other enterprise tools.
2) Eligibility (who can use Nova)
You need an eligibility model that mirrors your EAP coverage rules.
- Directory-based eligibility: HRIS to IdP groups to Nova access (scheduled provisioning)
- Just-in-time eligibility: IdP asserts eligibility at login via claims (no separate user directory sync)
JIT often ships faster and reduces stored personal data, especially in complex global orgs. It can be harder if your IdP claims are inconsistent across regions, or if you need dependents who do not authenticate via the corporate IdP.
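A sketch of the JIT decision at login, added here as an illustration and not Nova's or any IdP's actual code. The claim names (`region`, `locale`, `employee_type`, `employment_status`, `termination_date`), the covered regions and the 30-day grace period are assumptions; the ID token's signature, issuer, audience and expiry are assumed to have been verified by the OIDC client library before this function runs.

```python
from datetime import date, timedelta

# Assumed policy values; the real ones come from the EAP coverage rules.
COVERED_REGIONS = {"US", "GB", "DE"}
COVERED_TYPES = {"employee"}
ELIGIBLE_STATUSES = {"active", "leave"}   # employees on leave stay covered
TERMINATION_GRACE = timedelta(days=30)    # constructed grace period
REQUIRED = ("sub", "region", "locale", "employee_type", "employment_status")


def decide_eligibility(claims, today):
    """Map already-verified ID token claims to an eligibility decision.

    Returns {'eligible': bool, 'reason': str, 'session': dict}. The session
    keeps only what routing needs; every other claim is dropped.
    """
    def deny(reason):
        return {"eligible": False, "reason": reason, "session": {}}

    # Fail closed when a region's IdP omits or mangles a claim.
    missing = [k for k in REQUIRED
               if not isinstance(claims.get(k), str) or not claims[k].strip()]
    if missing:
        return deny("missing_claim:" + ",".join(missing))

    region = claims["region"].strip().upper()   # normalise inconsistent casing
    if region not in COVERED_REGIONS:
        return deny("region_not_covered")
    if claims["employee_type"].strip().lower() not in COVERED_TYPES:
        return deny("type_not_covered")

    status = claims["employment_status"].strip().lower()
    if status == "terminated":
        try:
            ended = date.fromisoformat(claims.get("termination_date"))
        except (TypeError, ValueError):
            return deny("termination_date_invalid")
        if today > ended + TERMINATION_GRACE:
            return deny("grace_period_expired")
    elif status not in ELIGIBLE_STATUSES:
        return deny("status_not_covered")

    session = {"sub": claims["sub"], "region": region,
               "locale": claims["locale"].strip()}
    return {"eligible": True, "reason": "ok", "session": session}
```

Logging the `reason` string (not the claims) gives the IdP owner enough to find regions whose claims are inconsistent without storing extra personal data.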
3) Support and navigation (in Nova)
Employees use Nova for early support and navigation. Configure Nova to:
- Offer self-guided support and skills where appropriate
- Recommend an EAP connection when the employee needs counseling-level support
- Present crisis instructions when urgent help is needed, based on your agreed protocol
4) Referral and escalation (handoff to EAP)
- When the employee chooses to connect, Nova routes them to the correct EAP pathway (region-specific).
- The EAP remains responsible for clinical intake, counseling, and crisis response.
This keeps the EAP as the clinical system of record and avoids parallel documentation across vendors.
Define triage boundaries, what AI supports vs. what the EAP owns
Safety and clarity come from boundaries you can explain quickly and enforce in workflows.
Nova is for (non-clinical, early support and navigation)
- Finding the right resource quickly (EAP, internal resources, self-guided tools)
- Everyday skills and coping support (non-diagnostic, non-treatment positioning)
- Encouraging appropriate help-seeking, including EAP use
The EAP is for (clinical counseling and crisis escalation)
- Counseling/therapy services (per your EAP contract)
- Clinical assessment and clinical documentation (where applicable)
- Crisis escalation and after-hours protocols
Codify it in a “Triage + Escalation One-Pager”
Minimum fields to include:
- What Nova will not claim to do (diagnose, replace counseling, guarantee outcomes)
- Referral triggers (what prompts “consider EAP” vs. “offer EAP now”)
- Crisis pathway (who answers, where it routes, after-hours rules)
- System of record boundaries (for example, EAP intake notes stay in the EAP system; Nova retains only referral events)
- Who approves workflow updates
Warm handoffs, consent, after-hours, and documentation
A warm handoff is an agreed operational handshake with consent points and responsibilities, not a button that says “Call the EAP.”
A workable enterprise definition of “warm handoff”
A warm handoff includes:
1. Correct routing (right number/site/path for the employee’s region and language)
2. Clear expectations (what happens next, who they’ll talk to, typical steps)
3. Consent points if any information is shared beyond the referral event
4. After-hours instructions (what to do outside coverage windows)
5. System-of-record clarity (EAP owns clinical documentation; Nova does not become the clinical record)
Consent and context sharing, default to minimal
For coexistence, a lower-friction model is:
- Share referral events only (offered/accepted), not content
- If context sharing is desired later, make it explicitly opt-in, limited, and purpose-bound
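One way to enforce "events only, not content" in code, and to produce the aggregated employer reporting described in the key takeaways. This is an added example, not Nova's schema: the field names, the ISO-week bucket and the small-cell suppression threshold are assumptions to be set with Legal/Privacy.

```python
from collections import Counter

ALLOWED_EVENT_TYPES = {"eap_referral_offered", "eap_referral_accepted"}
ALLOWED_FIELDS = {"event_type", "region", "week"}   # no user id, no free text
MIN_CELL_SIZE = 5   # assumed threshold: smaller counts are not reported


def build_referral_event(event_type, region, week, **extra):
    """Create a referral event; reject anything outside the allow-list."""
    if event_type not in ALLOWED_EVENT_TYPES:
        raise ValueError(f"event type not allowed: {event_type!r}")
    if extra:
        # A caller trying to attach a transcript or a user id fails loudly
        # here instead of silently widening what is stored.
        raise ValueError(f"fields not allowed: {sorted(extra)}")
    return {"event_type": event_type, "region": region, "week": week}


def employer_report(events):
    """Aggregate per (region, week); counts below MIN_CELL_SIZE become None."""
    counts = Counter()
    for ev in events:
        if set(ev) != ALLOWED_FIELDS or ev["event_type"] not in ALLOWED_EVENT_TYPES:
            raise ValueError("stored event does not match the allow-list")
        counts[(ev["region"], ev["week"], ev["event_type"])] += 1

    def shown(n):
        return n if n >= MIN_CELL_SIZE else None

    cells = sorted({(region, week) for region, week, _ in counts})
    return [{"region": region, "week": week,
             "offered": shown(counts[(region, week, "eap_referral_offered")]),
             "accepted": shown(counts[(region, week, "eap_referral_accepted")])}
            for region, week in cells]


def sample_events():
    """Constructed sample data: 6 offered / 2 accepted in US, 1 offered in DE."""
    week = "2026-W19"
    events = [build_referral_event("eap_referral_offered", "US", week) for _ in range(6)]
    events += [build_referral_event("eap_referral_accepted", "US", week) for _ in range(2)]
    events.append(build_referral_event("eap_referral_offered", "DE", week))
    return events
```

Because the event carries no user identifier at all, the report cannot be joined back to an individual, and the suppression step covers the remaining case where a small site would make a count identifying.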
Governance that maps to procurement and security checklists
Most implementation risk is governance gaps: data minimization, consent language, retention, auditability, and incident readiness.
Privacy (PIA/DPIA)
- Purpose limitation: document what Nova is used for (navigation/early support) and what it is not (diagnosis, therapy replacement).
- Data minimization: collect the minimum needed for access, routing, and aggregated program insights.
- Consent language: ensure employees understand confidentiality boundaries and any optional sensitive inputs.
- Retention/deletion: define retention for product events and deletion processes (including offboarding).
- Cross-border transfers: document hosting regions, subprocessors, and transfer mechanisms where applicable.
Security (vendor risk review)
- SSO (SAML/OIDC) through your IdP
- RBAC for admin/reporting, plus audit logging for admin actions
- Encryption in transit/at rest (aligned to your standards)
- Incident response and notification expectations
- Subprocessor list and change notification process
Clinical safety and escalation governance (EAP coexistence)
- Crisis pathway and after-hours rules by region
- Tabletop testing (simulate “urgent help” scenarios and confirm routing)
- Change control for workflow/content updates that could affect escalation behavior
- Documentation boundaries (EAP clinical records remain with the EAP)
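A release check for the versioned, region-specific routing table, written as an added example and not taken from Nova or any EAP vendor. The table layout, the in-scope regions and languages, and the coverage hours are assumptions; every number is a placeholder except 911, which the article names.

```python
# Constructed sample data. Hours are local coverage windows (start, end).
SCOPE = {"US": ["en", "es"], "GB": ["en"], "DE": ["de", "en"]}
TABLE = {
    "version": "2026-05-01.1",
    "owner": "eap-clinical-ops",
    "routes": {
        "US": {"emergency": "911", "hours": (0, 24), "after_hours": None,
               "eap": {"en": "EAP-US-EN-PLACEHOLDER", "es": "EAP-US-ES-PLACEHOLDER"}},
        "GB": {"emergency": "EMERGENCY-GB-PLACEHOLDER", "hours": (8, 20),
               "after_hours": "EAP-GB-AFTER-HOURS-PLACEHOLDER",
               "eap": {"en": "EAP-GB-EN-PLACEHOLDER"}},
        "DE": {"emergency": "EMERGENCY-DE-PLACEHOLDER", "hours": (8, 18),
               "after_hours": None,                      # gap: nothing after 18:00
               "eap": {"de": "EAP-DE-DE-PLACEHOLDER"}},  # gap: "en" path missing
    },
}


def validate_table(table, scope):
    """Return the gaps that should block a routing-table change."""
    problems = []
    for field in ("version", "owner"):
        if not table.get(field):
            problems.append(f"table: missing {field}")
    routes = table.get("routes", {})
    for region, languages in sorted(scope.items()):
        route = routes.get(region)
        if route is None:
            problems.append(f"{region}: no route")
            continue
        if not route.get("emergency"):
            problems.append(f"{region}: no emergency instruction")
        for lang in languages:
            if not route.get("eap", {}).get(lang):
                problems.append(f"{region}: no EAP path for language {lang}")
        start, end = route.get("hours", (0, 0))
        if (start, end) != (0, 24) and not route.get("after_hours"):
            problems.append(f"{region}: no after-hours path outside {start}-{end}")
    return problems


def resolve(table, region, language, local_hour):
    """Pick what to display; None means the region is unrouted."""
    route = table["routes"].get(region)
    if route is None:
        return None
    start, end = route["hours"]
    if start <= local_hour < end:
        # Fall back to the region's first listed language if needed.
        path = route["eap"].get(language) or next(iter(route["eap"].values()), None)
    else:
        path = route.get("after_hours")   # None: show emergency instruction only
    return {"eap_path": path, "emergency": route["emergency"],
            "table_version": table["version"]}
```

Running `validate_table` in change control and `resolve` against each region in a tabletop exercise makes the two DE gaps in the sample visible before an employee hits them.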
Step-by-step implementation plan (conceptual)
A rollout usually follows a predictable sequence: align boundaries, implement identity/eligibility, operationalize handoffs, then launch with clear comms and measurement.
Phase 0 Pre-alignment (1–2 weeks)
- Confirm the coexistence model: Nova front door; EAP clinical owner
- Approve the Triage + Escalation One-Pager
- Establish RACI and change control
- Align on reporting principles (aggregated/de-identified)
Phase 1 Identity and eligibility build (2–4 weeks)
- Implement SSO (SAML/OIDC) via IdP
- Choose eligibility model (directory vs. JIT claims, plus a plan for dependents if needed)
- Validate access controls for reporting/admin roles
Phase 2 Referral and crisis workflow build (2–4 weeks)
- Configure EAP referral paths by region/language (including phone trees if applicable)
- Define warm handoff steps and consent points
- Implement after-hours routing rules
- Run a crisis escalation tabletop test with the EAP clinical lead
Phase 3 Pilot launch (2–4 weeks)
- Launch to a defined population (one region, BU, or phased global)
- Weekly operational reviews (SSO issues, comms confusion, handoff failures)
- Tight feedback loop with EAP vendor and internal helpdesk
Phase 4 Scale and steady state (ongoing)
- Expand coverage
- Monthly reporting cadence with a shared KPI glossary
- Quarterly governance review (privacy, security, escalation readiness)
RACI vendor coordination so nothing falls between Nova and the EAP
A practical RACI outline:
- HR/Benefits (Program Owner), accountable for goals, rollout, comms, measurement, vendor alignment
- EAP Clinical Lead, accountable for counseling pathway and crisis escalation; consulted on triage boundaries
- InfoSec, responsible for security review, SSO requirements, admin access controls, incident readiness
- Legal/Privacy, responsible for PIA/DPIA, consent language, retention, cross-border transfer terms
- Procurement/Vendor Risk, responsible for contracting, subprocessor review, ongoing vendor governance
- Internal Comms, responsible for employee messaging and manager enablement
- Nova Implementation Lead, responsible for configuration: SSO/eligibility, workflows, reporting setup (as agreed)
- HR Helpdesk / People Ops, informed/consulted on support scripts and routing (not a clinical intake point)
Measurement outcomes that are EAP-realistic (without over-claiming)

Measure operational health and appropriate routing, then improve the experience, rather than trying to prove therapy outcomes from an access tool.
What to track
- Incremental utilization: unique users, repeat engagement
- Referral signals: referrals offered vs. accepted
- Engagement quality: return rates, completion of self-guided pathways, in-the-moment feedback prompts
- Operational health: SSO failure rate, support tickets, time-to-resolution, uptime
- Governance health: audit log reviews, change control adherence, incident drills completed
Guardrails (what not to do)
- Don’t claim diagnosis, treatment, or guaranteed clinical improvement from an AI front door.
- Don’t pressure deflection from the EAP; the goal is appropriate referral, not avoidance of care.
- Don’t provide employer reporting that identifies who is struggling or exposes personal content.
Gotchas and mitigations (what buyers miss until late-stage evaluation)
Privacy and reporting
- Stakeholders ask for individual-level insights (“who is struggling?”). Set the boundary: employer reporting is aggregated/de-identified, and limit admin access accordingly.
- Sensitive data over-collection slows approvals. Default to data minimization; make sensitive inputs optional with clear consent language and retention limits.
Clinical safety
- Crisis handling is unclear, especially after hours. Keep one responder (EAP or designated crisis provider), document after-hours rules by region, and test with tabletop exercises.
- Warm handoff is claimed but undefined. Define routing, consent, after-hours instructions, and what gets documented where.
Adoption and comms
- Employees assume AI replaces human care and disengage. Use consistent language everywhere: AI for navigation and early support; humans for counseling and crisis. Train managers and HR helpdesk on the same script.
- One-time comms leads to invisibility again. Reuse the same message in onboarding and benefits enrollment.
Vendor coordination
- The EAP vendor feels displaced and becomes a blocker. Keep clinical work and crisis response with the EAP, and use Nova to reduce friction and improve routing. Use joint reporting and change control.
Global/localization
- A single workflow doesn’t fit every country. Maintain a global template with local appendices (crisis resources, consent language, hosting/transfer constraints, language support).
Implementation checklist (copy/paste for your buying committee)
EAP + AI coexistence readiness checklist
- Scope
- [ ] What employee populations are in scope (employees, dependents, contractors)?
- [ ] Which regions/languages are supported on day one?
- Identity + eligibility
- [ ] SSO method selected (SAML or OIDC) and IdP owner identified
- [ ] Eligibility model selected (directory vs. JIT claims, plus dependents approach if needed)
- [ ] Eligibility rules documented (LOA, termination, regional coverage constraints)
- Triage boundaries
- [ ] One-page boundary statement approved (Nova vs. EAP vs. crisis)
- [ ] After-hours routing rules documented by region
- Warm handoff
- [ ] Definition of “warm handoff” agreed (routing + consent + expectations)
- [ ] System-of-record boundaries documented (EAP clinical documentation stays with EAP)
- Governance
- [ ] Data minimization decisions documented
- [ ] Consent language drafted and approved
- [ ] Retention/deletion schedule agreed
- [ ] Audit logging and admin access controls defined
- [ ] Incident response expectations agreed (including vendor coordination)
- Operations
- [ ] RACI signed off (Nova + EAP + internal teams)
- [ ] Support model defined (who answers what questions)
- [ ] Change control process established (workflow updates, content updates)
- Launch + measurement
- [ ] Pilot plan and comms calendar built
- [ ] Manager script approved
- [ ] KPI glossary and reporting cadence agreed (weekly to monthly to quarterly)
FAQ (for HR/Benefits, InfoSec, Legal/Privacy, and EAP clinical leadership)
Q1) Can we integrate Nova with our EAP without changing our EAP vendor contract?
Yes, if Nova is implemented as a front door for navigation and early support and your EAP remains the counseling provider and crisis escalation owner. Document boundaries and routing workflows so the EAP pathway stays intact.
Q2) What’s the safest way to handle SSO for an AI mental health tool?
Use your existing IdP with SAML or OIDC, and apply the same access governance you use for other enterprise apps (RBAC for admins, conditional access where required). This keeps identity controls centralized.
Q3) How do we ensure eligibility matches our EAP coverage rules?
Write eligibility rules first (regions, employee types, dependents, LOA, termination). Then implement via directory groups or just-in-time claims. If dependents are off-IdP, plan a separate eligibility method.
Q4) What does “warm handoff” mean in practice?
The employee is routed to the right EAP pathway with clear next-step expectations, with explicit consent if any information is shared beyond the referral event, and with clear after-hours instructions. It is not just a link.
Q5) Who handles crisis escalation in an AI + EAP model?
Your EAP (or designated crisis provider) should remain the single responder for crisis escalation. Nova’s role is to surface the agreed protocol and route appropriately, especially after hours and across regions.
Q6) What data should HR/Benefits expect to see?
Aggregated, de-identified program insights (adoption, engagement patterns, referral events at a high level, operational health). HR should not receive individual-level mental health content or “who is struggling” reporting.
Q7) How do we avoid over-claiming outcomes during measurement?
Measure operational and program health outcomes (utilization, engagement quality, referral signals, SSO reliability) and avoid claims about diagnosis, treatment efficacy, or guaranteed clinical improvement from an AI front door.
Q8) What’s the most common reason these rollouts fail?
Misalignment on boundaries and comms. If employees or managers believe AI replaces counseling, or if crisis handling is unclear, trust drops and adoption stalls. Fix it by codifying workflows, publishing confidentiality boundaries, and enabling managers with a simple script.
About the Author

Raya Moshiri, Marketing Associate
I’m Raya Moshiri, and I help organizations bring proactive mental health support to life by coordinating programs, resources, and experiences that drive engagement and real-world impact. Based in New York, I’m dedicated to making workplace wellbeing both attainable and actionable.