HR Urged to Protect Wellness Program Data

Specify what wellness providers can and cannot do with health information

By Steve Bates March 12, 2015

HR professionals are being encouraged to review contracts with wellness program providers to ensure that the providers do not disclose employees’ health information.

The federal Health Insurance Portability and Accountability Act (HIPAA) forbids release of an individual’s personal health information without his or her authorization. But legal experts say health information that does not include the names of employees or that aggregates the medical data of multiple workers falls into a gray area. That opens the door for such information to be sold by unscrupulous wellness providers. “HIPAA doesn’t prevent the practice of disclosing aggregate data,” said Eric S. Boos, an attorney with Shook, Hardy & Bacon in Miami. “It doesn’t really speak to that.”

Legal and wellness program experts told SHRM Online that they have no direct knowledge of wellness providers selling or sharing employee health information. But they noted that if any financial incentives exist, the data is at risk. Health care corporations’ regional and national marketers “can do a lot with aggregate data,” observed Boos.

“There are (wellness) companies that do protect the data. There are companies that play fast and loose with the data,” said Jonathan Edelheit, president of the Corporate Health & Wellness Association in Palm Beach Gardens, Fla. “It exposes employers to tremendous liability.”

Employer wellness programs have collected millions of data points about employees’ personal lives as they seek to help workers become healthier and to curb employers’ health care costs. Through evaluations that workers fill out, the providers learn the prevalence of certain health issues, said David Chenoweth, Ph.D., president of wellness provider Chenoweth & Associates Inc., in New Bern, N.C. For example: What percentage of the company’s workers have diabetes or want assistance to stop smoking or lose weight? However, wellness providers “don’t need to know the names” of the employees who reported such concerns, he stated.

Given the amount of data being collected, the potential for its misuse and the constant threat from hackers, “There is just so much risk now,” said Chenoweth.

Legal experts say HR professionals should initiate reviews of existing wellness program contracts and should insist that their organizations perform due diligence when considering new programs. Contracts should specify that wellness providers may not share health data except in circumstances spelled out by the employer.

“Companies need to protect their brand and protect their employees. They need to vet their contracts,” said Adam C. Solander, an attorney with Epstein Becker Green in Washington, D.C.

Edelheit said most employers do a good job of following HIPAA rules internally. However, when it comes to arrangements with business associates such as wellness providers, “They don’t always think to look at the terms and disclosures and other language.” Wellness providers considering selling health information probably will not disclose that intent in the fine print of their contracts with employers. “There will be only vague language such as ‘we respect your privacy,’” noted Edelheit.

“There’s always a significant potential for misuse of this information,” said Andrew B. Wachler, managing partner of the law firm Wachler & Associates in Royal Oak, Mich. “Be clear in any business associate agreement that health information is for the employer’s health care operations and not for the benefit of the business associate.”

Wachler added that employers should segregate wellness program data from other employee information. There should be no opportunity for managers to use health information when making employment decisions, which could lead to costly litigation.

“The onus is really on the employer,” said Boos. He urged HR professionals to develop a clear idea of what they want to accomplish with their wellness programs and to specify what the wellness provider can and cannot do with health information.

Edelheit stated that the volume of personal medical data will continue to grow as more Americans use wearable devices that measure their heart rate and other health conditions. Now used primarily for fitness, such devices are expected to become a big part of mainstream medical care, sending health information electronically to users’ doctors. “These devices will collect a lot of data,” he said. “No one is asking the question: What are they doing with the data?”

Experts suggest that HR professionals address the issue of medical information security proactively with workers. “Be really transparent with employees,” said Edelheit, who noted that if employees don’t trust their employer to protect their data, they won’t participate in wellness programs.

Any indication that workers’ health information has been sold or shared “could really adversely affect employee morale,” said Solander.

Chenoweth said severe penalties for violating HIPAA and other privacy laws should act as a deterrent to wellness providers tempted to sell individuals’ or companies’ health data. He added that most reputable wellness firms won’t jeopardize their reputation by sharing such information. “We don’t have a lot of charlatans” in the wellness industry, he stated. “The regulatory landscape is making companies of all sizes more vigilant.”

Steve Bates is a freelance writer in the Washington, D.C., area and a former writer and editor for SHRM.
