Wellness Programs Raise Privacy Concerns over Health Data

An old New Yorker cartoon jokes that on the Internet, no one knows if you're actually a dog. If you were, though, health data companies would know it. They are able to synthesize streams of information about employees to compile very personal details.

Employees participating in a company’s wellness program may unwittingly be sharing too much information when they undergo health screening tests, for example, or wear a fitness tracker. Wellness program vendors can analyze the data to ferret out personal life developments, such as an employee trying to get pregnant.

Ensuring the privacy of employees’ personal health information, and tracking how wellness providers, health insurers and employers may use it, can be a tricky prospect for HR, given the different types of wellness programs and various laws covering them.

As wellness programs prompt employees to fill out online health surveys, wear Internet-connected fitness trackers, take biometric exams and even send in genetic material, privacy advocates are raising concerns about data mining and confidentiality of workers’ information.

“You cannot automatically assume that wellness programs are neutral programs designed to help employees manage and improve their health,” the World Privacy Forum (WPF) said in comments to a federal government agency earlier this year. “Wellness programs often collect and disseminate personal health information to an unknown and unknowable number of marketers, database companies, and other data profilers.”

The group, concerned about “the privacy of personally identifiable information collected and used in wellness programs,” noted that “much wellness program information” falls outside the protections of federal and state privacy laws.

“It is a serious concern that remains unaddressed at all levels,” according to World Privacy Forum Executive Director Pam Dixon.

Few employees truly understand the risks to their personal data as a result of participating in some corporate wellness programs, and HR professionals may not realize the privacy implications, she said.

“The bottom line is, there are pieces of this that are not regulated,” Dixon told SHRM Online.

Is Big Brother Watching?

As CNN reported last year, employees of the city of Houston balked when asked to provide a wellness vendor information about their medical and drug history and other private matters. The authorization form noted that the company could share the data with third-party vendors and that the information might cease to be protected by privacy law. Employees could choose not to participate in the health-risk assessment, but it would cost them an additional $300 a year for health coverage, CNN reported, noting that the objections prompted the city to choose a different program.

The Wall Street Journal reported recently that some employers are using firms to gather a variety of data to predict which employees are at risk for certain conditions. Employees might then receive messages encouraging them to take steps to prevent health problems.

One wellness firm predicts which employees might be trying to get pregnant, in part by checking for those who have searched for fertility information on its app, the paper reported.

The subsequent customized health messages from wellness firms don’t always go over well.

The World Privacy Forum has heard complaints from women whom vendors have contacted with pregnancy-related messages “in the creepiest ways,” Dixon told SHRM Online, noting that some received prompts asking if they wanted to buy prenatal vitamins or schedule a doctor’s appointment. Some received such messages after having had a miscarriage, she said.

HIPAA and Wellness Plans

A labyrinth of regulations covers (or doesn’t cover) wellness programs and employers’ responsibilities surrounding these offerings. As an example of how confusing the rules can be, the sweeping U.S. medical privacy law—the Health Insurance Portability and Accountability Act, or HIPAA—doesn’t cover all wellness programs, but it does apply to those that are offered as part of an employer’s group health plan.

Personal health information collected by wellness programs offered through employer health plans is not allowed to be used or shared for employment-related decisions or other purposes prohibited by HIPAA, such as marketing without the employee’s express permission, according to the Department of Health and Human Services. Wellness programs offered directly by the employer, not through a health plan, aren’t covered by HIPAA privacy protections but may be subject to other laws.

If a worker participates in a wellness program offered through the company’s health plan, “the health plan will be running that under HIPAA, so that’s a good thing, but you still really need to watch everything because the wellness programs are really complicated,” with lots of moving parts and different arrangements, Dixon said.

The Affordable Care Act, the Americans with Disabilities Act and the Genetic Information Nondiscrimination Act (GINA), as well as state laws, also apply to wellness programs. The U.S. Equal Employment Opportunity Commission (EEOC) is currently considering changes to its GINA regulations governing the programs.

In addition, the federal government distinguishes between different types of wellness programs, with different regulations applying depending on the classification.

The Affordable Care Act allows group health plan wellness programs to provide substantial financial rewards, up to a point, for employees who participate or meet certain health milestones. Employers are increasingly offering incentives for workers to complete health-risk assessments or biometric screenings for information such as body mass and blood pressure, Kaiser Family Foundation Senior Fellow Karen Politz told SHRM Online.

“It has raised questions among some people about how much are wellness companies engaged in data mining,” she said.

If a health plan wellness program gives an employee $50 to use a fitness tracker, the information on the device should be HIPAA-protected but the health insurer may track the worker’s activity, Dixon said. On the other hand, if a program administered through a company benefits department gives a worker $50 to buy the same device, the data may not be HIPAA-protected but the health plan probably won’t track it, she said.

Wellness Programs Proliferate

In efforts to promote health and reduce costs, most big companies that provide health insurance to employees also offer some kind of wellness program, and many offer incentives to participate, the Kaiser Family Foundation noted in an issue brief posted earlier this year that details the various federal laws and proposals governing workplace wellness programs.

The wellness industry is booming, growing from a reported $1.8 billion in revenue five years ago to $8 billion and 5,600 vendors now, according to the foundation.

Federal law requires that employer wellness programs be voluntary and generally prohibits employers from asking about workers’ health status, the Kaiser Family Foundation notes on its website. There are exceptions, however: Medical exams and inquiries about employees’ health status are allowed if they are part of an employer’s voluntary wellness program.

The voluntariness of wellness programs “is an area that is up for profound review” by the EEOC, Dixon said. The EEOC in 2014 “brought enforcement actions against several employers that penalized workers who would not participate in wellness programs that included medical inquiries,” the Kaiser Family Foundation noted.

“What is truly voluntary? This question is at the heart of the EEOC proposed rulemaking,” Dixon said.

Privacy advocates are concerned about what happens to employees’ personally identifiable health information in the workplace and beyond. Employees must give consent before a wellness program may view their health claims, “but many employees do give consent routinely,” according to Dixon.

While firewalls are supposed to prevent employers from seeing workers’ identifiable health data, information can spill into the workplace anyway, she said.

“The way a lot of health information leaks into the employment context is through fitness devices [and] competitive wellness programs where social media is used to keep tabs on steps or improvements,” Dixon said. “The social media items are done with consent, but the issue is how voluntary these things really are when everyone is doing them.”

Management attorney Kate Bischoff, SHRM-SCP, of Zelle LLP wrote on her firm’s blog that, besides posing potential legal issues for employers, intrusive programs can hurt employee morale.

“Offering a wellness program does not require an employer to gather or use employee health information. Employee health information gathered from any source, for any reason, must be kept separate and secure,” Bischoff wrote. Data collected by a wellness program, she said, “should, whenever possible, be kept by the wellness program vendor and inaccessible to the employer.”

Dinah Wisenberg Brin is a freelance writer based in Philadelphia. Reach her on Twitter @dinahwbrin.