How Wellness Programs Threaten Privacy

Would you be comfortable sharing sensitive health and lifestyle information with a representative of your employer? Would you tell them about your sexual activity, seeing a psychotherapist, sources of professional and personal stress, or potential violations of the law such as driving without a seatbelt or after having had a couple of glasses of wine? This, and more, is the information employers ask their employees to disclose to vendors managing employer-sponsored wellness programs. In some cases, employees who decline to provide such information must pay penalties or the full cost of health insurance that employers subsidize for their more compliant colleagues.

On December 16, 2014, Bloomberg published an article about employees’ privacy concerns with wellness programs. Supporters of wellness in the workplace respond to such concerns predictably and somewhat disingenuously. They say that the HIPAA Privacy Rule protects the information, that wellness vendors have strong security controls, and that employers get only aggregated data. Unfortunately, these responses do not address the variety of privacy threats that arise from the data being collected in wellness programs. Let us examine several of them.

Privacy versus the wellness vendor(s)

When employees disclose health information to wellness vendors, they no longer have privacy with respect to the vendor. As Kimberly Blockett of Penn State University pointed out, “For me, discussing my reproductive plans with an unknown entity at an insurance company does not constitute private.”

Once collected, the information becomes available to wellness vendor employees, contractors and business partners, including data analysts, health coaches, disease managers and nurse advisors. If the wellness program includes mobile apps and wearable fitness trackers, the data also goes to app and device makers and a variety of companies that analyze the behavior of apps, trackers and their users. It is not clear exactly how many companies might get some or all of this data because wellness program privacy policies describe the flow of data only in the most general terms. (Most people don’t read privacy policies, but that’s a separate issue.) Simple references to HIPAA and security controls fail to address this privacy threat.

Privacy versus the employer

When wellness programs are part of the employer’s health plan, the information is subject to the HIPAA Privacy Rule, which imposes some limits on use and disclosure of health data. Among the most important of these in the employment context is the requirement that an individual provide specific authorization for disclosure of HIPAA-covered data for employment-related decisions.

Nevertheless, employers have ways of gaining information about participation in wellness programs without violating HIPAA. Some of the more popular wellness “engagement” strategies these days are gamification and social influencing. Social components, such as challenges or competitions between co-workers or departments, can allow employers to identify employees who are not “team players.” This can create an atmosphere in which individuals feel pressure to participate or face the possibility of social and professional sanctions.

In August 2014 the EEOC filed suit against Orion Energy, claiming that Orion fired an employee because she declined to participate in Orion’s wellness program. Orion claims that the dismissal had nothing to do with the wellness program, and it may be difficult to prove a direct connection. Nevertheless, this does not mean that unwillingness to participate in wellness programs does not influence the way managers view and rate employees.

Privacy versus non-wellness third parties

Once collected, data becomes available for purposes unrelated to its initial collection. As I wrote in an earlier post, wellness programs can build an exceptionally detailed picture of an individual’s life. Subject to some legal limitations, these new data pools may be accessed by law enforcement, divorce and personal injury lawyers, and others who discover their existence. Requests can be made through legal processes, and the vendors who hold the data may be required to provide it. When similar data is collected within the doctor-patient relationship, patients get some privacy protection as a result of the doctor-patient privilege, but there’s no similar privilege for wellness vendors.

Privacy versus unauthorized users and the public at large

When wellness vendors mention their security controls, they say, in effect, that they protect the data from hackers and prevent it from becoming public without authorization. However, these assurances ring rather hollow in view of the many highly publicized security breaches in the past couple of years. As the Bloomberg article points out, medical information is of higher value than purely financial information, so hackers have greater incentives to go after it. And they have. Such incentives will only increase as the amount and richness of wellness data increases.

Wellness programs and privacy risks

So what does all this tell us? Wellness programs present a variety of privacy risks that employers and wellness vendors ignore, minimize, or fail to discuss. People decline to participate in such programs because they are concerned about their privacy, not because they are paranoid or because they are bad corporate citizens. They simply consider the risks unacceptably high.

Originally published on LinkedIn on January 1, 2015