
Life Insurance, Wellness and Privacy

Wellness programs are coming to life insurance. These programs are structured similarly to programs offered by employers and health insurers. The individual who wants to buy and maintain one of these policies fills out a questionnaire about lifestyle and habits, submits to a screening for cholesterol, Body Mass Index (BMI) and other potential health risk factors, and sets up a fitness tracker to upload information about exercise to the life insurance company’s wellness vendor. Screenings are annual, but policy holders wear fitness trackers continuously. As long as the individual meets the goals set by the wellness vendor, she can enjoy rewards and premium discounts.

An applicant for life insurance completes an application and signs several data release authorizations. To make sure that the applicant is a good credit risk, a life insurer asks for an authorization to obtain a credit report. To verify information in the application and confirm generally good character, the insurer may order one or more consumer reports. To learn about the health risks associated with the potential insured the insurer asks for a physical exam and for an authorization to obtain medical records. These actions have been standard in individually underwritten life insurance for a long time.

Insurers use this information to evaluate the risk presented by the applicant and to determine the premium charged for the policy, the process known as underwriting. Wellness programs introduce a change in the traditional approach. Instead of relying on information collected during the underwriting process, the life insurer has continuing access to the information about the policy holder, including information about daily behavior and changes in health. Premiums will be adjusted to reflect the risks suggested by that new information.

Some people think that because life insurers collect health-related information, this information is protected under the Health Insurance Portability and Accountability Act (HIPAA). They don’t realize that HIPAA regulates specific types of organizations that hold the data, not the data itself. Life insurers are not “covered entities” under HIPAA, so HIPAA does not apply to them. Instead, they are financial institutions and must comply with the federal Financial Services Modernization Act of 1999, commonly known as the Gramm-Leach-Bliley Act (GLB) after its Congressional authors. GLB applies to insurance products obtained primarily for personal, family or household use. It requires insurers to protect nonpublic personal information of their customers, limit sharing of such information, and provide policy holders with annual privacy notices and the ability to restrict some information sharing. Life insurers regulated at the state level must also comply with state laws and regulations modeled on GLB.

GLB regulates personally identifiable information provided by a consumer to a life insurer, information that results from a consumer transaction or service, such as premium or claim payment, and information otherwise obtained by the life insurer. GLB does not regulate publicly available personal information, like information found in a phone book or a public record. The law regulates nonpublic information and information derived from it. For example, the law’s protections apply to a list of an insurer’s customers’ names and addresses: each name and address may be publicly available, but the fact that those people are the insurer’s customers is not. GLB also protects medical, financial and other information that an insurer collects during the underwriting process or during the life of the policy.

GLB permits financial institutions to disclose nonpublic personal information to other companies, but requires financial institutions to notify customers about the disclosures in their notice of privacy practices. The notices also tell customers how to request the financial institution not to make some disclosures about them, known as opting out. Because the federal law and different state laws implement these provisions somewhat differently, the exact requirements depend on where the consumer lives.

In order to share information with a wellness vendor, the life insurer takes advantage of the GLB provision permitting disclosure “necessary to effect, administer, or enforce a transaction authorized by the consumer.” The consumer who agrees to participate in a life insurer’s wellness program authorizes the sharing of information between the life insurer and the wellness vendor. The wellness vendor faces limits on further disclosure of the information it receives from the life insurer, but the details of this also vary by state.

Although both GLB and HIPAA protect health information, they do not give people the same rights. Under HIPAA, individuals have the right to request a copy of their records, to request an amendment if the record is wrong or incomplete, and to request a list of those to whom the information has been disclosed. The individual also has a right to request confidential communication, such as having test results sent to a different address or being contacted in a different way. GLB provides none of these rights.

Of course, when someone signs up for a wellness program connected with life insurance, the data flows to more than the insurer and the wellness vendor. Data from a fitness tracker or app goes to the tracker or app maker and to everyone with whom that company shares data. As I have written before, the device or app maker or the wellness vendor can combine data from trackers and apps with other public or private data. This other data might come from gyms (to verify attendance and workouts), supermarkets (to verify food purchases), or from companies that have historical weather data or list locations of restaurants and other types of businesses. By combining the data from various sources, the device or app maker or the wellness vendor can give feedback to the user about workouts, eating and exercise patterns, or notify the user about rewards for which she qualifies. If the makers of devices or apps combine the data, they are unlikely to be subject to any privacy rules except the ones they set for themselves in their privacy policies, if they have one. If a wellness vendor combines the data, it might be subject to GLB if it is under contract from a life insurer or to HIPAA if it is under contract to a health insurer or an employer’s health plan.

It is also important to remember that when one company discloses data to another, both have copies of the same data. Because different types of companies must comply with different laws, different regulations (or no regulations) can apply to different copies of the data. For example, the manufacturer’s uses and disclosures of device or app data are limited, if at all, only by its privacy policy. A copy passed to a wellness vendor might be subject to GLB if the wellness vendor acts on behalf of a life insurer, to HIPAA if the wellness vendor acts on behalf of a health plan, or only to the wellness vendor’s privacy policy.

Of course, the discussion so far covers only data uses and disclosures permitted under the law or described in a privacy policy. Data can also leave through unauthorized channels. GLB requires financial institutions, including insurers, to safeguard their customers’ information against hacking and other unauthorized disclosure. Recent history shows, however, that no organization is immune from data breaches.

Holders of individual life insurance policies have the opportunity to reduce their premiums, at least temporarily, by participating in the life insurer’s wellness program. In exchange, the insurer and its wellness vendor will be able to build up a detailed picture of the individual’s health and daily activities. Everyone offered this program must decide whether the tradeoff between the privacy risk and life insurance discount is worth it.
