Whether it’s a wrist-worn activity tracker or an app on your telephone that counts your daily caloric intake, it is axiomatic that technology is an essential part of our everyday lives. All the while, these technologies are compiling data about our eating, exercise, and sleeping habits; data which can be analyzed to identify deficiencies and formulate plans for a healthier lifestyle. A trend has emerged in the workplace where, in an effort to reduce skyrocketing healthcare costs, companies are using such data to implement wellness programs for their employees. These companies are also providing incentives to employees, usually in the form of additional contributions towards a Health Savings Account or insurance deductible. Some companies even reward employees with gifts if their respective data demonstrates an improvement in a pre-determined health module such as blood pressure or weight-to-height ratio.
These programs and incentives are not without legal issues. Of paramount concern, the privacy of the employees’ health data must be protected. This is especially important where the data requested could be deemed “sensitive,” such as alcohol consumption and pregnancy plans. In order to comply with federal law, third-party providers who facilitate these programs generally share the data they compile with the companies that retain them. This becomes absolutely necessary should the company provide incentives for meeting certain health criteria, because the company must identify which employees were successful. Moreover, many of these third-party facilitators sell the data they compile to advertisers. Whether this data is protected by HIPAA is largely dependent upon the health plan administering the wellness program. See The Wall Street Journal, Tuesday, February 12, 2019, page A11, “Your Company and Your Fitness Data.”
The privacy concerns impact employer and employee alike. While wellness programs are designed for positive outcomes, both for health benefits and cost reductions, individual data is potentially exposed. The responsibility falls on both sides of the ledger — the employee should monitor personal data, just like a credit report should be periodically reviewed for accuracy, while the employer needs to take reasonable steps to protect the employee’s privacy and thus avoid legal exposure.