Achieving wellness should not mean sacrificing personal privacy and security

Al and I are very pleased to present our first guest post. This insightful essay, by privacy expert Anna Slomovic, explores a vital issue that, like so many important and complex things in wellness, gets ignored or dismissed. Our thanks to Anna for allowing us to post her work.

Most American companies, particularly large employers, now have wellness programs. These programs can have many different components, including detailed health risk assessments (HRAs) and biometric screenings, wearable fitness devices that count steps, and mobile apps that track what food employees buy or eat. When employees ask about the rules that govern use and disclosure of wellness data, the typical response is that the data is “kept private” and is “safe and secure.” Unfortunately, such general reassurances hide the complexity of the privacy rules for data in wellness programs. In fact, the data may travel more widely than wellness proponents may want us to know, and employees are unlikely to understand all the allowable uses and disclosures of the data.

One complication comes because wellness programs may be part of a health plan or may be separate from a health plan. Different rules apply, depending on a program’s structure. Another complication is that wellness data exists in different databases controlled by different companies. The privacy rules that apply depend on who holds the data. The same data may be under different protections in different places.

Let’s start with HRAs and biometric screenings for cholesterol or blood sugar, blood pressure, and weight. These wellness initiatives are most likely part of a health plan because they meet the definition of “medical care” in federal law. When data is part of a health plan, it is subject to the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), the main health privacy law in the United States. HIPAA permits many uses and disclosures for health-related purposes without requiring individual consent, including data analysis for health plan sponsors, outcomes evaluation, and development of treatment guidelines. Nevertheless, the HIPAA Privacy Rule imposes some meaningful use and disclosure protections for individuals. Among the most important in the employment context is the requirement that an employee must specifically authorize use of HIPAA-covered data for employment-related decisions. Employers comply with HIPAA requirements by hiring vendors to collect and analyze individual-level data and by having the vendors deliver only aggregate or statistical results.

Not all wellness initiatives meet the definition of “medical care,” and these initiatives can be offered inside or outside a health plan. For example, many employers have programs that offer employees discounts on wearable fitness devices, or points and rewards for taking a specific number of steps, using an app that tracks what food they buy or eat, or working out at a gym. These activities are not “medical care,” and can be offered as part of benefits unrelated to health, where HIPAA does not apply.

For non-HIPAA data collected through wellness programs, the only privacy rules that apply are what participating companies and employers devise. The privacy framework is even less robust for many fitness-related devices and apps. Many do not have privacy policies. Several studies show that even in cases where privacy policies exist, they often permit broad uses and disclosures, including operations, personalization, improvements to apps, devices and services, research, and marketing and promotion, all performed by the companies themselves or their partners.

Of course, the story does not end with data collected by individual companies. Data from apps and devices can be combined with other public or private data, and many device and app features depend on this. The other data might come from gyms (to verify attendance and workouts), supermarkets (to verify food purchases), vendors of rewards catalogs where rewards points can be redeemed for merchandise, or from companies that have historical weather data or list locations of restaurants and other types of businesses. By combining data from various sources, the device or app maker might be able to give feedback to the user about their monitored eating and exercise patterns, or notify the user about rewards for which she qualifies. Although all these companies collect, use and disclose data related to a wellness program, none is subject to the HIPAA Privacy Rule or probably to any other privacy law.

Privacy regulations in the US apply to specific sectors of the economy like healthcare or finance. When data is disclosed, the recipient gets a copy while the disclosing company keeps its copy. Therefore, if data legally moves between sectors, different rules (or no rules) apply to different copies of the data, depending on who has them. For example, several companies would have data from a fitness tracker or app linked to a wellness program. One copy would remain with the device or app manufacturer, who could use and disclose the data in accordance with its privacy policy. A copy passed to a wellness vendor might be subject to the HIPAA Privacy Rule if the wellness vendor is acting on behalf of the health plan, or may be subject only to commercial rules if it is not.

Robust wellness programs can build a detailed picture of an individual life by combining data collected via HRAs, biometric screenings, devices, apps, activity on health portals, health claims, attendance records provided by employers, and public data. Employees will rarely know who has the data, what privacy rules apply, or what rights, if any, the employer has.

Simple reassurances that the data is “kept private” and is “safe and secure” are not nearly enough. Wellness programs need much greater transparency about their structure, participating companies, and data flows, policies, and practices. Only then can employees understand the true stakes of seemingly innocuous wellness programs. Employees also need the right to opt out of any wellness program, without penalty, on the grounds that they refuse to give up their privacy.

Anna Slomovic is a privacy consultant and scholar. She was formerly a Chief Privacy Officer of several companies in health and financial services. You can learn more about her at



  1. Jon says:

    Great article – thanks guys – Jon


  2. Mitch says:

    Great post on an important topic. Anything digital is not secure. The only question is when the hack, leak, theft or whatever will come.


    • whynobodybelievesthenumbers says:

      Staywell already had one. They weren’t exactly forthcoming about it, in keeping with their usual standard of integrity. Fortunately people tend to lie to wellness vendors, so whoever hacked into Staywell would be very disappointed.


  3. John R Baruffi Sr says:

    Great article… As long as those of us who are in the wellness field remember our primary purpose is that of educating, the privacy of another should never be an issue.


    • whynobodybelievesthenumbers says:

      Thank you and I’ll pass along to Anna to check the comments — this is our first guest post and I’m glad you and others are appreciating it. If you have an interesting viewpoint on an aspect of wellness that hasn’t been well-covered, we would be happy to consider it as well. (Next week it’s back to our usual snarky whistleblowing. So many scoundrels, so few electrons on the internet…)


In the immortal words of the great philosopher Pat Benatar, hit me with your best shot.
