Al and I are very pleased to present our first guest post. This insightful essay, by privacy expert Anna Slomovic, explores a vital issue that, like so many important and complex things in wellness, gets ignored or dismissed. Our thanks to Anna for allowing us to post her work.
Most American companies, particularly large employers, now have wellness programs. These programs can have many different components, including detailed health risk assessments (HRAs) and biometric screenings, wearable fitness devices that count steps, and mobile apps that track what food employees buy or eat. When employees ask about the rules that govern use and disclosure of wellness data, the typical response is that the data is “kept private” and is “safe and secure.” Unfortunately, such general reassurances hide the complexity of the privacy rules for data in wellness programs. In fact, the data may travel more widely than wellness proponents may want us to know, and employees are unlikely to understand all the allowable uses and disclosures of the data.
One complication arises because a wellness program may be part of a health plan or may be separate from it, and different rules apply depending on how the program is structured. Another complication is that wellness data lives in different databases controlled by different companies, and the privacy rules that apply depend on who holds the data. The same data may therefore be under different protections in different places.
Let’s start with HRAs and biometric screenings for cholesterol or blood sugar, blood pressure, and weight. These wellness initiatives are most likely part of a health plan because they meet the definition of “medical care” in federal law. When data is part of a health plan, it is subject to the Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA), the main health privacy law in the United States. HIPAA permits many uses and disclosures for health-related purposes without requiring individual consent, including data analysis for health plan sponsors, outcomes evaluation, and development of treatment guidelines. Nevertheless, the HIPAA Privacy Rule imposes some meaningful use and disclosure protections for individuals. Among the most important in the employment context is the requirement that an employee must specifically authorize use of HIPAA-covered data for employment-related decisions. Employers comply with HIPAA requirements by hiring vendors to collect and analyze individual-level data and by having the vendors deliver only aggregate or statistical results.
Not all wellness initiatives meet the definition of “medical care,” and these initiatives can be offered inside or outside a health plan. For example, many employers have programs that offer employees discounts on wearable fitness devices, or points and rewards for taking a specific number of steps, using an app that tracks what food they buy or eat, or working out at a gym. These activities are not “medical care,” and can be offered as part of benefits unrelated to health, where HIPAA does not apply.
For non-HIPAA data collected through wellness programs, the only privacy rules that apply are what participating companies and employers devise. The privacy framework is even less robust for many fitness-related devices and apps. Many do not have privacy policies. Several studies show that even in cases where privacy policies exist, they often permit broad uses and disclosures, including operations, personalization, improvements to apps, devices and services, research, and marketing and promotion, all performed by the companies themselves or their partners.
Of course, the story does not end with data collected by individual companies. Data from apps and devices can be combined with other public or private data, and many device and app features depend on this. The other data might come from gyms (to verify attendance and workouts), supermarkets (to verify food purchases), vendors of rewards catalogs where rewards points can be redeemed for merchandise, or from companies that have historical weather data or list locations of restaurants and other types of businesses. By combining data from various sources, the device or app maker might be able to give feedback to the user about their monitored eating and exercise patterns, or notify the user about rewards for which she qualifies. Although all these companies collect, use and disclose data related to a wellness program, none is subject to the HIPAA Privacy Rule or probably to any other privacy law.
Robust wellness programs can build a detailed picture of an individual's life by combining data collected via HRAs, biometric screenings, devices, apps, activity on health portals, health claims, attendance records provided by employers, and public data. Employees will rarely know who has the data, what privacy rules apply, or what rights, if any, the employer has.
Simple reassurances that the data is “kept private” and is “safe and secure” are not nearly enough. Wellness programs need much greater transparency about their structure, participating companies, and data flows, policies, and practices. Only then can employees understand the true stakes of seemingly innocuous wellness programs. Employees also need the right to opt out of any wellness program, without penalty, on the grounds that they refuse to give up their privacy.
Anna Slomovic is a privacy consultant and scholar. She was formerly a Chief Privacy Officer of several companies in health and financial services. You can learn more about her at www.annaslomovic.com.