Data Privacy and Workplace Wellness

The following article does NOT constitute legal advice and should not be used as such. It is for educational purposes only. Readers should retain legal counsel to obtain definitive answers.

You may have heard me say repeatedly that securing and maintaining the privacy of any employee health information wellness program professionals collect should be a priority. Employees care about the privacy of their information. Any doubt about a wellness program’s privacy and security capabilities can undermine an employee’s willingness to participate in the program.

A recent Issue Brief by the Kaiser Family Foundation found that in 2016, only 41% of workers at large firms that offer a health risk assessment (HRA) actually participated in the screening. One commonly cited reason for the lack of participation is employee concern for the privacy of their personal information.

According to the Issue Brief, wellness program HRAs typically include questions about health risks or conditions which people may consider sensitive, especially in a workplace context. For example, HRAs commonly ask whether and to what extent individuals feel stress, anxiety or depression, whether and how frequently individuals consume alcohol or use illicit drugs, information about current prescription drug use and other medical treatments, and, for women, whether they are pregnant or contemplate pregnancy in the coming year.

Despite employee concern about their health information privacy in the workplace wellness context, overall the legal community has paid little attention to the risks involved with collecting and storing employee health information by workplace wellness programs. The Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules do not always apply to workplace wellness programs. In particular, the federal Office of Civil Rights (OCR) considers workplace wellness programs that function outside a group health plan to not be subject to HIPAA privacy and security rules. Regardless of whether OCR’s assessment is accurate, it is the enforcement agency for HIPAA privacy and security compliance, so adhering to its guidance is a good idea.

Privacy is important, and addressing it can be essential to workplace wellness program success. Investing the time and resources to ensure that employees are comfortable with your wellness program protections may make the difference between an employee’s participation and opting out.

What this means is that there are gaps in the law with regard to protecting employee health information collected and stored by workplace wellness programs. True, the Americans with Disabilities Act (ADA) and Genetic Information Nondiscrimination Act (GINA) apply to workplace wellness programs that collect employee health information regardless of group health plan status. However, those laws mainly require the employer to keep employee health information confidential and stored in a file separate from the employee’s other personnel information. See e.g., 29 CFR § 1630.14(d)(4); 29 CFR § 1635.9(a)(1). They do not contain robust security protections for unauthorized uses and disclosures like the HIPAA privacy and security rules.

This leaves the workplace wellness industry to its own willingness to adopt privacy and security policies and procedures that will address employee privacy concerns. Even though many workplace wellness programs are not subject to HIPAA privacy and security rules, they can use those rules as a guide in developing such policies and procedures. But, I think employers should go even further. HIPAA only protects “protected health information” or “PHI.” It does not protect de-identified health information. Yet, with all the data that is being collected from various sources such as Google searches, social media, wearable technology, mobile apps, government websites and others, it is getting easier and easier for those who work with assembling data from these sources to re-identify information. These “data brokers” then sell the data sets to marketers, government entities, lenders, technology companies, to name a few.

So, what should workplace wellness programs do to adequately protect employee health information? Here are a few suggestions:

1. Don’t collect employee health information. There are alternatives to traditional HRAs that do not ask employees to answer personal health questions. Quizzify offers one example.
2. If capturing baseline employee health information is important to your wellness program, however, adopt relevant HIPAA privacy and security policies and procedures, even if the law does not technically apply to your program.
3. Once you do adopt HIPAA policies and procedures, make sure you follow through on what those policies and procedures say. The Federal Trade Commission Act (“FTC Act”) prohibits most organizations, including most organizations with wellness programs, from engaging in deceptive or unfair acts or practices. This means that companies must not mislead consumers about what is happening with their health information. See https://www.ftc.gov/tips-advice/business-center/guidance/sharing-consumer-health-information-look-hipaa-ftc-act.
4. Tell employee participants in workplace wellness about your privacy and security practices. Let them know you take the privacy and security of their health information very seriously. Do not bury your commitment to privacy in small print or hidden places. Take pride in your commitment.

Privacy is important, and addressing it can be essential to workplace wellness program success. Investing the time and resources to ensure that employees are comfortable with your wellness program protections may make the difference between an employee’s participation and opting out.

Barbara J. Zabawa
President of the Center for Health and Wellness Law, LLC
wellnesslaw.com