Employees face significant privacy risks when invited to participate in an employer-sponsored wellness program, according to reports airing in October on CNN and NPR. The CNN report, prepared by Kaiser Health News, begins with a description of the dilemma encountered by employees of the City of Houston when compelled to participate in a new program or pay an extra $300 per year for health insurance. It also notes that a web of entities besides wellness providers may receive employee health information, including rewards companies, employers, health insurers, fitness app companies, wearable device makers, medical test labs, fitness centers, advertisers and unidentified third parties and agents. HIPAA privacy laws generally do not protect information generated via wellness programs. Uncertainties about who will have access to wellness data and what limitations exist upon their use and further disclosure of that data are also highlighted in the NPR report entitled “7 Questions to Ask your Boss about Wellness Programs.”
The privacy risks involved with increasingly trendy health-related wearables, which are often one of the components of wellness programs, were also underscored during October, when the Consumer Electronics Association (CEA) released its 5-page Guiding Principles on the Privacy and Security of Personal Wellness Data. These voluntary guidelines for private-sector organizations that handle the type of data produced by wearable technologies include recommendations in eight areas: security; policy and practice; concise notice; unaffiliated third party transfers; fairness; personal data review, correction and deletion; advertising communications; and law enforcement response. In spite of the potential benefits of wearable devices, a variant of long-familiar consumer advice is appropriate: Wearer Beware.