Employee wellness programs are hyped as a perk for employees and a cost-saver for employers. But a privacy advocate urges HR executives to proceed with caution.
Once a rarity, workplace wellness programs have become commonplace over the last decade. They are especially popular within the healthcare industry, with 99% of healthcare employers offering some kind of program.
Typically, these programs include physical and/or mental health screenings, smoking cessation programs, and yearly flu shots. Employees who are willing to participate are usually offered incentives, such as free gym memberships or discounts on health insurance premiums.
Employers like wellness programs because they promise lower costs on health insurance and a potentially happier, healthier workforce who will take fewer sick days.
But there's a dark side. "One of the big problems is that workplace wellness programs believe themselves to be outside of any kind of laws," says privacy advocate Deborah Peel, MD, founder and chair of PatientPrivacyRights.org. The group advises companies on how to keep sensitive information private.
Given the downright personal nature of the information these programs gather on their participants, the lack of protections is astonishing.
1. Wellness Programs Not Covered by HIPAA
"The programs ask all kinds of things about how you live your life," says Peel. This may include smoking and drinking habits, whether or not participants are sexually active (and if so, how many partners they have had in recent years), medical history, and what medications have been prescribed.
While most of us are used to having such personal information protected by confidentiality laws, that's not the case when it comes to wellness programs. "It's very important to understand that most health information is not covered by HIPAA. The HIPAA laws cover information you share with your doctor, but not workplace wellness programs."
Should an employer expect employees to bare their souls and answer very personal questions about their relationships and activities outside of work in exchange for no promise of privacy?
Relinquishing such information could create the opportunity for employees to claim that the data was later used against them in a discriminatory fashion. And employees who refuse to participate potentially create an additional concern for HR.
2. Data at Risk / Data Sharing
Here's a disappointing story from the front lines of the data security wars: The names, birth dates, and contact information of more than 14,000 participants in wellness programs administered by the StayWell Company were exposed in a hack earlier this year. While no medical or financial information was leaked, it's still unsettling news.
Don't let the lack of big headlines around security breaches at these companies fool you: While there have been few stories of wellness programs being hacked, that is partly because they are not required to report security breaches, as they are not governed by HIPAA, explains Peel.
Additionally, many wellness companies have repackaged the employee data they have been entrusted with and resell it, unbeknownst to the employees or their employers. "They believe they can do what they want with the information," she adds. Employers should read the contracts carefully.
3. No Trust, No Disclosure
There's no way to sugar coat this: If employees don't trust the workplace wellness program, they won't be honest about their habits, medical conditions, or lifestyle choices.
"A lack of privacy has big effects," says Peel. "When people know things are not private, they actually lie, or delay, or avoid treatment, and the public is growing more and more aware that they can't trust these systems."
What is the point of promoting a smoking cessation program if employees are lying about quitting? What is the point of offering counseling for stress management if employees are afraid to take advantage of it?
Why survey employees on how many medications they take or what chronic conditions they have if their reward for candor will be, at best, getting inundated with ads targeted to people who suffer from the same conditions, or potentially having their personal information leaked on the Internet?
Organizations determined to use a wellness program should ask the provider to prove that its data security practices are sound. "At the very least," says Peel, "the company should provide proof of an external audit showing the level of security they have, that intrusion testing has been done. Make any companies you use divulge the exact details of the intrusion testing."
"They should also be able to meet HIPAA standards, even if they don't technically apply to them," she suggests.
Ultimately, Peel advises that human resources leaders ask themselves whether a break on insurance costs or other benefits truly outweighs the potential for damage to employees' privacy. "The violation of trust—that's the big thing," she says.
Lena J. Weiner is an associate editor at HealthLeaders Media.