Are Workplace Wellness Programs a Privacy Problem?
What you must know about these perks and your personal information
Workplace wellness programs—promoted as a way to foster healthy behavior and encourage preventive care—are having a moment.
Last year, 84 percent of larger companies (those with 200 employees or more) and 50 percent of smaller ones offered some type of wellness program, according to the Kaiser Family Foundation’s 2019 survey of workplace benefits. By some estimates, workplace wellness is an $8 billion industry.
And having access to a wellness program at work—one that may help you lose weight, get in shape, quit smoking, or otherwise improve your health—sounds like a welcome benefit. Especially if it comes with financial incentives, such as gift cards, merchandise like fitness trackers, cash, contributions to health-related savings accounts, or a discount on your health insurance. The 2019 Kaiser survey found that of firms with wellness programs, 41 percent of large companies and 15 percent of small companies offered employees a financial enticement to participate in or complete the program.
Some companies offer lunchtime walking groups and on-site exercise or nutrition classes. They may also provide employees with wearable fitness trackers to record information such as daily steps and hours of sleep.
How Do the Privacy Laws for Workplace Wellness Programs Work?
In many cases, wellness programs are run by the health insurance plan an employer offers its employees. But some companies hire outside vendors to set up and oversee their wellness offerings.
And when it comes to your privacy, there’s a big difference. If a program is run through your company’s health insurance plan, HIPAA (Health Insurance Portability and Accountability Act of 1996) privacy rules apply. (Other federal or state laws may also apply.)
This means that just like your doctor’s office, the health insurance company running the program is legally required to keep your personally identifiable health information—info that can be linked to you or used to identify you—private.
If your company is self-insured (common for larger workplaces) and offers a wellness program through that self-administered health plan, it’s also subject to HIPAA rules. (One exception: if the plan has less than 50 participants.)
But if the program is run by an outside vendor, as many are, HIPAA rules don’t apply. “Independent wellness vendors aren’t really regulated at all,” says Dara Smith, an attorney with the AARP Foundation. “You are basically trusting them not to share your health data with your employer.”
In addition, if an independent vendor is running your company’s wellness program, that vendor can legally share or sell your data to advertisers or other companies.
What this might mean: Say, for instance, you noted in your health questionnaire that you’re trying to get pregnant. You may start receiving pop-up ads or email for products like ovulation prediction kits. This is legal but might feel like an invasion of privacy to some.
Will These Programs Help Your Health?
But while these kinds of studies can make associations, they can’t prove that one thing (participating in a wellness program at work) causes another (such as lower cholesterol levels).
Studies where people are randomly assigned either to a wellness program or not may give us better evidence about effectiveness. One such study, published last August in The Quarterly Journal of Economics, found that participating in a workplace wellness program brought little in the way of benefits.
For the study, researchers developed a wellness program called iThrive at the University of Illinois at Urbana-Champaign. When they evaluated it based on 42 health, financial, and work-related outcomes, they found positive effects in only two areas: Participating employees were more likely to report that they’d ever had a health screening and that their employer prioritized their health and safety. The latter benefit disappeared after a year.
As the authors write, “The iThrive wellness program increased lifetime health screening rates but had no effects on medical spending, health behaviors or employee productivity after 30 months.”
Another 2019 workplace wellness program study, this one published in JAMA last April, looked at almost 33,000 employees at BJ’s Wholesale Club over 18 months.
It found that in workplaces with a wellness program, 8.3 percent more employees reported exercising regularly and 13.6 percent more said they were actively managing their weight. But the research didn’t find any positive effects on health measurements such as blood glucose or blood pressure, spending on healthcare, or absenteeism rates.
There may have been an issue with this research, too. The study was too short for results to be meaningful, according to Ron Goetzel, Ph.D., vice president at IBM Watson health and a senior scientist at Johns Hopkins Bloomberg School of Public Health in Baltimore. “The time horizon was 18 months, which, historically is not long enough,” he says. “In many of the studies we’ve done, it typically takes three to five years to see an impact on risk reduction, disease incidence, healthcare costs, and productivity.”
What About Financial Incentives?
Getting a “bonus” of some kind for taking part in a wellness program seems like a motivating factor. But some experts say that connecting such programs to, say, discounts on insurance muddies the waters of what’s truly voluntary.
“If employees want to participate and share their health information, it has to be a free choice, not a coerced decision,” says Smith at the AARP. “If the penalty for not participating is that your health insurance premiums will be higher, employees may feel like they have to share their health information in order to save money.”
What Should You Do?
That depends, in part, on what you’re hoping to achieve. Taking advantage of activity-based offerings like worksite exercise classes or healthy-eating talks has few, if any, downsides. But if you are signing up for any program that involves sharing detailed health information or taking medical tests, or it has a financial incentive tied to the outcome, experts urge caution.
“The first question to ask is whether the program is covered [or a covered entity] under HIPAA,” Dixon says. “And that means ‘covered,’ not just HIPAA-compliant.” The latter isn’t meaningful as a privacy protection, she says.
Dixon also suggests determining whether the program is activity-based (like yoga or cooking classes) or outcome-based, meaning it uses your data for health risk assessments, tests, or questionnaires. The latter has far more potential to cause privacy problems, she explains.
Be cautious about programs that are competitive, such as workplace “Biggest Loser”-type offerings, Goetzel says. “I’m also wary about pure incentive programs, which are becoming much more popular, like those that pay you to lose weight,” he adds. “Money can get your attention, but there’s not a lot of research on how it works long-term to get people to lose weight, quit smoking, or manage stress.”
It’s reasonable to check the program’s privacy policies, too, and to know that if you choose to participate, you don’t have to answer every question asked of you or take every test.
And last, the goals and recommendations of a wellness program may not align with your personal healthcare decisions. “If something you’re being asked to achieve in your workplace wellness program is unhealthy in your doctor’s opinion, you shouldn’t be required to do it,” Kirkland says. “Wellness programs should never replace or supersede your doctor’s advice.”