WPF files comments on wellness programs and privacy: urges EEOC to address privacy challenges

The World Privacy Forum filed comments about wellness programs and privacy impacts to the Equal Employment Opportunity Commission (EEOC). Many Americans take part in employer wellness programs, and they are increasingly and justifiably concerned about the sensitive information these programs are gathering, sometimes in return for incentives such as discounts on pricing for health insurance.

In our comments, we supported the portions of the proposed EEOC rules that are positive and privacy protective, and we expressed concerns and made suggestions for areas that need attention. Our comments focused on fairness, privacy and sensitive personal information, due process, voluntariness, and the impact of the Internet of Things.

Most wellness information is not covered under HIPAA

One concern we addressed in the comments was about the privacy of personally identifiable information that is collected and used in employer wellness programs. Much wellness information falls outside of the protections of the privacy and security rules of the Health Insurance Portability and Accountability Act (HIPAA). Much wellness program information also falls outside of the protections of other federal and state privacy laws.

Individuals often erroneously think that the HIPAA rules protect the privacy of any health information, and they may let their privacy guard down as a result. This is particularly true of wellness programs, and it is a serious concern that remains unaddressed at all levels. We urged the Commission to address this issue.

Programs may not be truly voluntary

We agreed with the Commission’s concerns that wellness programs may not be truly voluntary. WPF is concerned that a certain percentage of individuals will be unable to meet wellness program requirements for valid reasons such as pregnancy, disability, allergy, temporary illness, family emergencies, or travel. But some individuals will also opt to not participate for non-medical reasons, such as religious objections. We therefore supported the Commission’s proposal to include participation-based incentives in the 30 percent overall limit on wellness incentives.

Additionally, because we believe that incentives for participation in wellness programs should only be positive ones, we recommended that the Commission’s rules ban negative incentives that impose additional costs on non-participating employees. If all incentives are positive, then the problem of offering incentives to employees who cannot participate in wellness programs for medical (or religious) reasons is a smaller concern.

Notifying people about how their sensitive information is used

In its proposal, the Commission discussed new rules for notification to wellness program participants that the wellness information may be used by secondary parties. We urged the Commission to provide notice, and to go further and provide true agency and rights to individuals. We wrote:

The best outcome would be a rule that all non-program uses and disclosures require the informed and affirmative consent of each affected individual, including spouses and children who can lawfully have a say in their own health care.

Internet of Things and wellness programs


We also urged the Commission to think about the way devices are interacting with wellness programs, as well as the Internet of Things. The IoT promises to connect sensors to smartphones to smart homes to smart cars and other sensor-rich items such as health and fitness monitoring devices. As such, the IoT is set to become a way that health monitoring can be seamlessly integrated into an individual’s daily life, and fitness and health-related wearables as part of this equation are forecast to grow substantially, driven in part — some research indicates driven largely — by wellness programs.

As the IoT rolls out, wellness programs could be expanded in both the scope and precision of tracking. It is reasonable to forecast that some wellness programs tied to IoT platforms will develop both as part of health plans and independently of health plans.

For the full comments, see WPF Comments to EEOC on wellness programs and privacy (PDF)