Corporate wellness vendors are on track to become a $12 billion industry by 2020, according to research firm IBISWorld. With employers increasingly utilizing these vendors' wellness programs, pushback has emerged from some employees and privacy experts over employees being asked to share health data with companies that may or may not be bound by HIPAA who may potentially use or share the data with other vendors for other purposes.
“Whether or not that information stays private is anything but clear,” according to research by Kaiser Health News.
It reports wellness programs offered independently from an employer’s group health plan are not covered by HIPAA, and even under HIPAA-covered programs, some designated managers at a workplace may be authorized to view health reports that include identities.
It is appropriate that attention is being drawn to the issue, say both legal experts and some wellness industry insiders.
“There are valid privacy concerns with corporate wellness programs, and the case law is evolving,” Caleena Svatek, a healthcare attorney in the Dallas office of Chamblee Ryan, told Healthcare Dive.
She notes wellness programs are increasingly seeking more specific and detailed health data from participants, and agrees this raises concern about how that data is being used--for example, whether it might impact personnel decisions or be shared by the wellness company with other third-party vendors.
“To allow a wellness program to circumvent HIPAA is likely going to be problematic and could expose employers to litigation,” Svatek suggested.
A key issue is whether an employer’s program is truly voluntary, which can become a murky area when major financial incentives are involved, or workers fear unofficial repercussions for lack of participation. If employees are essentially forced into participating, that raises questions about their consent to share personal health information, Svatek said.
She added the additional sharing of data increases security risks for healthcare data. “Given the vulnerabilities of cyberhacking, and that the medical record may contain personally identifiable information such as a Social Security number, the identity theft dangers can snowball,” she said.
Fred Charlot, director at Berkeley Research Group, LLC, suggests more regulation may be in order.
“These concerns are not being overblown and could drastically impact the lives of the individuals dealing with sensitive mental and physical health issues,” he said. He suggests individuals may be too preoccupied with program incentives to ask the right questions about the risks associated with the management of their health data.
“Some claim there are other state and federal laws protecting the employee, but I would contend none are as clear as those specified in HIPAA,” Charlot added. He believes HIPAA regulations should be extended to companies that directly offer wellness programs separately from group health plans. “This would firewall the individuals managing these programs from the rest of the company,” he said.
Some stakeholders are looking to address the concerns from within the wellness industry, notes Cathy Kenworthy, CEO of Interactive Health, which describes itself as an independent provider of workplace wellness programs.
“I personally believe these are vital issues,” she said.
Kenworthy points toward industry associations already equipped to articulate industry positions around these topics and to provide credentialing. With just a few clicks using the National Committee for Quality Assurance's (NCQA) online Wellness & Health Promotion Report Card, employers can see how a wellness vendor is performing. She calls NCQA's process exhaustive and says it covers issues including privacy and third-party data management. “I think that’s an easy and very transparent resource,” she said.
Kenworthy added Interactive Health is credentialed by the American Hospital Association (AHA), one of many associations she says can play a role in setting industry standards, and her company supports the Health Enhancement Resource Organization (HERO), a think tank working on an industry position on these topics.
“I think there is so much good that is done through these programs,” Kenworthy says. “We truly save people’s lives, and we change people’s lives in ways that are truly significant, and it’s important there’s high integrity instead of guardrails and parameters around the work that we do.”