- On April 16, 2018
Wearable wellness devices, like FitBits and other fitness trackers, are making a big difference in improving people’s health and activity levels, and they are also a hot trend in employer-sponsored wellness programs. However, employers that incorporate wearable technology that collects biometric data from employees into their group health benefit plans need to be cognizant of privacy and data security concerns and potential liabilities.
A 2017 survey of 8000 employers revealed that 35% of companies already include wearable fitness devices as part of their wellness programs. In addition to those employers that have already incorporated the technology into their plans, 48.6% of the remaining respondents were considering purchasing wearable devices for their employees within the next 12 months. Wearable technology, unlike other fitness programs, has a steady compliance rate, even with older employees, and many employers like how using the devices for workplace challenges and programming can spark employee engagement. In many cases, employers don’t even need to purchase the accessories for their employees, since about one in three people already owns and uses fitness-tracking technology.
With benefits and statistics like that, it is likely that your company is considering the use of wearable technology in the workplace for wellness purposes or is doing it already. If so, make sure you have thought through the privacy concerns. In addition to motivating healthier behavior, wearable devices collect a lot of data, including activity levels, GPS location, heart rate, calorie consumption, height, weight, sleep levels and more. Depending on how this biometric data is collected, stored and used, as well as how the wellness program is structured, your employer group health plan may have a responsibility to protect it. Even if you do not have direct responsibility, your company should be prepared to answer questions about who might have access to employee data.
While the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) privacy and data security requirements do not apply to employers directly, employer-sponsored health plans are covered entities and have a responsibility to protect any protected health information (PHI) accessible to them. If a wellness program that collects and stores biometric data from employees using wearable devices is part of an employer group health plan, then HIPAA/HITECH privacy and data security rules likely extend to that data. If it sounds like your company’s plan may fit this criterion, please reach out to your Kistler Tiffany Benefits consultant for assistance. Your company may need to consider business associate agreements with related vendors, the content of your privacy notices, and whether your group health plan’s internal procedures and risk assessments address the PHI that is collected by wearable devices. Additionally, if the wearable technology is part of an employer group wellness program and it receives medical information, the EEOC’s wellness rules and their privacy notice requirement may apply.
Recognizing that HIPAA and other privacy laws and requirements were written before wearable technologies were envisioned, state legislatures have begun to enact greater protections for biometric data. Fifteen states have passed data security breach laws for employers that include protections for biometric data when it is accompanied by a first name or first initial and last name. One local state law is a new measure that went into effect in Delaware on April 14, 2018. It extends data breach requirements for employers to biometric data, including data procured by wearable devices. Other states have gone even further, such as the Illinois Biometric Information Privacy Act, which limits what kind of information employers may collect and dictates how they may obtain it.
Even if federal or state laws do not directly impact your company when it comes to biometric data collection, you should be prepared to respond to employee privacy questions, since survey data shows that 45 percent of wearable wellness technology users have privacy concerns. Make sure that your employer clients vet any vendors or technology programs they use, that the clients and vendors have procedures in place to keep employee information confidential and that employee data will not be sold or shared with others without authorization. Additionally, make sure that employees know that participation in any wellness activity is voluntary and that involvement or lack thereof will not impact any employment matters. Finally, obtain employee permission to track any biometric data, and do not keep or store any of this data beyond the bounds of what is necessary for the wellness activity at hand.
By Jessica Waltman, Special Contributor
Jessica Waltman is a health reform strategist, with more than 20 years of experience in health insurance markets and health policy. She is the former Senior Vice President, Government Affairs, for the National Association of Health Underwriters.