Last fall the city of Houston required employees to tell an online wellness company about their disease history, drug and seat belt use, blood pressure and other delicate information.
The company, hired to improve worker health and lower medical costs, could pass the data to "third party vendors acting on our behalf," according to an authorization form. The information might be posted in areas "that are reviewable to the public." It might also be "subject to re-disclosure" and "no longer protected by privacy law."
Employees could refuse to give permission or opt not to take the screen, called a health risk assessment -- but only if they paid an extra $300 a year for medical coverage.
"We don't mind giving our information to our health care providers," said Ray Hunt, president of the Houston Police Officers' Union, which objected so strongly along with other employees that the city switched to a different program. "But we don't want to give it to a vendor that has carte blanche to give that information to anybody they want to."
Millions of people find themselves in the same position as that of the Houston cops. As more employers grasp wellness as the latest promised solution to soaring health costs, they're pressuring workers to give unfamiliar companies detailed data about the most sensitive parts of their lives.
But whether or not that information stays private is anything but clear, an examination by Kaiser Health News shows.
In many workplace wellness programs, "it seems by taking the health risk assessment you are waiving your privacy rights," said Jennifer Mathis, director of programs at the Bazelon Center for Mental Health Law.
How wellness programs work
At worst, shared information about sensitive conditions could support discrimination by employers, banks, life insurance companies and others. Wellness data is already escaping into what one expert calls "the great American marketing machine" that pitches products according to your diseases and lifestyles, privacy scholars say.
Wellness vendors charge employers a per-person fee to assess workers' health and motivate them to exercise, eat well, see doctors and take pills. Companies push workers to participate with gift cards, insurance discounts and other rewards or penalties.
As employers flock to the wellness parade, corporate wellness vendors make up what research firm IBISWorld predicts will be a $12 billion industry by 2020 -- six times
its estimated size in 2011.
Privacy advocates see a void of regulation or even voluntary standards to ensure the information is used as intended. By all accounts the amount of worker wellness data being collected — through the Web, company surveys, wearable devices, gym records and lab tests — is exploding.
"The privacy issues are profound," said Pam Dixon, executive director of the World Privacy Forum, an advocacy group. "If people are being asked to wear a biometric electronic device, or use a mobile app or work within a wellness program, that data can be used in ways that may be very, very surprising to people."
Numerous wellness vendors say flatly that privacy is critical to their reputation and that they don't share information on individual workers with employers, data brokers or marketing companies. But as the Houston employees found out, the fine print isn't so plain or reassuring.
- Few workers know that wellness contractors are often unbound by the strict privacy law, known as the Health Insurance Portability and Accountability Act (HIPAA), that restricts doctors and hospitals.
- A review of privacy policies shows that many wellness vendors adopt policies allowing them to share identifiable data with unidentified "third parties" and "agents" working to improve employee health.
- Wellness companies and their contractors routinely share almost completely unregulated "de-identified" data showing group heath results with employers, researchers and others. Scientists have shown such information can be "re-identified" and used for marketing, potential credit screening and other purposes.
Reading the fine print
Wellness vendor Audax Health, whose work with Houston resulted in "an overwhelming number of employees who were uncomfortable with the privacy statement," according to a city statement to employees, said it keeps information strictly confidential. Audax's online portal for employees is called Zensey.
"We do not sell or resell personal health information to anyone," including marketing companies and data brokers, David Sclar, Audax's chief privacy officer, said through a spokesman. "We do not allow third parties to market to Zensey users."
But Audax's own fine print
contradicts the second part of his statement, saying the vendor may direct marketing pitches from third parties to wellness members based on "attributes" it collects from those employees. Audax is majority-owned by insurer UnitedHealth Group.
Other big wellness vendors, including venture-capital backed Welltok, include similar language in their disclosures. Welltok says its CaféWell portal
might "target certain advertisements to your browser," without identifying the user.
That permission "may be broader than needed," said Welltok spokeswoman Erica Morgenstern. Welltok does not target ads at users and might change the language the next time it revises the disclosure, she said.
Welltok co-founder Jeff Cohen said the company doesn't "use and sell and share the data from our platform about users to third parties."
Primary wellness vendors such as Audax and Welltok aren't the only ones collecting employee health data. Wearable device makers, test labs, gym chains, data centers, workout-app publishers are also part of the gold rush.
As frequent partners of employers and wellness providers, each of those companies also gathers worker information of varying sensitivity — often with employers pushing workers to participate -- in what amounts to a widening wellness data web.
The most advanced employee wellness programs can even "ping your cell phone when you're at the gym" to record your visit through a geo-location app, said Erick Hathorn, a consultant to wellness companies and contractors. "Or they can ping it 30 minutes later to know you stayed."
Lose It!, one of the most popular diet apps for smartphones, works with employee wellness plans to track your calories and weight via a wireless scale.
assures users of Apple products that information on their weight and eating habits won't be used for "advertising or other use-based data mining purposes" except for health research. Results for non-Apple users, on the other hand, might be given to "advertisers and potential business partners" with the identities removed.
That's a lower level of protection, even without identification, lawyers said.
Nobody at Boston-based Lose It! was available to answer questions about corporate wellness and privacy, a spokeswoman said.
"What are the vendors doing with the data they collect? They aren't telling us," said Ifeoma Ajunwa, who teaches health law at the University of the District of Columbia. "Are they selling it? I would be surprised if they're not selling it, because it's valuable."
What the data tells advertisers
Two years ago Under Armour bought MapMyFitness, another app promoted for use in corporate-wellness programs, and turned it into an ad vehicle for its athletic apparel.
The app records workout routes, times and speeds and shares data with wellness vendors and Under Armour itself, according to a disclosure statement
. Users see ads for Under Armour gear and other products on their smartphones and computers.
Data from MapMyFitness and other apps bought by Under Armour "is going to be extraordinary," company CEO Kevin Plank told industry analysts this year. "This will help us sell more shirts and shoes," he has repeatedly said.
An Under Armour spokeswoman referred a reporter asking about data policies and wellness programs to MapMyFitness' privacy statement.
More than 13 million Fitbits and other wearable health devices will be used in corporate wellness plans by 2018, ABI Research has projected
. Data gathered by the Fitbit can include height, weight, heart rates and sleeping and exercise patterns.
"Now Fitbit has that information and the wellness program has it," said Robert Gellman, a privacy consultant and former congressional staffer. "I don't know of any best practices from wellness industry [to handle the data]. It's the Wild West."
Fitbit did not respond to several requests to discuss privacy. The company won't "sell any data that could identify you" and shares information only when necessary to provide the service, when the data are anonymous or with user permission, its written policy says
Employer wellness programs even follow you to the supermarket.
A firm called NutriSavings
assigns health grades to thousands of food products and lets grocers record member shopping. Stores report scores -- but not specific purchases -- to the wellness vendor, says NutriSavings. Members get rewards from their employer based on what they buy.
Wellness information isn't just valuable for selling stuff. Privacy advocates especially worry that the results might be shared with data brokers who crunch information and sell it to banks and other financial firms.
"That's where the data then moves into other parts of the economy — lending decisions, credit decisions, mortgage decisions," said Scott Peppet, a law professor and privacy specialist at the University of Colorado. "Once these data are in the hands of a data broker, they can be blended into any kind of formula."
Credit-card companies could raise rates for employees that wellness programs reveal to be couch potatoes, inferring that they are more likely to default. Life insurers could deny coverage or raise prices based on unhealthy wellness results. Insurer John Hancock has already started offering discounts
to life insurance customers who agree to wear a Fitbit, share data and attain certain scores.
What privacy laws don't protect
No one knows whether data brokers are getting workplace wellness information. But despite what many employees believe, not all wellness information is protected by HIPAA
, which authorizes only doctors, insurance plans and others close to a patients' care to see their medical data.
"People assume all their health information is covered by HIPAA and that's just not true," Gellman said. "Wellness programs are on the border. Some are and some aren't. How can a mere mortal tell? A lot of information can escape into the great American marketing machine, which is desperate to get information on a person's health."
Wellness vendors are supposed to obey HIPAA restrictions if they're part of an employer's insurance plan
. But it's far from clear what that means.
The National Committee for Quality Assurance, a respected health care certification group, asks workplace wellness groups it accredits to observe HIPAA rules and require the same from third parties they work with.
But NCQA recognizes only about 30 wellness vendors
out of hundreds. Even a "HIPAA-compliant" program could induce workers to waive their rights without knowing it, consumer advocates said.
Nor does HIPAA protect the de-identified health information that wellness providers routinely share with employers and other, unidentified outside parties, according to their privacy policies. De-identified data might include blood pressure, cholesterol, drug use and disease history.
Researchers have shown that such information can be linked to the subject by combining it with voter lists, credit-card records and other databases. Harvard investigators used birthdays and zip codes in a de-identified genetics survey two years ago to figure out who more than a fifth
of the participants were.
Until recently, Audax's policy stated that the company could use de-identified employee data "for any business purpose." It removed that language after KHN inquired about privacy.
Fitbit and Limeade, a wellness provider in Bellevue, Wash., forbid third parties
using their anonymized data from trying to re-identify the users.
But that policy -- the kind recommended by Federal Trade Commissioner Julie Brill
and others -- is unusual among wellness providers, KHN's review shows.