Last fall the city of Houston required employees to tell an online wellness company about their disease history, drug and seat belt use, blood pressure and other delicate information.
The company, hired to improve worker health and lower medical costs, could pass the data to "third party vendors acting on our behalf," according to an authorization form. The information might be posted in areas "that are reviewable to the public." It might also be "subject to re-disclosure" and "no longer protected by privacy law."
Employees could refuse to give permission or opt not to take the screen, called a health risk assessment -- but only if they paid an extra $300 a year for medical coverage.
"We don't mind giving our information to our health care providers," said Ray Hunt, president of the Houston Police Officers' Union, which objected so strongly along with other employees that the city switched to a different program. "But we don't want to give it to a vendor that has carte blanche to give that information to anybody they want to."
Millions of people find themselves in the same position as that of the Houston cops. As more employers grasp wellness as the latest promised solution to soaring health costs, they're pressuring workers to give unfamiliar companies detailed data about the most sensitive parts of their lives.
But whether or not that information stays private is anything but clear, an examination by Kaiser Health News shows.
In many workplace wellness programs, "it seems by taking the health risk assessment you are waiving your privacy rights," said Jennifer Mathis, director of programs at the Bazelon Center for Mental Health Law.
How wellness programs work
At worst, shared information about sensitive conditions could support discrimination by employers, banks, life insurance companies and others. Wellness data is already escaping into what one expert calls "the great American marketing machine" that pitches products according to your diseases and lifestyles, privacy scholars say.
Wellness vendors charge employers a per-person fee to assess workers' health and motivate them to exercise, eat well, see doctors and take pills. Companies push workers to participate with gift cards, insurance discounts and other rewards or penalties.
As employers flock to the wellness parade, corporate wellness vendors make up what research firm IBISWorld predicts will be a $12 billion industry by 2020 -- six times
its estimated size in 2011.
Privacy advocates see a void of regulation or even voluntary standards to ensure the information is used as intended. By all accounts the amount of worker wellness data being collected — through the Web, company surveys, wearable devices, gym records and lab tests — is exploding.
"The privacy issues are profound," said Pam Dixon, executive director of the World Privacy Forum, an advocacy group. "If people are being asked to wear a biometric electronic device, or use a mobile app or work within a wellness program, that data can be used in ways that may be very, very surprising to people."
Numerous wellness vendors say flatly that privacy is critical to their reputation and that they don't share information on individual workers with employers, data brokers or marketing companies. But as the Houston employees found out, the fine print isn't so plain or reassuring.
- Few workers know that wellness contractors are often unbound by the strict privacy law, known as the Health Insurance Portability and Accountability Act (HIPAA), that restricts doctors and hospitals.
- A review of privacy policies shows that many wellness vendors adopt policies allowing them to share identifiable data with unidentified "third parties" and "agents" working to improve employee health.
- The industry boom has drawn a widening network of fitness centers