Wearable technology continues to do a full court press on the marketplace and in the process, the step counters of the world and health apps tied to devices capable of tracking real-time biostatistics, are revolutionizing the way companies think about wellness. Wearables are the latest in workplace fads and they’ve got the numbers to back it up: sales are likely to hit $4 billion in 2017 and 125 million units are likely to be shipped by 2019. Wearable technology has transformed the workplace just as more and more employers are utilizing wellness programs to improve employee motivation and health. As the popularity of these technologies soars, so too will concerns around the associated privacy and data security risks. In this blog post, we discuss just a few of the legal implications for employers who run wellness programs embracing this new fad.
Overview of Workplace Wearables
Wearable devices have revolutionized technology and fitness as new models and fad-hungry consumers fuel the market. By 2015, estimates suggest that 33 million consumers already owned wearable devices from the likes of Fitbit, Jawbone, and Nike, and growth in the market is expected to increase 35% by 2019. Employers have quickly picked up on the trend and incorporated wearables into their corporate wellness programs. As a result, employers gain the payoffs of improved employee health—higher productivity, lower healthcare costs, and overall greater wellbeing—and companies do not even have to purchase or subsidize the hardware! However, what many employers don't realize is that there are significant legal implications and risks associated with these technologies.
Four in five consumers have privacy-related concerns about wearable technology. If only Duke’s field-goal attempts had been as consistent! What is likely driving consumer anxiety is the fact that the data collected from wearables are generally considered sensitive and private—such as health statistics, financial information, and location data. The problem is employers are collecting this data as part of their wellness program and failing to protect and safeguard the information as they would sensitive employee data collected for purposes of reviewing prospective employee applications, facilitating payroll and benefits administration, or collecting facts about workplace disputes and disciplinary action. As a result, companies are holding more personal information about employees in less secure environments, which raises more than a few concerns. Let’s get down to the X’s and O’s and draw up a couple of scenarios.
For example, an employer might sponsor a workplace competition during which employees are encouraged to track and report their progress using fitness devices that collect data related to heart rate, blood pressure, sleep patterns, calories burned, and other biostatistics. Once personal data of this kind is transmitted to the employer, whether by electronic or manual means, it becomes susceptible to hacking, and exposes an employer to the data breach notification statutes in each and every state where its employees reside. Already fourteen states (AR, CA, FL, IL, IA, MO, NE, NC, ND, OR, RI, TX, WI and WY) as well as Puerto Rico consider medical/health information and/or biometric data in combination with an individual’s first name or first initial and last name to be “personal information,” and if compromised, an employer with employees in multiple states could have significant and costly remediation and notification obligations under a patchwork of state statutes. This would be a flagrant foul, folks, and employers need to monitor their data collection and implement appropriate security features to play it safe.
Another issue is HIPAA. And we are not talking about a fancy new statistic that ESPN just rolled out for player efficiency. The Health Insurance Portability and Accountability Act (“HIPAA”) and its Privacy, Security and Breach Notification Rules (the “HIPAA Rules”) are also in the mix when it comes to wearable technology in the workplace. Depending on how the wellness program is structured, personal information collected by wearables and passed to employers may be protected under HIPAA. At companies where the wellness program is offered through a group health plan, the individually identifiable health information collected or created about participants is protected health information (“PHI”) and thus protected by the HIPAA Rules. While the HIPAA Rules do not directly apply to employers, a group health plan sponsored by an employer is a covered entity under HIPAA, and thus PHI must be protected accordingly. HIPAA also protects PHI held by the employer as plan sponsor on the plan's behalf when the plan sponsor is administering aspects of the plan, including wellness program benefits offered through the plan. The Office for Civil Rights of the Department of Health and Human Services has issued guidance on workplace wellness plans and HIPAA. In contrast, if a workplace wellness program is offered by an employer directly and not as part of a group health plan, the health information collected is not protected by the HIPAA Rules. (But even this exception must be used with care, since it is possible for a stand-alone wellness program to itself be a regulated covered entity.) In addition, other federal or state health privacy laws may apply even in instances in which a wellness plan is structured so as to avoid being subject to HIPAA.
Recommendations for Employers
For employers excited about incorporating wearable technologies into their wellness programs, we recommend the following steps to up the privacy game:
- Inform. Communicate to employees that participation in a wellness program is voluntary and will not impact employment decisions.
- Consent. Ask employees for their affirmative and explicit consent to collect their personal information during participation in a corporate wellness or fitness program. Disclose what personal data will be collected and how it will be used, and advise employees if information will continue to be collected automatically outside of work hours.
- Protect. Make sure that medical/health data and biostatistics collected during the wellness program are stored on secured servers, segregated from other non-sensitive information, and encrypted if possible.
- Manage Your Vendors. Fully vet potential vendors before starting a wellness program. There are many of them trying to jump into this space as quickly as possible and not all are thinking carefully about security. If a vendor provides wearable technologies as part of their program or platform, require them to confirm what personal data is collected and how they will store, use, and distribute this information in accordance with its policies. Also make sure to have qualified legal counsel review your vendor contracts to ensure that appropriate safeguards and risk allocation are in place.
- Enforcement. Enforce policies that prohibit supervisors and decisions-makers from accessing personal information collected by wearable technologies to make certain that employment-related decisions are not based on an employee's health status.
- Clean House. Avoid the collection of any personal information unrelated to the goals of the wellness program. Purge personal information as soon as the wellness program concludes or you no longer have a use for it.
- Employers should keep privacy concerns top of mind when putting in place a technology-driven wellness program, and seek legal advice when needed. Mintz Levin’s experienced privacy and data security team has logged a lot of minutes in this game and are available to provide bench strength in this critical area.
Kate Stewart and Alden Bianchi also contributed to this post.