How to Improve Data and Information Security in Wellness Programs

Do you collect personal data for your wellness program? Do you know how your wellness vendor uses the data they collect? Learn how to tighten your data protection and information security in this post. 

Wellness programs often require employees to provide their personal data through biometric screenings and health risk assessments (HRA). In some cases, particularly those with group health plans, insurance claims data may also become available to HR teams, third-party wellness programs, and company executives. 

Such exposure is one reason some companies see low employee participation rates, and the concern is understandable. The Department of Health and Human Services’ Office for Civil Rights reported 3,705 healthcare data breaches of 500 or more records between 2009 and 2020, resulting in the loss, theft, exposure, or impermissible disclosure of 268,189,693 healthcare records.

[Figure: Healthcare Data Breaches of 500 or More Records 2009-2020]

What’s concerning is that some employers are unaware of their responsibilities and obligations when it comes to information security. Health data collection can place employees’ privacy and employment at risk if the program does not follow the necessary protocols.

What’s the extent of the data collection? What safety protocols should be in place? These are some of the questions that must be answered by all stakeholders. 

What is HIPAA?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a set of standards that governs how health information is handled and protected. It dictates a set of safeguards (administrative, technical, and physical) that covered entities are required to implement, and indicates how these standards must be enforced.

What is Personal Data?

The European Commission defines personal data as “any information that relates to an identified or identifiable living individual.” The collection of information that results in identifying a person also falls under personal data. 

Some examples of personal data include:

  • First name and last name
  • Home address
  • Email address with first and last names
  • IP address
  • ID card number
  • Cookie ID
  • Smartphone advertising identifier
  • Health records

For most wellness programs, HR teams and providers may ask employees to provide their full names, home addresses, email addresses, and health records. As part of HRAs, employees may also undergo biometric assessments, wherein they will need to provide additional health data, such as body mass index (BMI), cholesterol and blood sugar levels, and blood pressure. These biometric data help determine potential risk factors for chronic conditions.

HIPAA Compliance and Wellness Programs

In general, employee wellness programs are run by third-party providers. The unfortunate reality is that to be covered by HIPAA, your workplace wellness program must be part of a group health plan. According to the Department of Health and Human Services (HHS), HIPAA privacy and security rules don’t apply to programs outside this category.

For those covered by HIPAA, insurance providers are legally bound to keep personally identifiable information (PII) private and secure. But either way, it is in the best interest of both employers and employees to ensure that data protection and information security are in place. 

According to IBM Security’s 2021 Cost of a Data Breach Report, healthcare data breaches are the most expensive of all, costing the industry a staggering $9.42 million per incident.

[Figure: Average Total Cost of a Data Breach by Industry]

This increase is due to the sudden operational shift brought on by the COVID-19 pandemic, as organizations had to launch technology without proper preparation. While technology is part of the reason for the increase in data breaches, it is also a way to mitigate risk. Organizations must have a committed security plan to help secure information and data. In some cases, this extends beyond the organization: they must also ensure that the wellness technology providers they work with comply with HIPAA requirements.

Aside from the financial cost of a breach, employers also risk their brand reputation. Companies involved in data breaches often face low trust ratings from employees and even potential partners and investors. 

How Employees Can Mitigate Risks

Workplace wellness programs offer many benefits for employees, and ideally, fear of data leaks shouldn’t stop them from enjoying the health benefits. How can employees help keep their data safe?

Employees should carefully read consent forms. They must thoroughly understand what personal data will be collected and how it will be used, stored, and destroyed. They should also take time to read through the program’s privacy policies, including how much control they have over the data they wish to provide, and refrain from providing unnecessary information.

The Role of Employers

Employers offering employee wellness programs must understand the legal liabilities and vulnerabilities they may face. Employers should ensure their employees retain complete control of their health data and remain the primary decision-makers of how their data will be used. Start by getting an employee's informed consent and offering a thorough explanation of health data collection and the associated risks of joining a wellness initiative. 

Employers should also refrain from requesting PII unless required for program administration. According to the HHS, employers must justify the need to receive an individual’s medical record, which must be included within the program's policies and procedures. 

While wellness programs remain unregulated, working with vendors who follow stringent standards for data security should be employers’ top priority.

Aside from being HIPAA-compliant, CoreHealth has demonstrated its commitment to data protection and information security by achieving ISO/IEC 27001 Information Security Management Certification. This means all of CoreHealth’s partners can enjoy the benefits of wellness programs and the peace of mind that their data is safe and secure. 

If you want to learn how our wellness technology can provide your employees with the utmost security, contact us. 

About CoreHealth Technologies

CoreHealth Technologies Inc. is a total well-being company trusted by global companies to power their health and wellness programs. Our wellness portals help maximize health, engagement, and productivity for 3+ million employees worldwide. We believe people are the driving force of organizations and supporting them to make behavior changes to improve employee health is in everyone’s best interest. With the most flexibility, customizations, and integrations of any software in its class, CoreHealth’s all-in-one wellness platform helps achieve great wellness outcomes. Simple to sophisticated, based on you. For more information, visit the CoreHealth website.