Corporate Wellness Programs Best Practices: ensuring the privacy and security of employee health information

Nationwide, corporate wellness programs are on the rise. In 2016, the corporate wellness industry is projected to exceed $2.9 billion; by 2020, corporate wellness is projected to be a $12 billion industry. One reason for the growth is the intended purpose of corporate wellness programs: to get employees involved in their own health care, thereby reducing absenteeism and insurance claims.

Recently there have been reports stating that corporate wellness programs may put employee privacy at risk. One source of the potential risk to the privacy of employee health information may be that wellness contractors are not bound by the HIPAA Privacy Rule, and that not all wellness information is protected by HIPAA. One report goes a step further, stating that the potential risk to the privacy and security of shared employee health information could support discrimination by employers.

To help you protect the privacy of employee health information, we have put together the following list of best practices to follow if you choose to participate in a corporate wellness program.

  1. Determine what wellness data is shared and who the data may be shared with

Wellness programs commonly screen employees for health risks through health risk assessment (HRA) surveys and biometric screening. Find out from the corporate wellness vendor who the results of the HRA will be shared with. Both employers and employees should read and understand the corporate wellness vendor's privacy policy to determine what language it includes regarding who the vendor is permitted to share data with (labs, gyms, app publishers, etc.). You deserve a clear explanation of which companies view or receive your data, how the information may be used, and how it is protected.

  2. Understand who has access to lifestyle management information

Following the HRA, employees may be asked to participate in the lifestyle management program, which uses coaching and support materials to help employees engage in more healthful living. As part of the lifestyle management process, interventions including smoking cessation, weight management, nutrition, stress management and others may be recommended. In addition, the wellness program vendor analyzes employee health care claims to identify employees with chronic conditions: asthma, CAD, atrial fibrillation, CHF, stroke, hyperlipidemia, hypertension, diabetes, low back pain, and chronic obstructive pulmonary disease. Employers and employees should understand what lifestyle management information may be shared, and with whom it will be shared. Moreover, employers and employees should determine how employee health information obtained and analyzed during the lifestyle management process is safeguarded.

  3. Ensure that results are safeguarded

A third-party vendor administers the HRA and compiles the results of the biometric screening. Reports on findings are provided at the companywide and site level, and employees are mailed their individual results from the biometric screenings. The information provided in the group reports is de-identified; however, it may be easy for managers or smaller organizations to match worker identities with results from group reports. Because there is a potential for re-identification, these group reports should be properly safeguarded. Further, the information contained in the group reports should only be used as a snapshot of how your organization is doing as a whole and never as a tool to evaluate a worker's job performance. More importantly, these reports must never support discrimination. The Equal Employment Opportunity Commission, which enforces laws against discrimination, has also proposed safeguards for employees. These include limits on the size of financial incentives, confidentiality of employee medical information, and prohibitions against firing workers who decline to participate or denying them access to the company health plan.

  4. Do not force or coerce employee participation

Although wellness programs are popular among employers, a large percentage of employees do not accept assurances that the screening results will remain confidential. According to a survey by the Economist Intelligence Unit, more than half of workers said they are hesitant about sharing their health information, and a quarter said they wouldn't share their data under any circumstances. More than one-quarter of employees said they were concerned their personal information wouldn't remain confidential. Because of this, many organizations are using financial incentives (including reduced insurance premiums) to raise participation levels in their corporate wellness program. Incentives to participate in wellness programs are permitted by law if the maximum incentive for participating doesn't exceed 30 percent of the total cost of coverage.

Example of Participation Coercion: One employee said her concerns about the privacy of her medical data cost her more than an elevated insurance premium. She declined to participate in the company wellness program's health screening. She reports being invited to a meeting with management to "quash any potential attitude of hers." Legal findings report that this employee was fired a month later in retaliation for her decision. She was out of work for over a year. The EEOC sued, contending the company violated federal law by requiring its employee to disclose health information that wasn't job-related and firing her when she objected.

Participation in corporate wellness programs is on the rise. The surge in corporate wellness program participation requires employers and employees to determine how to ensure the privacy and security of employee health information. As healthcare professionals, we rely on HIPAA to provide the necessary framework for protecting patient health information. However, a corporate wellness program offered separately from an employer's group health insurance plan is not protected by HIPAA.

We recommend determining what wellness data will be obtained and analyzed as part of the corporate wellness program, and who that information will be shared with. Group reports are useful as a snapshot of how your organization is doing as a whole. However, these reports must be safeguarded, and there should be no attempts at re-identifying individuals. Employee participation in corporate wellness programs should be voluntary. Individuals should also be afforded assurances that their health information will be safeguarded, and that any results learned or discovered will never be used to discriminate against them.