After I signed up for my insurance plan, I got an email with a link to a “wellness program” that, if I traded some health data — such as steps from a pedometer or smartwatch exercise data — could earn me a small monthly payout and some gift cards. But the second I logged in, I felt paranoid about the whole thing.
If you work for a company with employer-sponsored health insurance, there’s a chance you’ve come across wellness programs such as UnitedHealthcare Motion, Humana Go365, Attain by Aetna, and Vitality (The New York Times offers Vitality to its employees).
Each program works similarly, offering some type of discount or financial incentive in exchange for reaching goals, usually verified by requesting health data collected by a phone or fitness tracker. Insurance companies offer these programs to encourage people to begin or maintain healthy habits, like eating well and exercising, thus reducing health care costs. Employers offer them as a way to provide financial rewards you can use toward the cost of insurance or gift cards.
Financial rewards and gift cards are tantalizing incentives, but you shouldn’t make the choice to trade away your health data without considering the potential issues first.
What laws protect my health data?
The laws surrounding health data are complex, and your wellness program may not include the data privacy you expect.
The health information you share with insurance companies, H.M.O.s, health care providers, or company health plans is protected by the Health Insurance Portability and Accountability Act (HIPAA), which helps keep your data private. But not all workplace wellness programs are covered by HIPAA.
If a program or wearable tracking device is covered by HIPAA, your employer will never have access to the data collected, but if HIPAA doesn’t apply, you’re trusting those entities to not share the data with your employer, third-party ad agencies, or anyone else. Without HIPAA, a wellness program (or, more accurately, the operator or administrator behind it) may sell the health information it collects, which could put you at risk of having your data used against you or unlawfully in some way.
Pam Dixon, executive director of the World Privacy Forum, told me, “The best thing to do is take a close look at the privacy policy for that program. If it is a HIPAA-covered program, they’re going to have something called a Notice of Privacy Practices.” Look for phrases like “your rights under HIPAA,” “Notice of Privacy Practices,” or “NPP” in the privacy policy.
“If you see the term ‘we are HIPAA-compliant,’ the basic rule of thumb is the program does not fall under HIPAA,” Ms. Dixon added.
Yes, it’s confusing — although a program may call itself compliant, that doesn’t mean it’s regulated, she said. If it’s not covered by HIPAA, that opens the door for any data you provide to potentially be shared with third parties for advertising and marketing purposes.
The U.S. Department of Health and Human Services also adds this distinction: If a wellness program is offered as part of a group health plan, your information is protected by HIPAA rules; if the wellness program is offered directly by an employer, the information is not protected.
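As an added illustration (not code from the article or from any of the programs it names), the following Python helper applies the checks described above to the text of a privacy policy: it looks for Notice of Privacy Practices language, treats a bare "HIPAA-compliant" claim as the rule-of-thumb sign that HIPAA does not apply, and lets you record the HHS distinction about whether the program is offered through the group health plan. The sample policy excerpts are constructed for the example.

```python
import re
from typing import Optional

# Phrases the article says signal a HIPAA-covered program (a Notice of Privacy Practices).
NPP_MARKERS = [
    r"notice of privacy practices",
    r"\bnpp\b",
    r"your rights under hipaa",
]
# A bare "HIPAA-compliant" claim is the rule of thumb that the program is NOT covered.
COMPLIANCE_CLAIM = r"hipaa[- ]compliant"


def assess_policy(text: str, offered_via_group_health_plan: Optional[bool] = None) -> dict:
    """Classify privacy-policy text with the article's heuristics.

    verdict is one of: 'likely-covered', 'compliance-claim-only',
    'no-hipaa-language', or 'not-covered-employer-offered'.
    The group-health-plan flag is an assumption you supply from plan documents.
    """
    lowered = text.lower()
    npp_hits = [pattern for pattern in NPP_MARKERS if re.search(pattern, lowered)]
    claims_compliance = re.search(COMPLIANCE_CLAIM, lowered) is not None

    if offered_via_group_health_plan is False:
        # HHS distinction: offered directly by the employer -> not protected by HIPAA.
        verdict = "not-covered-employer-offered"
    elif npp_hits:
        verdict = "likely-covered"
    elif claims_compliance:
        verdict = "compliance-claim-only"
    else:
        verdict = "no-hipaa-language"

    return {
        "verdict": verdict,
        "npp_markers": npp_hits,
        "claims_compliance": claims_compliance,
    }


# Constructed sample excerpts (not real policies).
COVERED_SAMPLE = (
    "This Notice of Privacy Practices describes your rights under HIPAA "
    "and how the plan may use your health information."
)
CLAIM_SAMPLE = (
    "We are HIPAA-compliant and take privacy seriously. "
    "We may share activity data with marketing partners."
)
SILENT_SAMPLE = "We collect step counts and may share them with advertising partners."
```

Run `assess_policy(CLAIM_SAMPLE)` to see the compliance-claim case the article warns about flagged as not covered.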
When I asked Anna Slomovic, Ph.D., a data management and policy consultant, about this, she told me, “You have to remember when data is shared between organizations, what is happening is the data is copied and the copy is handed over. So one copy may be covered by HIPAA and the other copy may not be.” This could include data from the devices you track activity with, like a Fitbit, where the data is covered only by Fitbit’s privacy policy — unless it gets moved over to a HIPAA-covered entity or someone acting on its behalf.
What are the problems with this type of data sharing?
Health data is some of the most private data you have, so it’s worth being mindful of where that information is shared and how it could be used. You may not have an issue sharing the number of steps you take on your pedometer, but consider what other data your fitness tracker might gather.
Referencing a chapter from the 2017 book, “Under Observation: The Interplay Between eHealth and Surveillance,” Dr. Slomovic showed how much data wearable devices, apps, and health portals collected. Even in 2014, this information ranged from location history to the modes of transport wearers tend to use.
As to how your health data could be used, we can all imagine the worst-case scenarios of sharing info about our eating, dieting, and exercising habits (or lack thereof) with insurance companies, but it’s what we haven’t thought of yet that’s more worrisome.
“You don’t think this data means anything, and then all the sudden somebody else takes the data and rearranges it, and all the sudden it’s a big deal,” Dr. Slomovic pointed out. We’ve already seen some surprising ways that fitness data can be repurposed, like when Nathan Ruser, a student at the Australian National University, used data from the fitness app Strava to reveal the locations of military bases.
Many wellness programs ask you to complete surveys and risk assessments to earn points. These surveys may also ask questions you’re not comfortable answering, like whether you plan to get pregnant in the next year or two. There’s not much to gain from sharing this type of info, and you should avoid doing so — you don’t have to answer every question.
If your family is covered by your health plan, it’s important to consider their privacy as well, especially your children. Make sure your children don’t fill out any health surveys that aren’t covered by HIPAA, and watch out for programs that overreach for their data (and your partner’s, too).
Even if you trust all these companies to never share your health information, don’t forget about the possibility of data breaches.
In a paper published in the Annals of Internal Medicine (subscription required), researchers found that 71 percent of 1,461 reported data breaches at hospitals between October 2009 and July 2019 included sensitive info, such as patient names, addresses, email addresses, or other personal identifiers. These breaches exposed millions of people to the risk of identity theft or financial fraud.
What should I do?
Wellness programs are often marketed as a way for you to earn money, but you can also view your participation as a cost.
Still, the financial benefits are hard to ignore. Though it’s important to consider the potential issues, participating in a wellness program is not universally bad. Aside from considering HIPAA coverage, it’s best to steer clear of participating in programs that ask for more info than you’re comfortable sharing (like genetic test results) or that pay based on specific outcomes, like weight loss.
Beyond that, Dr. Slomovic suggested considering two questions: Do you have a choice in the first place, that is, can you afford not to be in these programs, both financially and in terms of being seen as a team player? And if you can afford to choose, do you care what’s going to happen to that data?
If you’re uncomfortable with the possibility that your data could be used in ways you wouldn’t approve of, you should avoid these programs. If you’re still undecided, Ms. Dixon recommended using what she calls the “five analysis” to decide whether a program is worth it for you: “How does it impact you five days from now, five months from now, and five years from now?”
Even if you’re comfortable assuming data security risks — and you consider yourself “healthy” — there’s always the possibility that your health status could change during the course of your participation in any wellness program.
A version of this article appears at Wirecutter.com.