Wearables, Wellness and Privacy

Bloomberg BNA recently reported that this fall the Center for Democracy & Technology (CDT) will be issuing a report on Fitbit Inc.’s privacy practices. Avid runners, walkers or those up on the latest gadgets likely know about Fitbit, and its line of wearable fitness devices. Others may know about Fitbit due to the need to measure progress in their employers’ wellness programs, or even whether they qualify for an incentive. When participating in those programs, employees frequently raise questions about the privacy and security of data collected under such programs, a compliance issue for employers. Earlier this month, FitBit reported that its wellness platform is HIPAA compliant.

FitBit’s Charge HR (the one I use) tracks some interesting data in addition to the number of steps: heart rate, calories burned, sleep activity, and caller ID. This and other data can be synced with a mobile app that allows users to, among other things, create a profile with more information about themselves, track progress daily and weekly, and find and communicate with friends using a similar device.

Pretty cool stuff, and reasons why FitBit is the most popular manufacturer of wearables, with nearly 25 percent of the market, as noted by Bloomberg BNA. But, of course, FitBit is not the only player in the market, and the same issues have to be considered with the use of wearables regardless of the manufacturer.

According to Bloomberg BNA’s article, one of the concerns raised by CDT about FitBit and other wearables is that the consumer data collected by the devices may not be protected by federal health privacy laws. However, CDT’s deputy director of the Consumer Privacy Project stated to Bloomberg BNA that she has “a real sense that privacy matters” to FitBit. This is a good sign, but the laws that apply to the use of these kinds of devices depend on how they are used.

When it comes to employer-sponsored wellness programs and health plans, a range of laws may apply raising questions about what data can be collected, how it can be used and disclosed, and what security safeguards should be in place. At the federal level, the Health Insurance Portability and Accountability Act (HIPAA), the Americans with Disabilities Act (ADA), and the Genetic Information Nondiscrimination Act (GINA) should be on every employer’s list. State laws, such as California’s Confidentiality of Medical Information Act, also have to be taken into account when using these devices in an employment context.

Recently issued EEOC proposed regulations concerning wellness programs and the ADA address medical information confidentiality. If finalized in their current form, the regulations would, among other safeguards, require employers to provide a notice informing employees about:

  • what medical information will be obtained,

  • who will receive the medical information,

  • how the medical information will be used,

  • the restrictions on its disclosure, and

  • the methods that will be used to prevent improper disclosure.

Preparing these notices for programs using wearables will require knowing more about the capabilities of the devices and how data is accessed, managed, disclosed and safeguarded.

But is all information collected from a wearable “medical information”? Probably not. The number of steps a person takes on a given day, in and of itself, seems unlikely to be medical information. However, data such as heart rate and other biometrics might be considered medical information subject to the confidentiality rule. Big data analytics and IoT may begin to play a greater role here, enabling more detailed pictures to be developed about employees and their activities and health through the many devices they use.

Increasingly, wellness programs seek to incentivize the household, or at least employees and their spouses. Collecting data from the wearables of both employee and spouse may raise issues under GINA, which prohibits employers from providing incentives to obtain genetic information from employees. Genetic information includes the manifestation of disease in family members (yes, spouses are considered family members under GINA). The EEOC is currently working on proposed regulations under GINA that we hope will provide helpful insight into this and other GINA-related issues.

HIPAA, too, may apply to wearables and their collection of health-related data when that collection relates to the operation of a group health plan. Employers will need to consider the implications of this popular set of privacy and security standards, including whether (i) changes are needed in the plan’s Notice of Privacy Practices, (ii) business associate agreements are needed with certain vendors, and (iii) the plan’s risk assessment and policies and procedures adequately address the security of PHI in connection with these devices.

Working through plans for the design and implementation of a typical wellness program certainly must involve privacy and security; more so for programs that incorporate wearables. FitBits and other devices likely raise employees’ interest and desire to get involved, and can ease administration of the program, such as tracking achievement of program goals. But they raise additional privacy and security issues in an area where the law continues to develop. So, employers need to consider this carefully with their vendors and counselors, and keep a watchful eye for more regulation likely to be coming.

Until then, I need to get a few more steps in…

Article By Joseph J. Lazzarotti of Jackson Lewis P.C.

Still Waiting for ADA and GINA Guidance on Wellness Incentives

Jackson Lewis P.C.

March is here. The EEOC’s perspective on wellness program incentives is not. Yet again.

In its Fall 2014 regulatory agenda, the EEOC stated it would be issuing in February 2015 amended regulations concerning the size of incentives an employer may offer, yet still have a “voluntary” wellness program under the ADA and GINA. The EEOC listed these same amendments on its Spring 2014 regulatory agenda. The regulatory agenda is a preliminary statement of priorities under consideration and is not a binding commitment to issue the regulations on the stated date.

The EEOC noted on its agenda that these amendments were needed to address whether an employer’s compliance with HIPAA rules concerning wellness program incentives, as amended by the Affordable Care Act (ACA), also complies with the ADA. The EEOC added that an amendment would also address the size of inducements allowed under GINA “to employees’ spouses or other family members who respond to questions about their current or past medical conditions on health risk assessments.”

The allowed size of wellness incentives matters to the growing number of employers with wellness programs. The ACA has a clear compliance standard for such incentives. Until 2014, the EEOC had stayed on the sidelines of the wellness incentive debate, not offering any guidance beyond its general view that if the incentive was too large, the program was not “voluntary.”

In 2014, the EEOC sued three employers, claiming the size of their wellness incentives (or penalties, depending on your perspective) transformed otherwise voluntary wellness programs into involuntary programs. In the third case, the EEOC sought to enjoin the company from continuing the incentives in its wellness plan. There was no claim that the incentives violated the ACA standard. Our report on that case is here.

At the oral argument on the injunction hearing, the court asked the EEOC numerous times to define the line between a lawful and unlawful incentive under the ADA and GINA. The EEOC declined to define a specific line. The court denied the EEOC’s injunction request.

More than a year ago, we posted that waiting for the EEOC’s guidance on incentives under wellness programs is like waiting for Beckett’s Godot, where Estragon and Vladimir lament daily that Godot did not come today, but he might come tomorrow. The waiting continues.
