Data Privacy and Workplace Wearables: Can Employee Fitness Lead to Employer Pitfalls?
As the popularity of wearable fitness trackers increases and new models constantly hit the market, consumers continue to jump on board the fitness gadget bandwagon. By the end of 2015, an estimated 33 million consumers owned wearable fitness devices from manufacturers such as Fitbit, Jawbone, Nike, and a host of others.
With worldwide shipments of wearable devices expected to reach 110 million by the end of 2016, many employers are taking notice of this trend and turning to fitness trackers to ramp up their corporate wellness programs. Companies are encouraging participation in workplace competitions or challenges that allow employees to report their progress in exchange for various incentives. Employers are hopeful these efforts will result in the payoffs typically associated with improved employee health – lower healthcare costs and higher employee productivity. Technological efforts to move employees toward improved fitness, however, could walk employers into potential legal landmines.
Threats to Health Data Collected
Recent high-profile data breaches have created a heightened focus on data security and privacy threats, particularly related to financial data. Similar threats to data captured by fitness trackers and smartphone health applications also demand attention. Encouraging employees to use these devices and apps could unknowingly expose them to a myriad of privacy risks. The data collected by fitness devices could include GPS coordinates, heart rates, blood pressure, calories burned, sleep patterns, and other activity. Users often set up profiles in fitness devices' companion mobile apps or websites by adding their names, addresses, telephone numbers, genders, dates of birth, pregnancy status, eating habits, and other health-related information. This personal data is eventually stored on the vendor's servers and is, therefore, susceptible to hackers.
For example, cybercriminals hacked into a fitness tracker company's servers in an attempt to steal user warranty information to obtain replacement devices. As part of the breach, hackers reportedly gained access to personal data, including users' GPS history and data showing when users typically went to sleep every night.
Cybercriminals could also use data stored in servers to commit medical identity theft, which involves stealing names and personal information to fraudulently obtain access to healthcare and other medical services. Victims of medical identity theft face profound and expensive consequences that could thwart efforts to receive future healthcare and insurance.
Although information captured and maintained through fitness monitors and apps is susceptible to cybercrime, the data generally is not regulated by the Federal Trade Commission (FTC), nor is it protected under the Health Insurance Portability & Accountability Act (HIPAA) aside from limited circumstances (e.g., a wearable manufacturer partnering in some way with a HIPAA-covered entity as a business associate).
Fitness tracker companies generally have significant discretion with respect to the use and disclosure of user data provided that such uses and disclosures are referenced in the companies' applicable terms and conditions, and the companies abide by such terms.
In addition to threats of cyberattacks, consumers also face inherent privacy risks in the way their information is shared by mobile health app companies. The FTC revealed in a 2014 study that 12 mobile health apps transmitted information to 76 different third parties. Some of the data transmitted could be linked back to names and email addresses belonging to specific users. Another study revealed that data transmitted from fitness devices to related apps and websites carries certain identifiers that could be leaked to third parties through Bluetooth technology. These identifiers allow third parties to monitor user locations and other data.
Some privacy advocates have also expressed concern that health app companies may sell user information to data brokers and advertising companies.
Employer Exposure to Liability under Antidiscrimination Laws
In addition to concerns related to unauthorized access to employees' personal information, employers must also carefully consider legal issues that could arise from their companies' internal use of employee health data. Companies that have incorporated fitness wristbands into their employee wellness programs typically set up a mechanism to allow employees to report their health progress by syncing their devices or user profiles to a portal. Improper handling of data collected from fitness devices could lead to potential liability under various laws prohibiting discrimination. For example, the Americans with Disabilities Act (ADA) places certain limitations on medical exams and disability-related inquiries, such as questions likely to elicit information about a disability. According to the Equal Employment Opportunity Commission, a "procedure or test that seeks information about an individual's physical or mental impairments or health" could violate the ADA. An exception exists, however, in the context of voluntary wellness programs. Data related to an employee's family health history may also expose companies to liability under the Genetic Information Nondiscrimination Act, which prohibits employers from considering genetic information in making employment decisions. Further, to the extent data collected is used to reward healthy fitness behaviors (e.g., with a health premium discount or contribution to a health savings account), the underlying wellness program must comply with HIPAA nondiscrimination rules. HIPAA's nondiscrimination provisions require that company wellness programs allow a reasonable alternative, or waiver of the requirement, for employees unable to complete a health-related activity facilitated by use of a fitness tracker.
Steps Employers Should Consider
Due to potential privacy and antidiscrimination law implications, employers should exercise caution when incorporating fitness trackers and related technology into workplace wellness programs. With respect to fitness tracker vendor selection, employers should fully vet vendors before entering into a wellness program partnership. Due to the nature of information involved, employers should require the vendor to confirm what personal data the vendor will collect, and how the vendor will store, use, and distribute it. Employers should also examine the vendor's encryption procedures, especially pertaining to the data transferred from the fitness devices to related smartphone apps. To avoid exposing unsuspecting employees to unnecessary privacy risks, employers should conduct a careful review and assessment of the vendor's data policies, preferably with the assistance of a data security and privacy professional.
Employers should also carefully review and examine their own internal policies to ensure that their practices and procedures do not run afoul of antidiscrimination laws. An employer's use of health-related data must be strictly limited to the administration of the workplace wellness program and cannot be used to make employment decisions. Therefore, companies seeking to incorporate wearable fitness devices into wellness programs should continue to follow standard guidelines and consider the following recommendations:
Avoid the collection of personal information and health data unrelated to wellness program goals.
Enforce policies that prohibit supervisors or other decision makers from accessing health data reported via fitness devices to ensure that employment-related decisions are not based on any employee's health status.
Whenever possible, consider contracting the administration of a workplace wellness program to a third-party vendor so that the employer only receives aggregate information that does not identify individual employees.
Notify employees in writing that any participation in the company's wellness program is voluntary, and offer employees reasonable alternatives to receive the incentives or rewards offered for completing health-related activities or achieving certain health outcomes.
Since certain fitness devices collect GPS information, ensure that this data is not used in a manner that violates employees' reasonable privacy expectations.
Consider obtaining employees' consent to collect personal data reported via wearable devices.
Create policies to ensure that employees are well-informed regarding the information to which the employer will have access, and how the employer intends to use such information.
Fitness trackers are revolutionizing the way companies think about wellness. As demonstrated by the popularity of these devices, wearables could motivate employees in a way that significantly improves employee health and companies' bottom lines. In taking steps to modernize wellness programs, however, employers must not lose sight of the inherent risks associated with utilizing this type of technology. Employers would be well-advised to seek legal counsel to ensure that their steps to increase employee fitness are moving in the right direction.
For more information, contact Ice Miller's Data Security and Privacy practice
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
Depending on the nature of a wellness program arrangement between an employer and fitness tracker vendor, the vendor may be a business associate to the employer's group health plan. In that instance, HIPAA privacy and security laws would apply, requiring a business associate agreement.