This article was originally posted to Seyfarth’s Global Privacy Watch blog.

Employers looking to enhance their suite of employee benefit programs, and focused on the lessons about wellbeing learned during the pandemic, are interested in providing greater access to wellness tools. And the vendors who support those tools are more than happy to provide them. Global spending in the health and wellness market was projected to be around $24.8 billion in 2023, according to a study by Kilo Health. Wellness apps and wearables abound in all sorts of areas, from counting steps to nutrition, mental health, physical fitness and financial fitness. These tools are relatively inexpensive to provide and easily accessible to the workforce, many times with just a simple download to a smartphone. And, best of all, they are completely private: no middleman, and only the employee sees their own data and progress. Right? Well, not so fast.

Federal Law

HIPAA is the federal statute that protects the privacy and security of individually identifiable health information, called Protected Health Information or PHI. Many people (plan sponsors and covered participants alike) assume that wellness apps and the data they contain are protected by HIPAA. However, HIPAA does not cover all types of health information. For HIPAA to apply, the information must be created, received, maintained or transmitted by a "covered entity" (or by a business associate acting on its behalf). Covered entities are generally health care providers (e.g., doctors, hospitals, pharmacies), health plans, and health care clearinghouses.

Where the developer or license holder of a health application is a covered entity, and that entity maintains the application and the data it collects, the underlying data receives the protections of HIPAA. For example, a pharmacy may be the entity that supplies patients with access to an online application to manage their medications. In that case, the pharmacy will have to design its security systems and protocols to meet HIPAA's Privacy and Security Rule requirements.

Often, however, the developer of a wellness application is not a covered entity, and the application is not used by a provider for diagnosing, curing, mitigating, treating or preventing disease. Common examples are applications that count an individual's steps or offer a tracker for weight or blood pressure. In that case HIPAA does not apply to the data, and reviewing the application's privacy policy and making an informed decision before entering personal information is critical.

On the other hand, where an employer is considering enhancing its benefits offering to include access to a wellness application or device, that benefit may be offered under, and as part of, its health plan. A clear example is a heart monitor provided to an individual complaining of an irregular or racing heartbeat, but a fitness tracker offered as part of the health plan's wellness benefit could also fall into this category. In that case, the wellness vendor will likely be functioning as a business associate of the health plan, and the individually identifiable health data collected on the app or device will be HIPAA PHI. This means that the vendor and the health plan will need to enter into a HIPAA-compliant business associate agreement that lays out the permitted uses and disclosures of the PHI and the safeguards the vendor must maintain to secure it.

State Law

Where a group health plan is not involved, and HIPAA therefore does not apply, employers should still consider the implications of state law. A number of states have entered the privacy arena by passing their own privacy laws, and as part of these initiatives they are attempting to plug the gaps that HIPAA's limited scope leaves around health data. For example, California, Texas and Florida all regulate the use of health data for purposes of "profiling". Washington State went further and passed a privacy statute aimed directly at consumer health information (the My Health My Data Act).

However, almost all states' privacy laws, with the exception of California's, contain an exclusion for information collected in the scope of an employment relationship. While providing benefits (and collecting information) related to workforce wellbeing is clearly an employer interest, the scope of the exclusion in these state privacy laws has not been litigated. As a result, it is not clear whether workplace-adjacent activity, such as the provision of wellness apps, falls within the employee exception in any given state.

In practice, this means that even if HIPAA does not apply to an employer's provision of wellness apps or wearables, a state privacy law may. The employer may therefore need its own privacy compliance program covering the collection and use of the wellness data.

Ultimately, employers deploying wellness apps need to consider the privacy implications at both the federal and state level before roll-out. Otherwise, an employer may incur privacy law liability without fully understanding its risk.