From Seyfarth Shaw LLP, by Diane Dygert:
- Employers are increasingly interested in providing wellness tools, such as apps and wearables, to enhance employee benefits. These tools, which cover various areas like mental health, physical fitness, and financial fitness, are relatively inexpensive and easily accessible.
- The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy and security of individually identifiable health information. However, this only applies to data created or maintained by a “covered entity”, usually healthcare providers or health plans. Many wellness apps are not developed by such entities, and therefore, their data may not be protected by HIPAA.
- If a wellness app is provided as part of an employer’s health plan, the underlying data collected may be considered HIPAA Protected Health Information (PHI). In such cases, the wellness vendor and the health plan must enter into a HIPAA-compliant business associate agreement outlining the permitted uses of the PHI and the security measures that protect it.
- State laws may also affect the privacy of health data collected through wellness apps. Several states are passing their own privacy laws to cover health data that falls outside HIPAA’s scope. However, most of these laws exclude information collected in the scope of an employment relationship, and the extent of these exclusions is not yet clear.
- Employers deploying wellness apps should consider the privacy implications at both the federal and state levels before implementation. Failure to do so could lead to privacy-law liability.