Wow, our group health plan premiums are crushing us. Wait a minute—what if we ramped up our company’s wellness program, using cool technology to help get our workforce in shape? Let’s get all our employees to use those wearable fitness tracker gizmos! We can fold those into our BYOD program, offer a device subsidy, and then have our employees report their stats and progress in some kind of fitness competition, with cool stuff as motivating rewards. Premium costs down, flab down, fitness up, profits up… what could possibly go wrong?
Plenty will go wrong, unless the company takes a breather and checks the pulse of information-related risks and compliance issues. So, let’s run a quick information governance circuit drill.
What information is involved, owned by whom, and in whose custody?
- Wearable fitness trackers have exploded into the marketplace. FitBit, Jawbone, Nike+ FuelBand, and other trackers collect reams of data, including a person’s heart rate, calories burned, activity levels, and distances traveled.
- Fitness tracker data obtained by the company (either through employer ownership of the devices or through employee reporting of personal data) will be information in the employer’s control or custody. And depending on how access to the data is handled within the company, the information could also be deemed to be in the control or custody of the company’s self-funded health plan.
- If the devices are employee-owned but governed by the company’s BYOD policy (rather than a tailored, stand-alone policy), the terms of the BYOD policy will apply to the data. Fitness tracker data (personal fitness information) is fundamentally different from the device data contemplated when the BYOD policy was originally crafted for smartphone use (company business communications and the like), so unintended consequences may result. Company policies should clearly address ownership, custody, and access rights for the fitness information involved.
What employment requirements and risks are involved?
- Fitness trackers can house information that is protected under the Genetic Information Nondiscrimination Act (GINA). Some fitness trackers ask users to submit health-related information, and employees could provide responses revealing genetic information. GINA prohibits employers from considering genetic information in making employment decisions. Under GINA, “genetic information” is broadly defined to include an employee’s family medical history and genetic tests.
- Use of fitness trackers can also capture information about disabilities or perceived disabilities that entitle an employee to protection under the Americans with Disabilities Act (ADA). The ADA prohibits an employer from conducting a medical exam or asking disability-related questions of current employees unless the employer can establish the exam or inquiry is job-related and consistent with business necessity. Employers are prohibited from asking questions that are “likely to elicit information about a disability.” The Equal Employment Opportunity Commission (EEOC) broadly construes a “medical examination” to include a “procedure or test that seeks information about an individual’s physical or mental impairments or health.”
- The ADA does include a wellness program exception that allows employers to conduct “voluntary” medical examinations that are part of a wellness program. To qualify as a “voluntary” wellness program, employers cannot require participation in the program or penalize employees for non-participation, including the refusal of health coverage. The EEOC has proposed federal regulations and pursued enforcement actions and lawsuits against employers for imposing financial penalties on employees who chose not to participate in a wellness program. Employers should be careful to abide by both the non-discrimination and accommodation requirements under the ADA.
- Employment law considerations for including fitness trackers or other wearables in a wellness program include:
  - Do not collect health-related information not essential to the objective of the wellness program;
  - Maintain any health-related information collected from participation in the wellness program separate from the employee’s personnel file;
  - Do not allow supervisors or decision-makers access to employees’ health-related information;
  - Review policies and procedures to ensure only individuals with a need to know have access to an employee’s health-related information;
  - Do not consider health-related information in making employment decisions;
  - Distribute a notice that clearly states participation in the wellness program is purely voluntary and provide information on the use and collection of the employee’s data from the program; and
  - Do not disclose health-related information to third parties, unless allowed by applicable law.
What privacy requirements and risks are involved?
- The information is personal fitness data, not business data, so there’s likely a heightened expectation of privacy by employees. If any fitness information will be received by the company through employee reporting, then company policies should clearly set forth the rules for access to and use of the fitness information.
- If the fitness trackers are owned by the company, then it follows that the company may also own the data residing in the trackers. This scenario raises all sorts of issues, but on the privacy front, it is imperative for company policies at the outset to clearly advise employees of the data ownership and of the rules for access to and use of the information.
- If location data is involved, several states require notice and consent by employees for electronic tracking or monitoring by employers.
What data security requirements and risks are involved?
- HIPAA data security requirements apply to electronic Protected Health Information (ePHI) of HIPAA-covered entities, which in the workplace setting include a self-funded group health plan. If the employer’s self-funded health plan has custody of employee fitness data in electronic format, the data could constitute ePHI, which is subject to the HIPAA Security Rule. And regardless of data medium, the self-funded group health plan must comply with the HIPAA/HITECH rules for PHI breach notifications.
- Several states’ breach notification statutes include individual health information, which, when combined with individuals’ names, falls within the definition of Protected Information subject to breach notification requirements.
What records and information management requirements and risks are involved?
- If the company has custody of fitness tracker information, it should be retained pursuant to the company’s Records Retention Schedule and be kept no longer than needed for business purposes.
- Location of and access to the information should be controlled consistent with the employment law, privacy, and security considerations mentioned above.
- There should be clarity regarding who is responsible for the information during its lifecycle, and the information must be securely and effectively disposed of when its retention period expires, subject to any applicable legal hold.
What litigation preservation and discovery repercussions and risks are involved?
- Information stored on wearable technology can be relevant to a party’s claims or defenses in litigation, and thus discoverable. For example:
  - Wearable fitness devices can monitor and track an employee’s activity and location. Some fitness trackers have GPS capabilities to identify where an employee was located at a specific time. This information could be relevant in wage and hour disputes to establish whether an employee was at the workplace during working hours. An employee’s location could also be relevant in litigation involving the employer’s vicarious liability for an employee’s actions, such as whether at the time of an incident the employee was on a “frolic” or merely a “detour” from business activities.
  - Employees’ physical activity levels may also be relevant to determine whether an employee was in fact not engaged in any physical activity at the time of an alleged workplace injury, or conversely, relevant to the extent of an employee’s continuing physical limitations due to an earlier alleged workplace injury.
- Accordingly, legal hold processes should account for how relevant data in wearable fitness devices will be obtained and preserved for litigation.
- Company policies should address data ownership and privacy expectations in a way that dovetails with how such data will be obtained and preserved for litigation.
This is a quick exercise of the IG perspective, but as you can see, it surfaced a variety of issues, requirements, and risks. Fitness is a great thing, but the value of incorporating wearable fitness trackers in your company’s wellness program must be balanced against information compliance, cost, and risk. The IG perspective helps your company make an informed decision on how such issues will be handled, before the company feels the burn.