How workplace wellness programs can expose employee health data

According to the Workplace Wellness Programs Study, approximately half of US employers with 50 or more employees now offer wellness programs, and 80% of those screen employees for health risks, including clinical biometric data such as blood pressure and blood glucose levels. A 2024 survey by the Society for Human Resource Management (SHRM) found that 88% of employers rate health-related benefits as very important. A Washington Post investigation found that around 20% of employers who offer health insurance were already collecting data from employees' wearable devices.

Together, these data points build a detailed record of a person's health, one that can reveal chronic conditions, substance use, reproductive health status, mental illness, and more. What makes wearable data especially sensitive, as the Washington Post reported, is that real-time fitness information is routinely combined with records of past doctor visits and hospitalizations to build health snapshots of individual employees.

 

Who holds the data?

Most workplace wellness programs are not run by employers directly. They are delivered through third-party vendors such as specialized apps, health tech companies, and benefits platforms that operate under their own privacy policies, not the employer's.

These vendors frequently retain the right to use aggregated or de-identified data for product development, research, and in some cases, sale to data brokers. The Washington Post reported that fitness data from wearable devices flows not just to the device manufacturer, but potentially to the health insurer, the employer, and a wellness plan administrator. Fitbit's own privacy policy, as noted in that report, states that the company shares user information with corporate affiliates, service providers, and unspecified "other partners." As Sanket Shah, a senior director at Blue Health Intelligence, told the Washington Post, major tech companies are "taking all these troves of data, and starting to provide a holistic view of population health and individual health", data he described as handle-with-care sensitive.

In many jurisdictions, health data collected through employer wellness programs does not fall under the same legal protections as data collected in a clinical setting. In the United States, the Health Insurance Portability and Accountability Act (HIPAA) governs data held by healthcare providers and insurers, but wellness apps and fitness platforms often do not qualify as "covered entities" under HIPAA. As Anna Mizzi argues in Profiting on Your Pulse: Modernizing HIPAA to Regulate Companies' Use of Patient-Consumer Health Information, the law as currently interpreted regulates the channels through which health data flows, not the data itself.

Mizzi further notes that companies in this space routinely pass user data to third-party aggregators and consumer-facing platforms, often without the user's knowledge. A study of 24 top health mobile apps found that 19 shared user data with major tech companies despite having no direct connection to them, and that users could be identified through metadata alone.

 

Where regulation falls short

An article by Rachel Zheliabovskii published by the Society for Human Resource Management (SHRM) makes clear that even well-intentioned employers can find themselves in violation of multiple overlapping laws without realizing it. Three pieces of legislation are relevant:

  • The Employee Retirement Income Security Act (ERISA) applies whenever a wellness program provides medical care, and the definition of medical care under ERISA is broad. A program featuring a trained health coach offering individualized guidance, for example, may cross into medical care regardless of whether the employer intended it to.
  • HIPAA's wellness program rules are triggered when an employer ties an incentive to an employee's health status. Nicotine addiction is classified as a health status, which means smoking-cessation incentive programs fall squarely under HIPAA's nondiscrimination provisions. The SHRM article notes that more than 30 employers have been sued in 2024 alone, with plaintiffs arguing that requiring employees to actually quit smoking as a condition of receiving a reward treats those with nicotine addiction differently from healthier colleagues.
  • The Americans with Disabilities Act (ADA) is engaged when a program asks disability-related questions or conducts medical examinations. Severe obesity, for instance, is considered a disability under the ADA, meaning a program that collects weight, height, and related health metrics may generate enough information to infer a disability, triggering ADA confidentiality and anti-discrimination requirements.

Each law could cover a different part of the wellness program, and coverage depends on program design, the specific data collected, and the incentive structure used. As Zheliabovskii notes in her SHRM piece, employers may not realize that certain programs "could cross the line and trigger" medical privacy and anti-discrimination laws.

Joe Jerome, a policy lawyer at the Center for Democracy and Technology, stated in the Washington Post, "There's gaps everywhere." Many employees, he noted, mistakenly believe that all health data they share is automatically protected under HIPAA, not realizing that when data is voluntarily handed to a fitness platform or wellness app, those HIPAA protections do not apply.

 

The coercion problem

Many employers offer financial incentives for participation, such as reduced insurance premiums, cash bonuses, or points redeemable for rewards. The Workplace Wellness Programs Study found that more than two-thirds of employers (69%) with wellness programs use financial incentives to encourage uptake. For smoking-related targets alone, the average incentive for quitting was $682, more than triple the average reward for simply participating in a program. Mizzi points out that wellness program incentives can run into the thousands of dollars, and that even regulatory bodies like the EEOC have struggled to draw a clear line on what constitutes coercion.

Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, warned in the Washington Post that the growing reach of employer health surveillance creates real risks beyond wellness: "It's quite possible there will be effects on whether you are retained, promoted, demoted — who is first to be laid off." The more employers know about employees' lives outside working hours, he argued, the greater their potential influence over those employees' professional futures.

 

Aggregated data and employer insight

Even when individual employee data is protected from employer access, aggregated reporting creates its own risks. Wellness vendors normally provide employers with population-level dashboards that include participation rates, common health risks, and program engagement metrics. In a small team or department, aggregate data can effectively identify individuals: a row reporting one employee flagged for a condition in a department of three is not anonymous, and a figure the vendor withholds for a small department can often be recovered simply by subtracting the rows it does publish from a company-wide total.
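As an added illustration, and not code from the original article or from any vendor it mentions, the following Python script simulates a department-level dashboard over a constructed, hypothetical roster (the departments, headcounts and the "flagged for elevated blood pressure" values are all made up). It shows three things: a raw per-department count exposes the single member of a one-person department; hiding only that row does not help when the company-wide total is still printed, because subtraction recovers it; and a small-cell suppression rule, with an assumed minimum group size of 5, pools the leaking departments and withholds the total whenever the pool would itself leak.

```python
from collections import Counter

# Constructed, hypothetical roster standing in for the per-person records a
# wellness vendor holds. The employer is only meant to see department-level
# figures. Each entry is (department, flagged for elevated blood pressure).
EMPLOYEES = [
    ("Engineering", True), ("Engineering", False), ("Engineering", False),
    ("Engineering", True), ("Engineering", False), ("Engineering", False),
    ("Sales", False), ("Sales", True), ("Sales", False),
    ("Sales", False), ("Sales", False),
    ("Legal", True),                        # a department of one
    ("Finance", False), ("Finance", True),  # a department of two
]

MIN_CELL = 5  # smallest group a published cell may describe (assumed policy value)


def raw_dashboard(records):
    """The naive vendor report: headcount and flagged count per department."""
    size = Counter(dept for dept, _ in records)
    flagged = Counter(dept for dept, flag in records if flag)
    return {dept: {"n": size[dept], "flagged": flagged[dept]} for dept in size}


def company_total(records):
    """Company-wide headcount and flagged count."""
    return {"n": len(records), "flagged": sum(1 for _, flag in records if flag)}


def discloses_individuals(cell, k=MIN_CELL):
    """A cell leaks individual status when the group is smaller than k, or when
    the attribute is homogeneous (nobody or everybody flagged), because each
    member's value can then be read straight off the count."""
    n, f = cell["n"], cell["flagged"]
    return n < k or f == 0 or f == n


def differencing_attack(total, published):
    """What an employer recovers when a dashboard hides a row but still prints
    the company-wide total: subtract the rows it does show."""
    return {
        "n": total["n"] - sum(c["n"] for c in published.values()),
        "flagged": total["flagged"] - sum(c["flagged"] for c in published.values()),
    }


def safe_dashboard(records, k=MIN_CELL):
    """Small-cell suppression with a differencing guard: leaking departments are
    pooled into one 'other' row, and that row and the company total are published
    only if the pool is itself large enough not to leak. Otherwise the total is
    withheld too, since total minus published rows would reconstruct the pool."""
    raw = raw_dashboard(records)
    published = {d: c for d, c in raw.items() if not discloses_individuals(c, k)}
    hidden = sorted(d for d in raw if d not in published)
    pooled = {
        "n": sum(raw[d]["n"] for d in hidden),
        "flagged": sum(raw[d]["flagged"] for d in hidden),
    }
    result = {"departments": published, "suppressed": hidden}
    if not hidden:
        result["total"] = company_total(records)
    elif not discloses_individuals(pooled, k):
        result["other"] = pooled
        result["total"] = company_total(records)
    return result


if __name__ == "__main__":
    raw = raw_dashboard(EMPLOYEES)
    print("raw dashboard:", raw)  # Legal: n=1, flagged=1, so one person is exposed
    naive = {d: c for d, c in raw.items() if d != "Legal"}  # hide only the obvious row
    print("recovered by subtraction:",
          differencing_attack(company_total(EMPLOYEES), naive))
    print("safe dashboard:", safe_dashboard(EMPLOYEES))
```

The threshold of 5 and the homogeneity rule are the two checks a reviewer of a vendor's dashboard contract would ask about; the pooling step matters because suppressing a row without also controlling the totals it contributes to is the most common way such reports leak in practice.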

There is also the question of what employers do with the insight. This information can influence hiring decisions, benefits design, and even organizational restructuring. Mizzi notes that because HIPAA does not currently cover the third-party apps and platforms used in these programs, employers and aggregators can obtain health data through these channels in ways that sidestep the protections the law was designed to provide.

The Washington Post's reporting shows what this employer oversight can look like in practice. At one Texas plastics company, the owner described personally monitoring individual employees' daily step counts through a UnitedHealth app on his phone and calling employees directly to comment on their activity levels, including one worker who was just weeks out from a heart attack and bypass surgery. The employer framed this as motivational, but it shows that even a program designed with good intentions can enable the kind of health surveillance most employees would not anticipate when signing up for a fitness tracker.

Furthermore, the Workplace Wellness Programs Study found that while employers believe these programs reduce medical costs and absenteeism, only about half had formally evaluated their impact, and only 2% reported actual savings estimates. The study's own statistical analysis estimated a modest average annual cost difference of just $157 per participant.

 

FAQs

Do wellness programs in other countries have stronger privacy protections than in the US?

Yes. Jurisdictions such as the EU, under the GDPR, treat health data as a special category that requires explicit consent (or another narrowly defined legal basis) and stricter handling.

 

Are mental health apps provided through work any different from general consumer mental health apps when it comes to privacy?

Not necessarily. The same regulatory gaps that apply to fitness trackers often apply to employer-provided mental health platforms.

 

Can I ask a wellness vendor to delete my data after I leave a job?

This depends on the vendor's data retention policy and on the jurisdiction; check the vendor's own privacy policy, since it, not the employer's, governs what happens to the data.
