Privacy and health monitoring: What you need to knowby Elizabeth Dunbar, Minnesota Public Radio
ST. PAUL, Minn. — A growing number of Minnesota companies are banking on the idea that a healthier workforce will reduce their costs. They are offering health insurance premium discounts to employees for participating in programs that monitor their health. That could include blood pressure and cholesterol screenings, fitness challenges, weight-loss programs and extra help in managing diseases like diabetes. But some employees have raised concerns about the privacy of their health data.
Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology in Washington, spoke to MPR's Elizabeth Dunbar about the implications of the health monitoring programs.
What laws protect employees' health information in the workplace?
One law is the Health Insurance Portability and Accountability Act (HIPPA), which was enacted by Congress in 1996 and protects the privacy of health information when it is collected, used and shared by health care providers — doctors and hospitals, health plans and entities that work on their behalf. Now that's not employers. They're not necessarily directly covered by HIPAA, but most employers, when they deal with their employees with respect to health information, those communications take place with the health plan.
But when employers collect health data directly, it's going to be covered by the Americans with Disabilities Act. That prohibits discrimination in employment based on disability and it covers individuals who actually have a disability. So it's not really all health data, but if you are a person who has a disability, the data that's about that disability is protected to some extent. But beyond that, there aren't really that many protections for health data collected by your employer.
For employees who participate in a health risk assessment or a biometric screening, what happens with that information? Are there privacy concerns?
Clearly there are privacy concerns that are raised when health data is being collected by anyone. And in the context of employment, where you're being asked or encouraged and being provided with some sort of incentive to fill out a health survey, in some cases that data may be actually going to and being directly collected, by your employer.
If an employee is considering participating in a health risk assessment or other activity that involves their personal health information, how do they find out what's being done with the data?
Ask who is administering the survey. Is it staff within the employer? Or is it their health benefit plan? When they're asked to follow up with phone calls, are those people from the health plan, versus people from within the employer? I would also ask, quite frankly, for a set of policies on what they're going to do with the data. Because if the employer actually makes commitments to the employee with respect to the data, it at least helps to know how the data is going to be used.
All that said, most employers use this data not because they're trying to get rid of employees with costly health conditions, but more because they want these employees to get better. If they get better, they'll be more effective for longer, and it will reduce your health care costs.
So that actually means it's in their best interests to make strong commitments to their employees not to use the data for any purpose that involves their employment. Because why would you, as an employee, be truthful on a survey or take one to begin with if you had any doubts at all about how they would use the data. But that depends on people fully understanding that there aren't, in fact, any protections for this data in the law.
How do employers strike the right balance between protecting their employees' privacy while also collecting information that will help the employer save on health care costs?
Getting an aggregate sense that doesn't identify an individual patient but gives you overall trend data about which interventions are working will help you invest in the types of interventions that can help your employees live more healthy lives. That's good for them, and that's good for you, too.
Any sense of how successful they are?
These health risk assessment tools, the literature on how well they work is a little all over the map. So in many respects, this is a little bit of experimentation. If you can figure out the tools that work and the data that comes from these programs at least in the aggregate, you'll be better off in the long run. So allowing employers to access this data on an aggregate level in a way that doesn't identify their individual employees should be enough to help them manage the program. When they start to get it on an individual basis, I think that's just an invitation for inappropriate behavior, both in terms of overly pressuring an employee, or using it to make employment-related decisions.
• Follow Elizabeth Dunbar on Twitter: http://www.twitter.com/edunbarmpr