If your company hasn’t launched a wellness program, this might be the year.
As benefits enrollment for 2016 approaches, more employers than ever are expected to nudge workers toward plans that screen them for risks, monitor their activity and encourage them to take the right pills, food and exercise.
This involves a huge collection of health data outside the established medical system, not only by wellness vendors such as Redbrick, Audax and Vitality but also by companies offering gym services, smartphone apps and devices that track steps and heartbeats. Such partners pass worker results to the wellness providers.
Standards to keep such information confidential have developed more slowly than the industry. That raises risks it could be abused for workplace discrimination, credit screening or marketing, consumer advocates say.
Here’s what to ask about your company’s plan.
Q. What information will my employer see?
Many employers get only anonymous, group data. The vendor reports how many workers are overweight or have high blood pressure, for example.
But sometimes employers can see individual results, setting the stage for potential discrimination against those with disabilities or chronic illness. Or they can guess them. Discrimination based on disability and illness is illegal but hard to prove.
Workers should ask exactly what information will get back to their company and whether it will identify them.
Q. Is the program covered under the HIPAA privacy law?
The Health Insurance Portability and Accountability Act restricts sharing of certain medical information to doctors, health insurers and other authorized users. Asking whether a wellness plan is covered by HIPAA is a good, first attempt at judging confidentiality.
Workplace wellness programs offered separately from an employer’s group health insurance plan are not protected by HIPAA. Other privacy laws might apply. But often it’s often impossible for employees to tell without asking.
Even in HIPAA-covered programs, a few, designated managers at your workplace can see health reports including identities, although they’re supposed to keep them confidential.
Q. I don’t understand the privacy policy. Did I give up my HIPAA rightswhen I filled out my health assessment on the wellness site?
Use of a wellness portal often gives the vendor permission to share personal data with unidentified “third parties.” Those would be insurers, data-storage firms and other partners necessary to the program, vendors say. They’ll protect the information as well as anybody, they say.
But the open-ended nature of the permission gives consumer advocates the creeps. Read the privacy and terms-of-use disclosures. Ask questions if you’re uncomfortable.
Q. My employer says it sees only group results. Does that guarantee privacy?
At smaller firms it’s sometimes easy for managers to match worker identities with results from group reports. The same goes for large companies when wellness data is disclosed by team or division.
Ask how far the results will be broken down.
Q. How many other companies see my wellness data?
Workplace wellness often involves multiple firms gathering or sharing your information. The main wellness provider might work with labs, app publishers, fitness device makers, gyms, rewards fulfillment companies and others — each with its own confusing privacy policy.
Employees deserve a clear explanation of which companies get their data, what form it takes, how recipients will use it and how it is protected, privacy advocates say.
Q. What privacy policies do subcontractors and other third parties have to follow?
One privacy standard for wellness contractors, set by the National Committee for Quality Assurance, requires the primary wellness vendor as well as third-party partners to conform to HIPAA.
But that kind of policy is not universal. NCQA recognizes only a few dozen out of hundreds of wellness companies. And NCQA standards are voluntary and don’t confer consumer rights.
Q. Could somebody try to identify individuals in the group results shared by my wellness plan?
Wellness privacy policies often give vendors broad room to share data stripped of names, addresses and other identifying features. Such information is not protected under HIPAA.
Experts have shown that such results can be re-identified by combining them with public databases. As an extra protection, wellness vendor Limeade and wearable device maker Fitbit prohibit third-party partners from attempting to re-identify the information they share.
Houston workers who checked the fine print said they weren’t sure whether they were joining an employee wellness program or a marketing scheme.
Last fall the city of Houston required employees to tell an online wellness company about their disease history, drug and seat-belt use, blood pressure and other delicate information.
The company, hired to improve worker health and lower medical costs, could pass the data to “third party vendors acting on our behalf,” according to an authorization form. The information might be posted in areas “that are reviewable to the public.” It might also be “subject to re-disclosure” and “no longer protected by privacy law.”
Employees could refuse to give permission or opt not to take the screen, called a health risk assessment — but only if they paid an extra $300 a year for medical coverage.
“We don’t mind giving our information to our health care providers,” said Ray Hunt, president of the Houston Police Officers’ Union, which objected so strongly along with other employees that the city switched to a different program. “But we don’t want to give it to a vendor that has carte blanche to give that information to anybody they want to.”
Millions of people find themselves in the same position as that of the Houston cops. As more employers grasp wellness as the latest promised solution to soaring health costs, they’re pressuring workers to give unfamiliar companies detailed data about the most sensitive parts of their lives.
But whether or not that information stays private is anything but clear, an examination by Kaiser Health News shows.
In many workplace wellness programs, “it seems by taking the health risk assessment you are waiving your privacy rights,” said Jennifer Mathis, director of programs at the Bazelon Center for Mental Health Law.
At worst, shared information about sensitive conditions could support discrimination by employers, banks, life insurance companies and others. Wellness data is already escaping into what one expert calls “the great American marketing machine” that pitches products according to your diseases and lifestyles, privacy scholars say.
Wellness vendors charge employers a per-person fee to assess workers’ health and motivate them to exercise, eat well, see doctors and take pills. Companies push workers to participate with gift cards, insurance discounts and other rewards or penalties.
As employers flock to the wellness parade, corporate wellness vendors make up what research firm IBISWorld predicts will be a $12 billion industry by 2020 — six times its estimated size in 2011.
Privacy advocates see a void of regulation or even voluntary standards to ensure the information is used as intended. By all accounts the amount of worker wellness data being collected — through the Web, company surveys, wearable devices, gym records and lab tests — is exploding.
“The privacy issues are profound,” said Pam Dixon, executive director of the World Privacy Forum, an advocacy group. “If people are being asked to wear a biometric electronic device, or use a mobile app or work within a wellness program, that data can be used in ways that may be very, very surprising to people.”
Numerous wellness vendors say flatly that privacy is critical to their reputation and that they don’t share information on individual workers with employers, data brokers or marketing companies. But as the Houston employees found out, the fine print isn’t so plain or reassuring.
— Few workers know that wellness contractors are often unbound by the strict privacy law, known as the Health Insurance Portability and Accountability Act (HIPAA), that restricts doctors and hospitals.
— A review of privacy policies shows that many wellness vendors adopt policies allowing them to share identifiable data with unidentified “third parties” and “agents” working to improve employee health.
— The industry boom has drawn a widening network of fitness centers, websites, app publishers, wearable device makers and other affiliates working with wellness plans to collect employee health information — each with its own complicated privacy policy. That boosts chances data will be misused, privacy advocates say.
— Wellness companies and their contractors routinely share almost completely unregulated “de-identified” data showing group heath results with employers, researchers and others. Scientists have shown such information can be “re-identified” and used for marketing, potential credit screening and other purposes.
Wellness vendor Audax Health, whose work with Houston resulted in “an overwhelming number of employees who were uncomfortable with the privacy statement,” according to a city statement to employees, said it keeps information strictly confidential. Audax’s online portal for employees is called Zensey.
“We do not sell or resell personal health information to anyone,” including marketing companies and data brokers, David Sclar, Audax’s chief privacy officer, said through a spokesman. “We do not allow third parties to market to Zensey users.”
But Audax’s own fine print contradicts the second part of his statement, saying the vendor may direct marketing pitches from third parties to wellness members based on “attributes” it collects from those employees. Audax is majority-owned by insurer UnitedHealth Group.
Jeff Cohen, Welltok’s co-founder, expressed surprise at the statement.
“That goes against everything we represent — probably one of those where a lawyer told us to put it in there,” he said in an interview. “I’m going to go back and talk to our compliance person” about the language, he said.
Cohen said Welltok doesn’t “use and sell and share the data from our platform about users to third parties.”
But as of Sept. 25, the disclosure language was unchanged. And that’s what matters legally, privacy lawyers said.
Primary wellness vendors such as Audax and Welltok aren’t the only ones collecting employee health data. Wearable device makers, test labs, gym chains, data centers, workout-app publishers are also part of the gold rush.
As frequent partners of employers and wellness providers, each of those companies also gathers worker information of varying sensitivity — often with employers pushing workers to participate — in what amounts to a widening wellness data web.
The most advanced employee wellness programs can even “ping your cell phone when you’re at the gym” to record your visit through a geo-location app, said Erick Hathorn, a consultant to wellness companies and contractors. “Or they can ping it 30 minutes later to know you stayed.”
Lose It!, one of the most popular diet apps for smartphones, works with employee wellness plans to track your calories and weight via a wireless scale.
The app’s privacy policy assures users of Apple products that information on their weight and eating habits won’t be used for “advertising or other use-based data mining purposes” except for health research. Results for non-Apple users, on the other hand, might be given to “advertisers and potential business partners” with the identities removed.
That’s a lower level of protection, even without identification, lawyers said.
Nobody at Boston-based Lose It! was available to answer questions about corporate wellness and privacy, a spokeswoman said.
“What are the vendors doing with the data they collect? They aren’t telling us,” said Ifeoma Ajunwa, who teaches health law at the University of the District of Columbia. “Are they selling it? I would be surprised if they’re not selling it, because it’s valuable.”
Two years ago Under Armour bought MapMyFitness, another app promoted for use in corporate-wellness programs, and turned it into an ad vehicle for its athletic apparel.
The app records workout routes, times and speeds and shares data with wellness vendors and Under Armour itself, according to a disclosure statement. Users see ads for Under Armour gear and other products on their smartphones and computers.
Data from MapMyFitness and other apps bought by Under Armour “is going to be extraordinary,” company CEO Kevin Plank told industry analysts this year. “This will help us sell more shirts and shoes,” he has repeatedly said.
An Under Armour spokeswoman referred a reporter asking about data policies and wellness programs to MapMyFitness’ privacy statement.
More than 13 million Fitbits and other wearable health devices will be used in corporate wellness plans by 2018, ABI Research has projected. Data gathered by the Fitbit can include height, weight, heart rates and sleeping and exercise patterns.
“Now Fitbit has that information and the wellness program has it,” said Robert Gellman, a privacy consultant and former congressional staffer. “I don’t know of any best practices from wellness industry [to handle the data]. It’s the Wild West.”
Fitbit did not respond to several requests to discuss privacy. The company won’t “sell any data that could identify you” and shares information only when necessary to provide the service, when the data are anonymous or with user permission, its written policy says.
Employer wellness programs even follow you to the supermarket.
A firm called NutriSavings assigns health grades to thousands of food products and lets grocers record member shopping. Stores report scores — but not specific purchases — to the wellness vendor, says NutriSavings. Members get rewards from their employer based on what they buy.
Wellness information isn’t just valuable for selling stuff. Privacy advocates especially worry that the results might be shared with data brokers who crunch information and sell it to banks and other financial firms.
“That’s where the data then moves into other parts of the economy — lending decisions, credit decisions, mortgage decisions,” said Scott Peppet, a law professor and privacy specialist at the University of Colorado. “Once these data are in the hands of a data broker, they can be blended into any kind of formula.”
Credit-card companies could raise rates for employees that wellness programs reveal to be couch potatoes, inferring that they are more likely to default. Life insurers could deny coverage or raise prices based on unhealthy wellness results. Insurer John Hancock has already started offering discounts to life insurance customers who agree to wear a Fitbit, share data and attain certain scores.
No one knows whether data brokers are getting workplace wellness information. But despite what many employees believe, not all wellness information is protected by HIPAA, which authorizes only doctors, insurance plans and others close to a patients’ care to see their medical data.
“People assume all their health information is covered by HIPAA and that’s just not true,” Gellman said. “Wellness programs are on the border. Some are and some aren’t. How can a mere mortal tell? A lot of information can escape into the great American marketing machine, which is desperate to get information on a person’s health.”
Wellness vendors are supposed to obey HIPAA restrictions if they’re part of an employer’s insurance plan. But it’s far from clear what that means.
The National Committee for Quality Assurance, a respected health care certification group, asks workplace wellness groups it accredits to observe HIPAA rules and require the same from third parties they work with.
But NCQA recognizes only about 30 wellness vendors out of hundreds. Even a “HIPAA-compliant” program could induce workers to waive their rights without knowing it, consumer advocates said.
Nor does HIPAA protect the de-identified health information that wellness providers routinely share with employers and other, unidentified outside parties, according to their privacy policies. De-identified data might include blood pressure, cholesterol, drug use and disease history.
Researchers have shown that such information can be linked to the subject by combining it with voter lists, credit-card records and other databases. Harvard investigators used birthdays and zip codes in a de-identified genetics survey two years ago to figure out who more than a fifth of the participants were.
Until recently, Audax’s policy stated that the company could use de-identified employee data “for any business purpose.” It removed that language after KHN inquired about privacy.
Fitbit and Limeade, a wellness provider in Bellevue, Wash., forbid third parties using their anonymized data from trying to re-identify the users.
“We haven’t really stepped into regulating this or decided if to regulate this,” said Peppet, who favors employer wellness efforts despite his concerns about confidentiality. “I’m expecting over the next couple of years we’ll probably see some problems.”
Computer-aided detection appears not to improve diagnostic accuracy for breast cancer screening, according to a large study, though the use of the technology does increase cost.
In other Medicare news, the HHS inspector general investigates mystery ambulance rides, doctors get ready for ICD-10 and lawmakers worry about the doctor supply.
Elsewhere, a Cleveland Clinic lab -- at Marymount Hospital -- gets an overhaul after problems, women's health is targeted in new Minnesota medical facilities and trauma workers' spend time reflecting after a death at one Virginia hospital.
Sixty percent of the experimental partnerships between doctors and hospitals to coordinate care did not save Medicare money in 2014, the Arizona Republic reports. Meanwhile, The Wall Street Journal has an interview with the new chief executive of the Geisinger Health System.
The switch to the new ICD-10 system will mean more than 70,000 classification descriptions that doctors must choose from in order to get paid. In other medical practice news, The Wall Street Journal looks at how doctors may approach end-of-life conversations, and a researcher looks at stopping medical diagnostic errors.
Among the losses are drugmakers' stocks, after Democratic presidential hopeful Hillary Clinton proposed reining in drug prices. In the meantime, a unit of Johnson & Johnson accuses a company that finances hip surgeries of price gouging.
Meanwhile, news outlet report on the challenge of reaching the remaining 33 million uninsured, Rep. Elijah Cummings' speech on universal health care, Alaska lawmakers' meeting to reconsider their Medicaid-expansion lawsuit and the expected premium announcements in Minnesota.
Health care stories are reported from Connecticut, California, Florida, Wisconsin, New Jersey, Alabama, District of Columbia, Kansas, Iowa, Nevada, North Carolina, Michigan and Texas.
The agency also wrote in a letter Thursday that a health-care startup’s cancer detection kit, which would be sold directly to healthy individuals, is high-risk and could harm public health.
A security breach of the insurance company's computer system may have compromised the personal information of 11 million customers. Some of them are suing, citing attempts at identify theft. In other Health IT news, a Walgreens database outage delayed prescriptions at thousands of pharmacies.
With pharmaceutical companies receiving a lot of attention over the skyrocketing costs of drugs, Novartis CEO Joseph Jimenez talks to The Washington Post. And after Turing's controversial price hike for an HIV drug made waves this week, NBC News reports on other similar cases in the industry.
Other prominent doctors groups, including the American Medical Association and the American Academy of Family Physicians, have expressed concern about the proposed mergers' impact on patients.
The flaws uncovered by auditors are now fixed but included critical issues of security policy, such as not encrypting user sessions. Millions of insurance customers' data is stored on the $110-million system known as MIDAS. In other health law news, a new study shows that Americans' top concern when shopping for health coverage is the monthly premium they will pay.
The Centers for Medicare and Medicaid Services have contingency plans in place for managing the transition to ICD-10. In other medical practice news, physician groups oppose draft language aimed at curbing "surprise" billing. And telemedicine usage is on the rise.
While the Republicans running for president are united in their desire to repeal the federal health law, Democrat Hillary Rodham Clinton is fashioning her own health care agenda to tackle out-of-pocket costs – but industry experts question whether her proposals would solve the problem.
“When Americans get sick, high costs shouldn’t prevent them from getting better,” said Clinton in a statement provided by the campaign. “My plan would take a number of steps to ease the burden of medical expenses and protect health care consumers.”
The drug plan would, among other things, cap payments for covered prescriptions at $250 per month and let the government negotiate prices for the Medicare program. The overall health spending plan would let people see a doctor at least three times a year without having to first satisfy their deductible and create a new tax credit for those whose out-of-pocket spending is more than 5 percent of their annual income.
But while surveys show that health costs, and particularly drug costs, are a top concern for many voters, it’s not at all clear that Clinton’s proposals – some of which have been mentioned for decades – would provide an actual cure.
“There’s no magic bullet here except getting health costs down,” said Len Nichols, a health economist at George Mason University and a longtime backer of the federal health law.
The fundamental problem, says Nichols, was built into the health law itself. By requiring many new benefits, such as maternity care and coverage for mental health and substance abuse, insurers were left with few choices when trying to keep premiums from spiraling. Many insurers narrowed their provider networks and collected more from customers who use the system most.
“The degree to which these out-of-pocket realities hit those with chronic conditions harder, it means we’re not accomplishing the social objective of sharing the risk,” said Nichols.
But setting specific limits for those who are sick will simply drive up premiums for everyone, says the insurance industry. “When you look at mandating additional benefits, that has a huge impact on the cost of coverage,” said Clare Krusing, a spokeswoman for America’s Health Insurance Plans (AHIP), the industry trade group.
And even if that was a tradeoff the public – and policymakers – decide they are willing to make, there is a phalanx of lobbyists in Washington bent on making sure many of these changes never happen.
For example, John Castellani, head of the Pharmaceutical Research and Manufacturers of America, said Clinton’s drug proposal “would restrict patients’ access to medicines, result in fewer new treatments for patients, cost countless jobs across the country and could end our nation’s standing as the world leader in biomedical innovation.”
Meanwhile, Clinton’s proposed limit on advertising to consumers for prescription drugs has drawn the ire of the advertising industry. The Association of National Advertisers in a statement called the proposal “wrong and misguided.”
Even the insurance industry, which has been relentlessly campaigning against high drug prices, has come out against Clinton’s plan. Marilyn Tavenner, AHIP president and CEO, said in a statement that “proposals that would impose arbitrary caps on insurance coverage or force government negotiation on prescription drug prices will only add to the cost pressures facing individuals and families across the country.”
Republicans, meanwhile, have yet to settle on how they would replace the Affordable Care Act, concedes Chris Jacobs, a senior editor for the Conservative Review.
“Republicans need to have a better and more substantive alternative than health savings accounts, liability reform, and cross-state purchasing,” he said, referring to ways people can save tax-free for their own health bills, medical malpractice reform and allowing individuals to purchase insurance from states other than their own. All are Republican ideas dating back several campaigns.
But when it comes to cost, Republicans have a major case against the authors of the health law, Jacobs says.
“They were never honest with the American people about how much this was really going to cost and the tradeoffs needed to pass it,” he said. He likened President Barack Obama, when he was lobbying for the bill, to Oprah Winfrey on her television show’s famous give-away episode – “YOU get a car, and YOU get a car,” he said. Basically the backers were offering everything to everyone at the same time many of the costs were either hidden or pushed off to the future, he said.
Nichols agrees, at least to a point. “The (health) law did answer all questions, but now we’re ready to revisit because we didn’t like all the answers.”
Health care stories are reported from North Carolina, Pennsylvania, California, Missouri, Maryland, Florida, Alabama, Ohio, Texas, Massachusetts and New Jersey.
Losses for this sector picked up this week after Democratic presidential hopeful Hillary Clinton said there might be "price gouging" happening in this part of the market.
The decision by a pharmaceutical company to raise the price of the 62-year-old drug 5,000 percent raised the ire of consumers and politicians alike. But health care advocates and industry experts have been wary of the growing prices for some time. Also, several outlets look at the man who decided to raise the price of Daraprim and set off the latest controversy.
The far-reaching state legislation that seeks to change how North Carolina pays for Medicaid patient treatment is the result of a compromise that was years in the making.
A new report by a blue-ribbon Institute of Medicine panel estimated that U.S. patients annually deal with about 12 million diagnostic errors -- some of which are lethal.
CNN Money also profiles Martin Shkreli, the controversial Turing Pharmaceuticals chief executive who has gained notoriety through his company's pricing move and subsequent defense on social media.
Democratic presidential candidate Hillary Clinton's proposal would also allow Medicare to negotiate lower drug costs and increase federal scrutiny of pharmaceutical company pricing.
The executives defended their planned mergers before a Senate subcommittee Tuesday, saying consumers would benefit from the consolidation. But some senators expressed doubts. If Aetna acquires Humana and Anthem buys Cigna, as proposed, the top five U.S. health insurers would shrink to a big three.
Almost every American will experience a medical diagnostic error, but the problem has taken a back seat to other patient safety concerns, an influential panel said in a report out today calling for widespread changes.
Diagnostic errors — defined as inaccurate or delayed diagnoses — account for an estimated 10 percent of patient deaths, hundreds of thousands of adverse events in hospitals each year and are a leading cause of paid medical malpractice claims, a blue ribbon panel of the Institute of Medicine (IOM) said in its report.
Such errors can occur with very rare conditions, such as the Liberian man with undetected Ebola who was sent home from a Dallas hospital last September; or more common problems, such as acid reflux being mistaken for a heart attack or a pathology report showing cancer that is never communicated to a patient.
Still, reducing the number won’t be easy, in part because there is no standard, required way to track such errors. Reversing current trends, the report concludes, will require better medical teamwork, training and computer systems.
“Some people go to their graves with a diagnostic error that is never detected,” said Robert Berenson, a research fellow at the Urban Institute in Washington, D.C., and one of the committee members who wrote the report. “It’s much more difficult to measure than a medication error.”
The report, called “Improving Diagnosis in Health Care,” is the latest in a series launched 15 years ago with “To Err is Human: Building a Safer Health System,” which fueled the patient-safety movement with its estimate that as many as 98,000 patients die each year because of medical errors. The IOM is part of the private, nonprofit National Academies of Sciences, Engineering and Medicine.
Tuesday’s report has a role for just about everyone in the health system, from computer programmers to clinicians to patients. It recommends better teamwork among health care providers, patients and families. Citing the dearth of data about diagnostic errors, the report calls for voluntary efforts to report such problems. Dedicated funding is needed for research, the report says, and hospitals and doctors need to develop better ways to identify, reduce and learn from “near misses.”
Ironically, the report notes that computerized health records, which can help track and coordinate care, can also become a barrier to efficient and correct diagnoses.
The systems, it says, often aren’t compatible from one physician’s office to another or among hospitals, “auto-fill” functions sometimes result in the wrong information being entered, and the sheer volume of inputs and alerts can overwhelm medical staff.
It cites a study of emergency department staff that found clinicians spent more time inputting information into computers than taking care of patients. Another study found that while electronic health record systems provide alerts in response to abnormal diagnostic test results, 70 percent of medical staff surveyed said they receive more alerts than they could manage.
Making the systems more efficient and allowing patients more timely access to their own medical records to check for and correct errors “could be a game changer,” said Berenson.
Indeed, patients “are going to be critical to the solution,” said Michael Cohen, another report author and a professor of pathology at the University of Utah School of Medicine. “There’s a real opportunity for patients to advocate for themselves and at the same time to challenge the health care providers about the diagnosis being made.”
Helen Haskell, who formed Mothers Against Medical Error after her 15-year-old son died as the result of a medical error, said she was pleased the report focused on better teamwork and communication. She also said patients need better access to their records – particularly hospital records — and said consumers should always ask questions.
“What else can it be? Does this diagnosis match all my symptoms?,” are two of the best questions to ask, said Haskell. “If there is any question, people should get a second opinion.”
Health care stories are reported from Iowa, Florida, Georgia, California, Missouri, Oregon, Kansas, Utah, North Carolina, Massachusetts, Pennsylvania and Illinois.
But, a pharmaceutical CEO at another company is defending why he bought the rights to an AIDS drug and then upped the price from $13.50 to $750 overnight. Also, the makers of Tylenol push to fend off tough new restrictions on acetaminophen.
The merger trend among insurers, hospitals and medical practices have raised concerns that consumers will face fewer choices and higher costs when shopping for coverage and care. In related industry news, a court considers reviving a lawsuit filed by the American Psychiatric Association against Anthem, and DaVita acquires 20 new clinics.
State officials set up the $2 million fund in July to help hospitals treating uninsured patients after the state opted not to accept the health law's Medicaid expansion. Also, in Virginia, hospitals are concerned about the legislature's refusal to expand Medicaid.