The Affordable Care Act (ACA) provisions for employee wellness programs give employers the power to reward or penalize their employees based on whether they complete health screenings and participate in fitness programs. While wellness programs are often welcomed, they put most employees in a bind: give your employer access to extensive, private health data, or give up potentially thousands of dollars a year.

Sadly, the Equal Employment Opportunity Commission’s (EEOC) new regulations, which go into effect in January 2017, rubber-stamp the ACA’s wellness programs with insufficient privacy safeguards. Because of these misguided regulations, employers can still ask for private health information if it is part of a loosely defined wellness program with large incentives for employees.

As EFF’s Employee Experience Manager, I had hoped the EEOC’s final ruling would protect employees from having to give up their privacy in order to participate in wellness programs. Upon reading the new rules, I was shocked at how little the EEOC has limited the programs’ scope. Without strict rules around how massive amounts of health information can be bought from employees and used, this system is ripe for abuse.

Employers are already using wellness programs in disturbing ways:

The city of Houston requires municipal employees to tell an online wellness company about their disease history, drug use, blood pressure, and other delicate information or pay a $300 fine. The wellness company can give the data to “third party vendors acting on our behalf,” according to an authorization form. The information could be posted in areas “that are reviewable to the public.” It might also be “subject to re-disclosure” and “no longer protected by privacy law.”

Plastics maker Flambeau terminated an employee’s insurance coverage when he chose not to take his work-sponsored health assessment and biometric screening.

A CVS employee claimed she was fined $600 for not submitting to a wellness exam that asked whether she was sexually active.

The Wall Street Journal reported in February that “third party vendors who are hired to administer wellness programs at companies mine data about the prescription drugs workers use, how they shop and even whether they vote, to predict their individual health needs and recommend treatments.”

Castlight (a wellness firm contracted by Walmart) has a product that scans insurance claims to find women who have stopped filling their birth-control prescriptions or made fertility-related searches on their health app. They match this data with a woman’s age and calculate the likelihood of pregnancy. This individual would then receive targeted emails and in-app messages about prenatal care.

What's New in the EEOC Rules

The EEOC now provides guidance on the extent to which employers may offer incentives to employees to participate in wellness programs that ask them to answer disability-related questions or undergo medical examinations. The maximum allowable “incentive” or penalty an employer can offer is 30% of the total cost for self-only coverage of the plan in which the employee is enrolled. This can add up to thousands of dollars for an employee per year.

According to the new rule, employers may only receive information collected by a wellness program in aggregate form that does not disclose, and is not reasonably likely to disclose, the identity of specific individuals—except as necessary to administer the plan. This “as necessary to administer the plan” exception is alarming given that employers are permitted to base incentives and penalties on health outcomes and not just participation. Measuring outcomes typically involves gathering information on specific individuals over time.

The EEOC rejected a suggestion that would have allowed individuals to avoid disclosing medical information to employers if they could produce certification from a medical professional that they are under the care of a physician and that identified medical risks are under treatment. The EEOC’s stated reason was that this could undermine the effectiveness of wellness programs as a means of collecting data and was unnecessary.

Why This Matters

A statement by the American Association of Retired Persons (AARP) expressed the organization's deep disappointment with the workplace wellness program final rules:

“By financially coercing employees into surrendering their personal health information, these rules will weaken medical privacy and civil rights protections.”

The American Society of Human Genetics also issued a statement opposing the EEOC final ruling for weakening genetic privacy:

“The new EEOC rules mean that Americans could be forced to choose between access to affordable healthcare and keeping their health information private… Employers now have the green light to coerce employees into providing their health information and that of their spouse, which in turn reveals genetic information about their children.”

The ACA was touted as a campaign to put consumers back in charge of their health care. EEOC rules do anything but. Employees should have the right to refuse invasive health surveys without fear of being punished with higher healthcare costs. Incentivizing Americans to be proactive about our health is smart, but putting loads of unnecessary private information into employers’ hands is bad policy.