With the start of 2018, workers across the United States are revitalizing efforts to lead healthier lives. For some, that means diving into employer-sponsored wellness programs, many of which utilize apps. But there's still serious, growing concern that workplace wellness apps could violate privacy rules around users' health data, a risk that in-house teams can help mitigate.

Wellness programs became popular under the Affordable Care Act, which allowed employers to offer seriously discounted health insurance premiums to workers who participated. The data collected varies depending on the app used, but it ranges from vital signs, to hours of sleep, to step counts. Many wellness apps and programs also require a health questionnaire to sign up, one that asks employees for information they may not otherwise share.

An app that monitors the details of an employee's health may sound creepy—but what's more alarming is where this data can end up.

“A lot of the data in the apps or programs can be sold to third parties [whose identities] don't have to be disclosed by the wellness program vendor or the app,” said Dr. Ifeoma Ajunwa, an assistant professor at Cornell University's School of Industrial and Labor Relations and a faculty associate member of Cornell Law School.

These third parties include drug developers and others in the health industry, and can lead to targeted, unsolicited ads. The data could also wind up in employers' hands, and while it's theoretically aggregated and anonymous, some apps make it easier for employers to identify the user by breaking employees down into small groups.

Employers can't legally fire someone for health information they uncover from wellness plans, but if they do, it's often hard to prove, according to Ajunwa.

“The problem right now is that there are no set government standards to anonymize data,” she said. “So companies will say the data is anonymized, it's disaggregated, but how did they do that? Because there are many different ways to do that, some of which are more effective.”

If employees are concerned (or employers, many of whom may not know the extent to which data is being sold and shared), in-house legal departments can act as the front line of defense. One of the easiest ways to prevent the sale of employee data is by using legal contracts to stipulate upfront what wellness apps can and can't store or sell, Ajunwa explained. Companies should also have a clear plan for how to manage a breach of employee health information.

“The first thing is actual contractual stipulations with the wellness vendor in regards to how the data will be used and how the data will be secured,” Ajunwa said. “I find that a lot of companies don't necessarily have these conversations and they just assume the wellness vendor is taking all the steps.”

Without a contract and specific stipulations in place, the collection of this data is legal in the United States, so long as the wellness program complies with the ACA. While there's been pushback from proponents of the Americans With Disabilities Act, which prohibits employers from forcing workers to disclose their medical history, wellness program supporters have said there's no obligation for employees to sign up.

But some argue that voluntary wellness programs aren't really voluntary, as employers can legally incentivize workers with massively discounted premiums or raise health care costs for those who don't participate. There may also be social pressure from colleagues at play.

“When there's an environment, [talking] at the water cooler or sharing on Facebook, it's hard on an employee to not participate,” said Pam Dixon, executive director of the World Privacy Forum, a nonprofit public interest research group that focuses on data privacy. “They may feel compelled to participate in a program in order to maintain a good office working relationship. Companies are going to have to look at their culture and say, do we want a policy about making Facebook pages for our wellness program?”

Proposed legislative changes could also affect employers' and employees' rights regarding wellness plan data. The Preserving Employee Wellness Programs Act would allow wellness programs to ask about employees' family medical history or genetic data, which is currently prohibited under the Genetic Information Nondiscrimination Act (GINA), while keeping financial incentives for wellness program participation in place.

On the international scale, the European Union's General Data Protection Regulation, effective in May 2018, will require increased transparency around wellness programs in EU countries, according to Ajunwa. In post-GDPR Europe, she said, it could be harder for a situation to arise in which people don't know whether their data's been sold or kept for years after its initial collection, because data processing will now require “freely given, specific, informed and unambiguous” consent.

So as employees across the company focus on health-related New Year's resolutions, it may be high time for legal departments to focus on a resolution of their own: giving wellness apps a checkup.