Privacy Guide · May 31, 2026 · 9 min read

Privacy Risks of Employee Wellness Programs


By Sarah Chen

Head of Privacy Research


Your employer's wellness program may be collecting far more personal health data than you realize. From biometric screenings and fitness tracker data to health-risk assessments and genetic testing, workplace wellness programs can build a detailed profile of your physical and mental health. Here's what you need to know about the privacy risks — and how to protect yourself.

What Data Do Wellness Programs Collect?

Corporate wellness programs have evolved well beyond gym reimbursements. Today's programs often collect highly sensitive personal health information, including:

  • Biometric screening data — blood pressure, cholesterol levels, blood glucose, body mass index (BMI), and waist circumference
  • Health-risk assessments — detailed questionnaires about your medical history, lifestyle habits, mental health, substance use, sleep patterns, and family medical history
  • Wearable device data — heart rate, step counts, sleep cycles, skin temperature, oxygen saturation, and physical activity tracked by employer-provided Fitbits, Apple Watches, or other fitness trackers
  • Genetic information — some programs offer or incentivize DNA testing for health risk factors
  • Prescription and claims data — information about medications and healthcare utilization
  • Mental health data — usage of employee assistance programs (EAPs), stress assessments, and therapy participation

According to recent data, around 20% of employers who offer health insurance are already collecting data from employees' wearable devices, building records that can reveal chronic conditions, substance use, reproductive health status, and mental illness.

Your Data Can Reveal More Than You Think

Wellness program vendors can analyze collected data to identify personal life developments you haven't disclosed to your employer — such as a pregnancy, a new medical diagnosis, or a change in mental health status. Even seemingly harmless fitness data from a wearable can paint a detailed picture of your health when combined with other records.

The Legal Landscape: What Protections Exist?

Several federal laws govern how employers can collect and use health data through wellness programs, but the protections have significant gaps.

HIPAA: More Limited Than You Think

Many employees assume HIPAA protects all their health data, but this is a common misconception. HIPAA only applies to covered entities — healthcare providers, health insurers, and healthcare clearinghouses. If your employer's wellness program is not administered through the company's group health plan, HIPAA may not apply at all. Standalone wellness programs run by third-party vendors often fall outside HIPAA's scope.

ADA: Voluntariness Requirements

The Americans with Disabilities Act (ADA) prohibits employers from requiring medical examinations or disability-related inquiries unless they are job-related. Wellness programs that include health screenings or medical questionnaires must be voluntary — meaning employers cannot require participation, deny coverage, or take adverse action against employees who decline.

However, the definition of "voluntary" has been contentious. Employers can offer financial incentives of up to 30% of the cost of self-only health coverage to encourage participation, which critics argue makes participation effectively coerced for lower-income workers.

GINA: Genetic Information Protections

The Genetic Information Nondiscrimination Act (GINA) prohibits employers from using genetic information in employment decisions and restricts its collection. For wellness programs, GINA requires that any collection of genetic or family medical history information must be voluntary, accompanied by prior written authorization, and kept strictly confidential.

State Laws: A Patchwork of Protections

Some states go further than federal law:

  • Illinois has the Biometric Information Privacy Act (BIPA), which requires written notice, informed consent, and publicly available data retention policies before collecting biometric data
  • California gives employees rights under the CCPA/CPRA to know what data is collected about them and to request its deletion
  • Texas, Washington, and other states have enacted their own biometric privacy laws with varying requirements

Real-World Risks and Controversies

Wellness program privacy concerns are not theoretical. In recent years, employees and regulators have raised serious alarms:

  • More than 30 employers were sued in 2024 alone over wellness program practices, with plaintiffs arguing that programs penalizing employees who fail to meet health benchmarks (like quitting smoking) constitute disability discrimination
  • In December 2024, the EEOC published guidance warning that employer-furnished wearable devices that collect health data may constitute prohibited medical examinations under the ADA
  • Research has shown that coercive wellness data collection undermines employee morale, contributes to mental health strain, and can reduce productivity — the opposite of the program's stated goals
  • Third-party wellness vendors have been found to share data with insurance brokers and other parties in ways employees did not anticipate when they enrolled

Ask Before You Enroll

Before participating in any workplace wellness program, ask your employer or the program vendor these questions: What specific data will be collected? Who will have access to it? Will it be shared with your employer, insurers, or any third parties? How long will it be retained? Can you request its deletion? Get answers in writing.

How to Protect Your Privacy

Evaluate Participation Carefully

  • Read the privacy policy and consent forms before enrolling — look for clauses about data sharing, third-party access, and data retention
  • Understand the incentive structure — calculate whether the financial reward is worth the health data you're handing over
  • Consider opting out of features like wearable tracking, genetic testing, or detailed health-risk assessments even if you participate in the broader program

Minimize Data Exposure

  • Provide only the minimum required information — you may be able to complete basic program requirements without filling in every field on a health questionnaire
  • Use a separate email address for wellness program accounts to limit cross-referencing with your work identity
  • Decline employer-provided wearables if possible — use your own fitness tracker and don't sync it with employer platforms
  • Review app permissions for any wellness program app installed on your phone — deny access to contacts, location, and other unrelated data

Know Your Rights

  • Your participation must be voluntary under the ADA — you cannot be fired, penalized, or denied health coverage for refusing to participate
  • Your individual health data cannot be shared with your employer — only aggregate, de-identified data should be disclosed to your company
  • You have the right to ask for a copy of any data collected about you and to understand who has access to it
  • If you believe your data was mishandled, you can file a complaint with the EEOC, your state attorney general, or the Department of Health and Human Services

Protect Your Data Beyond the Workplace

Wellness programs are just one way your personal health information can be exposed. Data brokers routinely collect and sell information that can reveal health conditions, prescription drug use, and lifestyle details to anyone willing to pay. PrivacyOn monitors over 100 data broker sites and automatically removes your personal information, helping you limit the amount of sensitive data available about you online — whether it originates from a wellness program, a health app, or any other source.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
