What If Your Employer Gets Access to Your Medical Records?

T was never a star service tech at the auto dealership where he worked for more than a decade. If you lined up all the techs, he wouldn’t stand out: medium height, late-middle age, pudgy, he was as middle-of-the-pack as a guy could get.

He was exactly the type of employee that his employer’s wellness vendor said was their ideal customer. They could fix him.

A genial sort, T thought nothing of sitting with a “health coach” to have his blood pressure and blood taken, get weighed, and then use the coach’s notebook computer to answer, for the first time in his life, a health risk appraisal.

He found many of the questions oddly personal: how much did he drink, how often did he have (unprotected) sex, did he use sleeping pills or pain relievers, was he depressed, did he have many friends, did he drive faster than the speed limit? But, not wanting to rock the boat, and anxious to get the $100/month bonus that came with being in the wellness program, he coughed up this personal information.

The feedback T got, in the form of a letter sent to both his home and his company mailbox, was that he should lose weight, lower his cholesterol and blood pressure, and keep an eye on his blood sugar. Then came the perfect storm that T never saw developing.

His dealership started cutting employees a month later. In the blink of an eye, a decade of service ended with a “thanks, it’s been nice to know you” letter and a few months of severance.

T found the timing of his dismissal to be strangely coincidental with the incentivized disclosure of his health information.

An HHS investigation months later showed that T’s employer got access to health data it had no right to see and the service manager, with a wink and a nod from the dealership’s finance office, fingered T as expendable. It was a nice bonus — literally — that T’s departure lowered the dealership’s medical costs both immediately and over the long term, which is what every wellness vendor promises.

This data breach story is fictional. But, it’s coming. In fact, it has likely already happened but the employee doesn’t know it and the employer isn’t about to admit it. The lack of personal data security in Americans’ lives goes much farther than what the government might know about who you call or email.

Companies trade and sell huge databases of supposedly de-identified information and that’s on top of plain old stealing of insurance records.

Identity theft in medical settings is a long-time problem that health reform has not remedied. Hackers see hospitals as a rich trove of useful personal data, and they attack in no small part because hospital leaders are so clueless about exposure. Even state governments are unfortunately all too willing to sell what isn’t really theirs.

The exemplar for health privacy foolishness, however, is undoubtedly AOL’s Tim Armstrong and his disclosure about the babies of two employees and how much money their care cost AOL. We are quite sure that the Fei family did not ask for his broadcasting of their travails. To this volatile mix, employers have welcomed wellness vendors, who are proving all too quickly that people in industries built on deception will eventually do what you expect them to do, like leave data-laden flash drives lying around.

It is only a few small steps from foolish and inappropriate to potential civil and criminal liability, and enthusiastically adding wellness vendors to our health privacy turmoil was like drilling new holes in a block of Swiss cheese.

Employees should ask employers about wellness program particulars: who stores the data, how is it stored and where, who has access to it, can the vendor package and sell it, what will the employer do when the data is breached and how will the vendor be held accountable? In most cases, your employer will not know the answers and even express shock that you had the gall to ask.

To get at the crux of the wellness dilemma, first, refuse to join the program.  (You can get a medical excuse from your physician.)  Then, ask your employer why your company’s wellness strategy relies upon such intrusiveness.

Wouldn’t it be easier, cheaper, and more effective to help people do things joyfully and build cohesion on the team, like creating exercise opportunities, serving better food, and helping people manage work stress while maintaining the integrity of their personal space?

With all the stress inherent in the lives of employees today, how is it ‘wellness’ when you give people more to worry about?

Vik Khanna is Wellness Editor-At-Large for THCB, writes the KhannaOnHealthBlog, and is co-author with Al Lewis, of Surviving Workplace Wellness With Your Dignity, Finances and Major Organs Intact, the inaugural e-book of THCB Press.

22 replies »

  1. This is so true. I managed a small (45 ee) company and two of the ee’s had high medical costs. It was known who they were, and their conditions were chronic and ongoing. The owner was thinking hard about getting rid of them to help control medical costs, though he would not state it as such.

    It happens.

  2. Thanks for raising the data security and use issue, Vik. It is not one getting a lot of attention and discussion within the worksite wellness field. The questions you propose are certainly ones I will be including in any future RFPs and contracts I am involved in.

  3. Giving people time and support for exercise, better food at lower prices, sabbaticals, fewer demands to be perpetually connected…all good wellness initiatives that cost little, are completely voluntary, and may or may not reduce medical care spending, but improve morale.

    Making people answer HRAs, have biometrics taken and interpreted by idiots, and go get preventive medical care that actually prevents little and facilitates false positive diagnoses…stupid, costly, and damaging to morale.

    We’re all for the former. The only people all in for the latter are people who make money off the programs and then have data that will one day be either breached or used against employees. We agree that the bad guys are the ones selling these programs. Employers can do lots of great positive things for their employees without a vendor.

  4. Yes, we have EEOC and we have an OCR in the DoJ. You may have noticed we also have an OCR in HHS and its job is to enforce HIPAA and other relevant health care laws. Clearly, not everyone obeys the law. But the fact is, the laws exist and are being enforced much more now than they had been. If employers don’t care if they court the fines, then they will do the wrong thing. That’s not news, it’s mundane reality.

    I suppose it’s totally implausible that an employer would have a vested interest in promoting health in the workplace just because it’s the right thing to do? Must it be the case that their motives are to nefariously use health information against their employees? Don’t you think that’s just a teensy bit paranoid????

    The real bad guys are the ones selling workplace wellness plans because they are the ones who can plant the seed of preemptive loss prevention, just like EHR vendors plant the seeds of up-charging.

  5. Yes, and people once said the same thing about employers dismissing people for race or gender after the passage of civil rights laws. Won’t happen because everyone will obey the law and no one will want to be on the government’s hit parade. Happens all the time, which is why there is an EEOC and an OCR in the Justice Department.

    And perhaps you did not read through to the end of the article, which shows quite clearly, that the environment is ripe for theft of medical records and for idiocy by corporate leaders in the use of that information.

    Rather than occupy “never, never” land, we prefer to raise issues early and often so that people can: a) protect themselves; b) provide feedback — even rancorous, contentious feedback — to their healthcare providers, political leaders (such as they are, these days), and employers; and, c) reject schemes that put their health privacy at even greater risk than it already is, such as the intrusion of wellness vendors into the workplace.

    This rhetorical tool is called a hypothetical, and, like all our essays on wellness over the past year, it, too, will eventually be proven prescient.

  6. Now wait just a minute. You set us up with a fictional scenario, tell us that there is NO evidence that it has yet happened, and then deliver the big scare: BUT IT COULD! This is irresponsible. If any employer is not aware that breaking into employee health data is illegal, then they have been hiding under a rock for 15 years. If they were to break into the data, they would be the subject of a HIPAA complaint and stand to lose way more money in a fine than they would save by terminating unhealthy employees.

    There are real security issues in healthcare. This is among the least worrisome. But I guess during HIMSS publicity season, anything goes.

  7. “Pelosi queen of the twits says; ” unemployment benefits remain one of the best ways to grow the economy”.”

    The Fed thinks that the best way is to give free money to the banks – the ones that got us here.

  8. The alternative is for the employee to collect unemployment insurance. After all her highness Pelosi queen of the twits says; ” unemployment benefits remain one of the best ways to grow the economy”.

  9. Clearly reasoned health reform would have certainly made that a high priority. But, that would have required actual thought and potentially risky leadership.

  10. Yes, and the new employer, too, will have a wellness program, so T can go ahead and prepare to get stiffed again. His only solution, according to her highness, is to open his own shop, buy insurance in the individual marketplace, and employ no one. Force entrepreneurship.

  11. “We see there are millions of individuals too lazy to bother signing up for Medicaid even though they have been eligible for years.”

    Agree the Medicaid population might not be the most motivated in life but other hurdles exist:

    “Some of them may have their priorities wrong, but many don’t. The real problem is that state governments are trying to save money by keeping eligible people off the insurance rolls. In 2007, Health Affairs reported that fully one-third of all eligible but uninsured children had been booted out of Medicaid or SCHIP for no good reason, after being enrolled in the prior year. Some states make people file yearly or twice-yearly applications in order to stay covered, with in-person interviews and demands for a birth certificate. (Imagine being asked to retake your driver’s test twice every year.) Make an error on your paperwork or forget an appointment and your kid automatically loses coverage.”


    The real question I see is that these problems only exist in a private insurance mindset. Why should anybody have to “sign-up” for economically stratified coverage access. You’re born, you’re covered for life.

  12. One way of looking at this issue is whether one prefers the employer to be the one looking out for their employee’s best interest in being insured or if you prefer the government to be the one looking out for the individual. I believe if you leave it up to the individual, you will have even more uninsured with or without any mandate, subsidy, or tax break. There are substantial segments of the population that will not spend any of their own money or effort to protect themselves and the taxpayers from the costs of providing them with healthcare. We see there are millions of individuals too lazy to bother signing up for Medicaid even though they have been eligible for years. So, is the profit motive of the employer to take care of his employees sufficient enough to make sure they show up to work and are productive enough to generate dollars to the employer more or less powerful than the government’s motive to generate tax dollars that the party in power can enrich themselves or gain power by redistributing through lobbyist efforts?

  13. AlVic, according to Nancy Pelosi T’s situation has improved. Without the job tying him down he will be able to pursue other avenues and fulfill his dreams. [Sarcasm alert]

  14. Health insurance probably wouldn’t come through the employer either if it weren’t for the tax preference. We should get rid of that as part of broad based revenue neutral tax reform.

  15. Absolutely agree. Not one of the other forms of insurance in our household comes through an employer: homeowners, professional liability, LTC.

  16. “Wouldn’t it be easier, cheaper, and more effective to help people do things joyfully and build cohesion on the team, like creating exercise opportunities, serving better food, and helping people manage work stress while maintaining the integrity of their personal space?

    With all the stress inherent in the lives of employees today, how is it ‘wellness’ when you give people more to worry about?”

    Exactly. That was my one lament as I reviewed and critiqued your fine book on my REC Blog recently. I’ll have to update that post with a citation and link to this.

    You guys gonna be at HIMSS14?

  17. Big Brother strikes again. “1984” doesn’t look so unlikely now does it?