US businesses and health plans are keeping an eye on a proposed EU mandate that would prohibit the use of mHealth wearables in corporate wellness programs.
The European Union’s Article 29 Working Party issued a 24-page data protection and privacy advisory in June that would ban businesses from giving out smartwatches, fitness bands and other devices that collect health data for health and wellness programs because of security concerns.
The ruling bans wearables even if employees give permission for their use, and prohibits employers from collecting any kind of data from employees, even if it’s anonymized.
“Given the unequal relationship between employers and employees - i.e., the employee has a financial dependence on the employer - and the sensitive nature of the health data, it is highly unlikely that legally valid explicit consent can be given for the tracking or monitoring of such data as employees are essentially not 'free' to give such consent in the first place,” the advisory group said in its report. “Even if the employer uses a third party to collect the health data, which would only provide aggregated information about general health developments to the employer, the processing would still be unlawful.”
The board further noted that it would be “technically very difficult to ensure complete anonymization of the data,” saying an employer would still be able to “single out” employees with health issues like high blood pressure or obesity.
The Article 29 Working Party is composed of officials from the EU’s 28 member nations, and offers non-binding opinions. This document will be taken into consideration by each EU member in advance of the May 2018 implementation of the new General Data Protection Regulation.
Companies like Fitbit are keeping a close eye on the EU’s direction and have generally declined to comment on the advisory group’s directive. But Movecoach, a California-based workforce wellness company whose clients include Visa, Genentech, Salesforce and LinkedIn, warned that such a ruling could end its business in Europe.
“We are concerned that if a company is being transparent with their employees and wants to look at aggregate data, we might not be able to provide that service in Europe,” company CEO Tom McGlynn told Bloomberg.
Also concerned is Nokia, which acquired the French mHealth device maker Withings in 2015 and has since launched a new mHealth division called Nokia Digital Health.
"We believe the responsible integration of connected health devices into the healthcare system, including through corporate wellness programs, has the potential to significantly improve the health and well-being of society, and are actively working with hospitals, research institutions and healthcare providers to explore this promising field," Alexis Normand, Nokia Digital Health’s head of business to business sales, said, adding that the company would abide by the EU’s directives.
The concerns raised by the Article 29 Working Party aren’t lost on healthcare privacy and security experts in the US.
“Health data can be used for many different purposes, and in an age of ‘big data’ can reveal things about you that you may not even know about,” Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, told mHealthIntelligence sister site EHRIntelligence in 2013. “And the laws that protect health information often only protect that information within the health care system — [meaning] doctors and those involved in medical treatment and health insurers.”
“Sirens are going off in my head. There’s certainly the potential for abuse,” added Beth Givens, the director of Privacy Rights Clearinghouse.
At the moment, legislators on this side of the Atlantic are focusing their concerns on potential misuse of an employee’s genetic information.
Introduced in March, HR 1313, the Preserving Employee Wellness Programs Act, would enable employers to include genetic testing as part of a workplace wellness program, as long as the tests are voluntary.
Proponents of the bill say the legislation would “untangle conflicting, burdensome and unnecessary rules that are currently jeopardizing the ability of employers to offer quality wellness programs and the opportunity for employees to earn significant savings on their health insurance premiums while also improving their health.”
Opponents say the bill would strip away protections put in place by the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) on the collection of digital health information about employees and their families through wellness programs.
Writing in the Huffington Post, Nisang Patel, a Harvard University graduate student, said the bill could have a chilling effect on digital health.
“Researchers and digital health companies rely heavily on this data to improve clinical diagnostics, develop new insights into genomics, increase the scope of preventive care, and design new treatments for otherwise difficult-to-manage diseases,” he wrote. “The increasing prevalence of fitness trackers, smartphone sensors, and the Internet of Things has paved the way for researchers at both startups and institutions to map our activity, location, habits, and interactions with our environment to clinical disease, that is, develop digital phenotypes for illness. By working backwards and identifying patterns, this may allow us to detect and prevent early stages or progression of a disease much faster and more precisely than ever before.”
“If health status is no longer protected from premium increases and possible discrimination from employers, patient health information sharing will become increasingly scarce,” Patel concluded. “Patients will want to be sure that their health data can’t be used against them when insurers determine prices and coverage status, and the uncertainty alone may provide enough inertia for them to turn away requests from startups and scientists.”