A review of current HR privacy issues

By Brian O’Connor, CIPP and Amy Yates, CIPP

Wellness programs and medical inquiries

Many employers are offering wellness programs to employees in an effort to reduce overall health insurance spending and to reduce employee absence due to illness. Typical offerings include exercise, weight reduction, and stress management programs.

Employee participation is, of course, key to the success of these programs and their positive impact on the company’s bottom line. Incentives directly impact employee participation. However, the use of incentives can raise legal issues as well as complaints from employees who may not qualify for the incentives.

Some employers offer incentives in the form of cash payments, days off, reduced health insurance premiums, waived deductibles, and health coaches. In return, employees may be asked to complete an annual health exam, fill out a questionnaire, undergo biometric screening, attend meetings, or consult with a health counselor.

The provisions of HIPAA (Health Insurance Portability and Accountability Act) impose certain limits on wellness programs. Title I of HIPAA prohibits discrimination on the basis of “health factors” such as medical conditions, disability, claims history, genetic factors, and others. However, HIPAA also contains an explicit exception for certain types of wellness programs.

“Unregulated” wellness programs may be offered without restriction by employers. Such programs provide rewards regardless of health factors, or have no incentives at all. If incentives are offered, they must be so low that an employee’s decision to provide health information would be considered voluntary under the Americans with Disabilities Act. Examples include the reimbursement of fees for joining a health club or a smoking-cessation program, or encouraging participation in preventative care by waiving a deductible.

In contrast, programs that offer benefits or impose penalties based on health factors are regulated by HIPAA. Under this type of program, an employee might be offered lower premiums if they do not smoke, if their cholesterol level is, for example, below 200, or if their body mass index is below a certain level. Because these programs may penalize less healthy employees, the programs are allowed only if they meet five conditions:

   1. The programs must promote health improvement, not just reward healthy employees. Also, they cannot be a subterfuge for discrimination against people with disabilities.

   2. The combined value of all incentives must be less than or equal to 20 percent of the total premium for single employee coverage. The incentive may not affect eligibility for a health benefit.

   3. All employees must be made eligible at least once each year.

   4. The incentives must be available to all “similarly situated” individuals. Furthermore, if an employee may not be able to meet an eligibility factor due to a medical condition, or doing so is medically inadvisable, then the employer must offer a “reasonable alternative” measure of eligibility (e.g., a low-salt diet as an alternative to low blood pressure readings).

   5. Plan materials describing program terms must mention the availability of “alternative standards.”


In addition to these rules, employers should seek legal advice on the data privacy requirements under HIPAA and the ADA, which will apply to any medical information that employees provide while participating in such programs. Also, it is important to get legal advice on the disability discrimination issues that arise under the ADA and state disability discrimination laws. Finally, some wellness programs that offer “medical care” are covered by ERISA (the Employee Retirement Income Security Act), which imposes additional requirements and restrictions.

Despite the legal complexities, many employers believe that wellness programs improve employee health enough to generate significant savings in health insurance costs and illness absences.

Employee monitoring

Another evolving area relating to employee personal data is the use of electronic monitoring tools to discover employee theft, fraud, and other types of misconduct in the workplace or on the employer’s computer and communication systems. The following is a very high-level summary of what is generally allowed and prohibited in the U.S. Additional restrictions may exist under certain state laws. In addition, many types of electronic monitoring are prohibited in the European Union and in countries with similar privacy legislation.

In the U.S., most legislation on electronic monitoring recognizes the rights of employers as property owners, who should be free to observe what employees do while on the employer’s property and while using the electronic resources that the employer has purchased for employees to perform their jobs.

Employers now use electronic devices to conduct monitoring inexpensively, as compared to decades-old efforts involving legions of supervisors and security guards. The tools may be as simple as access systems that record data from an employee’s ID badge as they enter and leave the workplace, or as sophisticated as “content monitoring” software that silently registers the activities of all users in the employer’s computer system and then flags or prohibits certain behaviors that may indicate misconduct by an employee.

Employees in the U.S. have no general right of privacy in the workplace under the federal Constitution, or under most state constitutions. A few state constitutions create employee privacy rights, and a number of states recognize certain privacy torts. While courts have rarely interpreted either to create significant restrictions on the most typical types of employer monitoring, more recent cases have created some exceptions.

Telephone monitoring

The federal “wiretap” law has regulated telephone monitoring since the mid-twentieth century. Generally, it prohibits the interception of telephonic conversations without the express consent of at least one participant. However, it also recognizes the right of “service providers” to intercept calls in the normal course of providing the service. Employers are often deemed to be providers of their own phone systems, and therefore have a limited right to monitor calls of a non-personal nature. However, it is advisable for employers to obtain consent from their employees to the monitoring of calls. For example, an employer may want to get written consent from employees in a call center as a condition of taking the job. This will allow unlimited monitoring of calls by the employer, except in 12 states that require two-party consent. For calls in those states, or involving individuals in those states, most companies use a pre-recorded notice of monitoring. If the caller stays on the line, they give implied consent to monitoring.

Video monitoring

Many employers place video cameras at facility entrances, in parking lots, and in warehouses or other locations with a higher risk of employee theft. The cost of this technology continues to decrease.

There is no federal law restricting the private use of silent video monitoring. Consequently, an employer may place video cameras in almost any location on its property, without prior notice to employees. Note that in Connecticut and Delaware, employers must post notices of their video monitoring activities before beginning such activities. In addition, New York and a number of other states have laws prohibiting or restricting the use of video in locker rooms, changing rooms, and similar locations. Placing a camera in an employee’s office might create a common-law invasion of privacy claim in California and a few other states if the employee has a reasonable expectation that their office is generally private, and the employer has not notified them of its right to monitor activities in such locations.

E-mail, text messages, and Internet use

In 1986, the wiretap laws were amended by the Federal Electronic Communications Privacy Act to cover the interception of electronic communications, including e-mail. The Stored Communications Act further amended the laws to protect electronic communications in storage on computers. However, these laws continued the exceptions that allow the interception of communications with the consent of one party, as well as the right of “service providers” to monitor communications in their systems.

More specifically, if an employer is the “provider” of the equipment and applications that facilitate e-mail and text messaging, it is free to review any message stored in its systems without prior notice to, or consent from, anyone using those systems. As a result, even if an employer reads an employee’s personal e-mails or texts sent via the employer’s systems, the employee has no claim under federal law. In addition, few state courts have found such activities to violate common law, unless the employer has led an employee to believe that their use of such systems would not be monitored.

The situation is more complicated if an employer uses a vendor to provide e-mail, text messaging, or instant messaging services to employees. In such cases, even if the employer is the “subscriber” to such services, some courts have held that the employer may not compel the vendor to provide copies of an employee’s messages without the employee’s consent. As a result, employers who purchase such services from vendors should obtain a blanket consent from each employee as a condition of using such messaging services. In addition, employer policies should make clear that an employee must consent to any later employer request for copies of such messages in the course of an employer investigation. See Quon v. Arch Wireless Operating Co., 529 F.3d 892 (9th Cir. 2008); but compare with Flagg v. City of Detroit, 2008 WL 3895470 (E.D. Mich. Aug. 22, 2008).

Even better, an employer should arrange for copies of all messages to be stored on the employer’s own systems. These copies are very useful as backups, and for litigation purposes. Moreover, copies stored on the employer’s equipment are not subject to the Stored Communications Act, and may be reviewed by the employer without prior notice to, or consent from, the employee. See Hilderman v. Enea, 551 F. Supp. 2d 1183 (S.D. Cal. 2008).

All employers should have a policy on the use of their electronic resources and communications systems, and should have employees acknowledge the policy or agree to its terms. Such a policy should make clear that all systems and messages are the property of the company; that employees should use them for business purposes only; that they should have no expectation of privacy with respect to their use of the systems or the messages they send; that the employer can and will review employee messages; that the employee agrees that any vendor of messaging services may provide copies of all messages to the employer; that misuse of the systems is prohibited and may result in termination of employment; and that the policy may not be modified orally, but only in writing by a company officer.

For more on the topic of employee monitoring, see the article “Employee monitoring technologies and data privacy—no one-size-fits-all globally” in the May issue of the Privacy Advisor.

Brian O'Connor, CIPP, is chief security and privacy officer at the Eastman Kodak Company, where he coordinates the development and implementation of employee data and information security policies. He directs Kodak’s Corporate Security group, which conducts investigations, manages a global badge and access control system, and provides executive protection services. Before his appointment as CSPO, O’Connor was senior counsel in Kodak’s Employment Law Legal Staff, advising management and human resource professionals on all legal issues relating to applicants, employees, and former employees.

Amy Yates, CIPP, is a director in the Security and Privacy Services practice at Deloitte & Touche LLP, and is aligned with its Security and Privacy Services Center of Excellence. She advises domestic and international clients on a wide range of privacy and data protection issues, working with clients to develop business solutions for addressing complex data protection requirements. Before Deloitte, Yates served as the chief privacy officer for Hewitt Associates LLC, where she established and led Hewitt's Privacy Office and its global privacy program for five and a half years.
