Wearables, Health Apps, and Cybersecurity Risks for Self-Funded Health Plans

September 15, 2025

By: Bryan M. Dunton, Esq.

Wearables and health apps are no longer niche wellness perks; they have become a cornerstone of modern wellness initiatives. Fitbit, Apple Watch, Garmin, glucose monitors, and app-based coaching programs promise to improve engagement, encourage healthier behaviors, and potentially reduce long-term claims costs. Unsurprisingly, employers are increasingly offering these tools through voluntary wellness programs or integrating them directly into their self-funded health plans.

This shift brings genuine opportunities but also significant compliance, privacy, and fiduciary risks. Wearable and app data tied to plan administration may be treated as protected health information (PHI) under HIPAA – triggering strict regulatory requirements and ERISA fiduciary duties. For non-ERISA plans, some states have enacted privacy laws that must be considered. With cyberattacks targeting health data at unprecedented rates, plans must weigh the benefits and risks of adopting these technologies.

Technology in Self-Funded Plan Design

Group health plans may see wearables and apps as natural extensions of cost-containment strategy. Step challenges and similar fitness incentives encourage employees to stay active, while apps monitoring sleep, heart rate, and blood glucose can flag risks for chronic conditions such as diabetes, hypertension, and obesity. Plans often pair these tools with financial incentives to encourage participation.

For self-funded plans, the logic is clear: healthier participants may mean lower claims costs over time. But integrating these devices and apps into plan design also likely means treating data as PHI and ensuring it is properly safeguarded. That raises the bar considerably.

Cybersecurity and Privacy Risks

Wearables and apps capture far more than step counts. They track sleep cycles, heart rhythms, fertility, and even geolocation. Plan participants may be uncomfortable with the idea that their employer or plan administrator could access such intimate data, even if only indirectly.

Once data is created, received, maintained, or transmitted by a HIPAA-covered entity or its business associate in connection with plan administration, it becomes PHI. That triggers HIPAA’s privacy and security rules, requiring strict controls for storage, transmission, and use of the data.

Legal and Regulatory Considerations

Wherever wearable or app data is tied to the self-funded plan, HIPAA applies. Vendors running these programs act as business associates: they must execute business associate agreements (BAAs) and must comply with HIPAA's security and privacy rules.

Plan sponsors also face fiduciary obligations under ERISA. The Department of Labor’s 2021 cybersecurity guidance provides a benchmark for what regulators expect of fiduciaries managing health plan data. Plans must prudently select and monitor their vendors. The guidance emphasizes evaluating cybersecurity safeguards like encryption, secure system development when handling health plan data, and the need for a formal documented cybersecurity program.

Beyond HIPAA and ERISA, the Federal Trade Commission (FTC) has pursued enforcement against health app developers for certain data aggregation practices as well. For non-ERISA arrangements, state laws play a larger role. Washington’s My Health My Data Act, for example, imposes strict requirements on the collection and sharing of health data. Illinois’ Biometric Information Privacy Act protects biometric identifiers such as fingerprints and retinal scans, with efforts underway to clarify that heart rhythm signatures, which are commonly tracked in wearables, also fall within its scope.

Incentive Design and Compliance

Offering wearables also raises questions under HIPAA’s wellness program rules. Health-contingent wellness programs must remain voluntary, which generally means incentives cannot be so substantial that employees feel coerced.

Historically, regulators pointed to a 30 percent cap on incentives relative to the cost of coverage, but this safe harbor is no longer enforceable. In 2021, the EEOC proposed a stricter “de minimis” standard, permitting only incentives of minimal value, citing water bottles and modest gift cards as examples. That proposal remains unfinalized but signals the agency’s skepticism of significant financial rewards tied to health data disclosure.

For plans, that means tying wearable use to discounts or health coverage savings is legally murky. A safer route is to provide devices or app access as stand-alone perks, unrelated to health data collection, and offered equally to all similarly situated plan participants. This avoids HIPAA nondiscrimination concerns while still promoting engagement.

Key Takeaways

For self-funded health plans, wearables and health apps can be useful and powerful tools for promoting wellness and supporting long-term cost-containment. Yet their integration into plan design can transform consumer technology into regulated health plan components.

Plan sponsors must carefully evaluate what data is being collected, who controls it, and whether vendors can meet HIPAA requirements. Sponsors must also ensure compliance with ERISA fiduciary standards, state privacy laws (where applicable), and wellness program regulations. Balancing innovation with compliance, privacy, and plan participant trust will be key. Done right, these tools can enhance engagement by gamifying health and improve plan participant outcomes.