In an effort to curb rising health care costs, many employers have introduced wellness programs, which use assessments and motivators to improve employee health. Such programs collect information from various sources including surveys, gym records, lab tests, and even wearable devices. The problem, privacy experts say, is that there are few restrictions on how that information is ultimately used.

The companies administering wellness programs are often not bound by HIPAA and are free to develop and implement their own privacy policies, which can reserve the right to send personal information to third party vendors. Although wellness companies deny selling health information, there is potential for this information to be used in a variety of unexpected ways. For instance, the information could potentially be used by banks and insurance companies in determining who to lend money to, or whether to issue a life insurance policy. Companies could also use the information to market products to a particular person based on their health and lifestyle.

Further complicating the issue is the fact that employees have little control over their health information collected by wellness programs. Wellness programs typically require employees to sign complicated authorization forms that acknowledge that their information is no longer protected by privacy law and may be shared. Employees can choose to opt out of these programs; however, such a choice could result in a sharp increase in their health insurance costs.

These wellness programs are growing at a staggering rate, with estimates that it will be a $12 billion industry by 2020. Despite this growth, federal regulatory agencies have yet to decide whether oversight of the industry is needed.