Google is secretively collecting health data, and American workers should be worried


Earlier this month, Google confirmed it is collecting the comprehensive health histories of millions of Americans, through a partnership with the largest nonprofit health system in the US. This news should concern us all, but especially anyone who isn’t self-employed.

The revelation of what it calls “Project Nightingale” comes less than two weeks after Google’s announcement that it will buy Fitbit for $2.1 billion, meaning Google’s recent investments in digital health could create enormous problems in the future. The tech giant now has access to the health histories of millions of Americans through its revealed partnership with the Ascension hospital network, while millions more wear devices designed to provide health data on an ongoing basis and in nearly real time.

This has serious implications, especially for employees whose bosses could feasibly have easier access to their health data. Health data aggregation makes it more likely that in the future, people will suffer in the job market for being relatively expensive to insure. While it is illegal to fire someone because she is pregnant or disabled, there is no legal protection against being fired for having a risky health profile.

People suffer when their bosses have access to wide-ranging information about their health, such as blood pressure, average heart rate, and sleep patterns. But the rising cost of health insurance makes having healthier workers an important cost-saving measure. Employers have a strong incentive to collect data to help them identify which of their workers are most likely to have health problems in the future. The Americans with Disabilities Act (ADA) provides no protections against discriminating on the basis of potential disabilities or simply bad health conditions that US employees might suffer from in the future.

Having greater access to employees’ health records could allow employers to see which of their workers are more likely to become ill in the future. Employers are free to use this information as they see fit, at least until those disabilities develop, when the ADA might kick in. Employees with red-flag health records might be first in line to be fired (even preemptively), demoted, or otherwise made to suffer at work.

Many health problems develop as a result of employees’ stress, exercise, and/or other behavioral factors—which employers would know about if they had access to the kind of wide-ranging health data that Google is collecting through Project Nightingale. (Google, for its part, says that all of its work with Ascension “adheres to industry-wide regulations (including HIPAA) regarding patient data, and come[s] with strict guidance on data privacy, security and usage.”)

But there are other ways in which employers can get access to health data. They also can get it through the biometric monitoring of employees in connection with workplace wellness programs, as my research has shown. In a forthcoming article in the Stanford Technology Law Review, I explain how current anti-discrimination laws and privacy laws fall short of offering the protection employees need in this regard. Most large companies offer workplace wellness programs designed to help improve employees’ health and thereby lower health insurance costs over time, despite a recent study finding that these programs rarely generate the long-term savings employers seek.

And that’s where Google’s acquisition of Fitbit comes in. When employers provide Fitbits as part of wellness programs, which the Affordable Care Act gives them an incentive to do, there are no legal backstops against using that health data to evaluate their monitored employees.

Are some staff members relatively active, while others get no exercise at all? Are some workers more stressed out than others, according to the sensors in their Fitbits? No federal laws prevent employers from collecting and considering this information for staffing. HIPAA certainly doesn’t help, since neither Google nor Fitbit is the kind of medical entity that HIPAA’s restrictions are meant to reach.

With two data streams now at Google’s fingertips, the question arises of how Google plans to monetize this health data. Selling health profiles of current and potential employees to businesses could be enormously profitable, especially as the workforce ages and as health care costs and private employers’ shares of such costs continue to climb. Without any legal restriction on the use of this health-related data, both employees and job applicants have to wonder how their daily step logs, or their whole health history, will be used against them.

One way to limit the potential damage that Google’s aggregation of health data could cause is to enact new employee privacy laws, in addition to the new consumer privacy laws that Congress is considering this year. A more radical solution would be to decouple health insurance from work. If employers no longer had to shoulder so much of the cost of health insurance, they would likely lose the incentive to track the health of their employees.

While each option has its own complications, leaving the fair use of so many people’s health data up to Google sounds pretty unhealthy to me.

Liz Brown is an associate professor of business law at Bentley University, where her research includes data privacy legislation, the regulation of wearable sensor data, and equity in the workplace.