Why does my company need my health numbers before I enroll?
An explanation of why employers collect health data during benefits enrollment, the difference between wellness data and underwriting data, and how HIPAA protects employees.

The request to provide personal health information during benefits enrollment can feel intrusive. For many employees, it raises immediate questions about privacy, fairness, and how the data will be used. Will this information affect my job? Will my manager see my results? The core of this concern stems from a misunderstanding of how health data flows in the employer-sponsored benefits system. The answer to why an employer collects health data during enrollment is not straightforward; it involves two distinct and separate pathways of data collection, each governed by a different set of federal regulations designed to protect employee privacy.
"A large share of firms offering health benefits ask their employees to complete a health risk assessment, a biometric screening, or both. Among large firms with a biometric screening program, 67% use incentives or penalties to encourage workers to complete the screening."
- KFF, 2023 Employer Health Benefits Survey
The two channels of health data collection
Understanding why your employer requests health information requires separating two fundamentally different purposes: group insurance underwriting and workplace wellness programs. While both involve health data, the regulations, actors, and usage of that data are entirely distinct. The first channel is governed by the Health Insurance Portability and Accountability Act (HIPAA), and the second is primarily regulated by the Genetic Information Nondiscrimination Act (GINA) and the Equal Employment Opportunity Commission (EEOC). For an employee, the most critical takeaway is that a strong regulatory "firewall" exists to prevent data from one channel from being used improperly in the other, or for any employment-related decisions.
The key distinction lies in who is collecting the data and for what purpose. For group insurance, the entity collecting data is the health plan or insurance carrier, not the employer directly. For wellness programs, the program may be administered by the employer or a third-party vendor, but the data is subject to strict confidentiality and cannot be used for underwriting individual policies.
| Feature | Group Insurance Underwriting | Workplace Wellness Program |
|---|---|---|
| Primary Goal | To assess risk for the entire group and set premium rates for the health plan. | To promote health and prevent disease among the employee population. |
| Governing Law | HIPAA (Health Insurance Portability and Accountability Act) | GINA (Genetic Information Nondiscrimination Act), ADA, EEOC Rules |
| Data Recipient | The insurance carrier or a Third-Party Administrator (TPA). | A third-party wellness vendor or a designated, confidential internal program. |
| Anonymity | Data is aggregated and de-identified before the employer sees group-level reports. | Individually identifiable information is confidential and kept separate from personnel files. |
| Employer Access | Employers receive only summary health information for plan administration, not individual PHI. | Employers only see aggregated, de-identified data to measure program success. |
| Participation | Mandatory for coverage under the plan. | Must be voluntary, though incentives may be offered for participation. |
Industry Applications
For carriers, TPAs, and benefits consultants, clarifying these distinctions is a critical part of employee education and building trust. When employees understand the regulatory protections in place, they are more likely to participate in programs that can lead to better health outcomes and more stable long-term plan costs.
Group insurance enrollment
During open enrollment, the health information you provide is used by the insurance carrier to underwrite the group plan. Under HIPAA, the group health plan itself is the "covered entity," not your employer. This means there is a legal firewall between the plan and the employer's HR functions. The employer is not entitled to see your protected health information (PHI). They may receive aggregated, de-identified reports on the overall health of the workforce to help them design better benefits in the future, but they will not know your specific results.
Voluntary benefits and wellness
Workplace wellness programs are different. These programs, which may include biometric screenings or health risk assessments, are governed by EEOC and GINA regulations. Key protections include:
- Voluntary Participation: You cannot be required to participate, though employers can offer incentives.
- Confidentiality: Your individual data is kept confidential and must be stored separately from your personnel file.
- Data Aggregation: Your employer only receives aggregated data that does not identify individual employees. For example, they might learn that 30% of the participating workforce has high blood pressure, but they will not know who those employees are.
Current research and evidence
Research consistently shows that employees are concerned about the privacy of their health data. A 2019 study by researchers at the University of Pennsylvania (Z. Song, et al.) found that while a majority of employees participated in wellness programs, many had significant concerns about data privacy. This highlights the need for employers and their partners to be transparent about data handling. The legal framework provided by HIPAA is robust. According to guidance from the U.S. Department of Health and Human Services, if a plan sponsor (the employer) is given access to PHI for administrative functions, they must certify that they will not use it for employment-related actions. This creates a clear legal barrier against misuse.
The 2023 KFF Employer Health Benefits Survey highlights the prevalence of these programs. It found that 54% of large firms (200 or more workers) offering health benefits provide employees a chance to complete a health risk assessment, and 42% offer a biometric screening. The data shows this is a standard industry practice, but one that relies heavily on the regulatory structures to maintain employee trust.
The future of enrollment health data
The trend is toward more data-informed, but also more privacy-preserving, approaches to group benefits. As technology evolves, the methods for collecting data are becoming less invasive and more integrated into digital platforms. The future is not about collecting more data, but about collecting the right data and using it more effectively within the strict confines of the law. This allows carriers to price risk more accurately and enables employers to offer more relevant wellness programs without mixing the two data channels. The focus for administrators is shifting towards using technology to enhance security, improve communication, and demonstrate the value of participation to a skeptical workforce, ensuring that the reason an employer collects health data at enrollment is clearly understood as a benefit, not a risk.
Frequently asked questions
Q: Can my manager see my blood pressure results from a company health screening?
A: No. Under laws like GINA and the ADA, individual health information from a workplace wellness screening must be kept confidential and separate from your personnel file. Your employer would only see aggregated, anonymous data, such as the percentage of all employees with high blood pressure.
Q: Can my employer use my health information to decide on a promotion or termination?
A: No. Federal laws, including HIPAA and GINA, create a "firewall" that prohibits employers from using health information collected for group plan enrollment or wellness programs for employment-related decisions like hiring, firing, or promotions.
Q: Is participating in a health screening mandatory?
A: It depends on the context. Providing information to the insurance carrier for enrollment in the group health plan is typically required to get coverage. However, participation in a separate workplace wellness program, which might include a health screening, must be voluntary. Your employer can offer an incentive to encourage you to participate, but they cannot require it.
As the landscape of group benefits evolves, Circadify is at the forefront of developing technology that enables carriers and TPAs to gather necessary health insights scalably and securely, all while respecting employee privacy and adhering to the strictest regulatory standards. By digitizing and standardizing the data collection process, our solutions help our partners manage risk more effectively and build more sustainable health plans. Discover how we're addressing this space by exploring our enterprise pilot program at circadify.com/industries/payers-insurance.
