Built on Trust
Compliance isn't an add-on. It's our foundation. Privacy isn't a feature. It's our promise.
Regulatory Compliance
HealthReturns is designed from the ground up to meet ACA and HIPAA requirements for employer wellness programs.
HealthReturns is structured as a Health-Contingent Wellness Program under ACA regulations, meeting all HIPAA privacy requirements.
We never penalize employees for health status. Everyone starts neutral and earns rewards through engagement.
Every level includes alternative pathways for those with medical conditions or limitations.
Clear, plain-language explanations of what's tracked, who sees what, and how rewards are earned.
Program Structure
HealthReturns operates as a Health-Contingent Wellness Program under the ACA and HIPAA wellness program regulations (29 CFR 2590.702).
Incentive Limits
Incentives are capped at 30% of the cost of employee-only coverage (50% when including tobacco cessation programs), as required by ACA regulations.
Reasonable Alternatives
Every reward level includes reasonable alternative standards for individuals who cannot meet the primary requirements due to medical conditions. Options include physician attestation, health coaching participation, and preventive care completion.
Voluntary Participation
Participation is entirely voluntary. Non-participation never affects health coverage eligibility, premium rates, or employment status.
Annual Opportunity
All employees have an annual opportunity to qualify for rewards at each level, with quarterly evaluation windows throughout the program year.
Privacy Principles
Your health data is sensitive. We treat it that way.
Data Minimization
We only collect data necessary for program operation. No unnecessary tracking or profiling.
Purpose Limitation
Health data is used solely for wellness program evaluation and rebate calculation.
Employer Boundaries
Employers never access individual health metrics. Only aggregate, anonymized data is shared.
Employee Control
You can view, export, or delete your data at any time. Disconnect sources whenever you want.
Secure Storage
All data is encrypted at rest and in transit. We use industry-standard security practices.
No Data Sales
We never sell, rent, or share your personal health data with third parties for marketing.
Data Handling
Complete transparency about what we collect, how we use it, and who can access it.
What We Collect
- Activity data (steps, active minutes, distance)
- Heart rate metrics (resting HR, HRV)
- Sleep data (duration, quality scores)
- Body composition (weight, BMI if provided)
- Blood pressure (if connected)
- Lab results (if connected to Function Health)
How We Use It
- Establish baseline health snapshot
- Evaluate improvement or maintenance
- Calculate level progression
- Determine rebate eligibility
- Generate personalized insights (optional)
Who Can Access It
- You: Full access to all your data and history
- HealthReturns: Necessary data for program operation
- Your Employer: Aggregate statistics only (participation rates, level distribution)
- Third Parties: Never shared for marketing or other purposes
What We Never Do
- ✕ Share individual health data with employers
- ✕ Sell or rent your data to third parties
- ✕ Use health data for insurance underwriting
- ✕ Penalize employees for non-participation
- ✕ Require genetic or diagnostic information
- ✕ Track location or non-health behaviors
Security Practices
Enterprise-grade security to protect your health information.
Encryption
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). OAuth tokens are encrypted before storage.
Access Controls
Role-based access ensures only authorized personnel can access specific data types. All access is logged.
Infrastructure
Hosted on SOC 2 compliant cloud infrastructure with regular security audits and penetration testing.
Incident Response
24/7 monitoring with documented incident response procedures. Affected users notified within 72 hours of any breach.
Questions about compliance?
Our team is here to help with any questions about our program design, privacy practices, or regulatory compliance.