The health insurers have been relatively "smart" (more accurately, subtle) about this by this separation of the tracking/privacy implications into separate "Wellness" programs. In many cases these Wellness programs do seem to be firewalled from insurers with the only information passing between Wellness and Insurance being the simple abstracted metrics of "Level" or "Points", and that by way of presumably only the Benefits coordination aspects of corporate HR.
Though there are still questions of how strong the firewall is in cases where the Wellness programs and Insurance providers share parent companies or even just C-Suite members. Arguably, the separation allows corporate plan buyers to pick and choose Insurance and Wellness program separately, allowing for some competition between them on things like privacy. Yet, being employer-driven "benefits" first and foremost, it's hard to say how much the end consumer/user/employer's privacy is always prioritized, as it is an indirect need of the market.
(Also, every employer I've seen the Wellness program didn't define HSA contributions but rather "discounts" on Insurance premiums, which does seem to indicate that Insurance companies are probably using the Wellness program for risk pools, even with what little data they supposedly are being fed across the firewalls.)
Though there are still questions of how strong the firewall is in cases where the Wellness programs and Insurance providers share parent companies or even just C-Suite members. Arguably, the separation allows corporate plan buyers to pick and choose Insurance and Wellness program separately, allowing for some competition between them on things like privacy. Yet, being employer-driven "benefits" first and foremost, it's hard to say how much the end consumer/user/employer's privacy is always prioritized, as it is an indirect need of the market.
(Also, every employer I've seen the Wellness program didn't define HSA contributions but rather "discounts" on Insurance premiums, which does seem to indicate that Insurance companies are probably using the Wellness program for risk pools, even with what little data they supposedly are being fed across the firewalls.)