In April 2014, as electronic medical records became standard, the FBI issued a “private industry notification” warning health care organizations of an increased number of cyber intrusions targeting medical records due to, among other things, the higher payout for these records on the black market. Three years on, this prediction sadly appears to have proven true; in 2016 the medical/healthcare industry reported the second highest number of data breaches caused by hacking or phishing, and the most data breaches caused by insider theft.
Today’s HR professional is inundated with electronic records and emails describing employees’ physical conditions or accommodations. HR professionals responsible for employee benefits administration also have access to records relating to employees’ participation in the employer-sponsored plan (such as medical, dental or vision benefits) that are subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Employers are legally required to keep all this information confidential and secure. Below are four ways HR can help.
1. Limit and track access to electronically stored medical information.
Limiting the universe of employees who can access employees’ medical information is not only a practical way to prevent unauthorized disclosure, but also is a legal requirement. The Americans with Disabilities Act requires that information obtained by an employer in connection with a reasonable accommodation request, fitness-for-duty examination, or direct-threat analysis regarding an employee’s medical condition or history be kept confidential. In addition, at least two states — California and Connecticut — have laws that restrict how employers can use medical information, and prescribe the manner in which employees’ medical information must be stored. Most notably, California requires employers to establish procedures to ensure that employees’ medical information is protected from unauthorized use and disclosure.
In addition, most group health plans with more than 50 participants are subject to HIPAA. The HIPAA Security Rule requires that a company’s group health plan establish controls to maintain the confidentiality and security of employees’ health benefits information. A company’s failure to do this can result in a significant monetary payment to the relevant enforcement agency, the U.S. Department of Health and Human Services (“HHS”). Earlier this year, HHS obtained a $5.5 million settlement from an entity that failed to implement procedures to limit access to medical information and to track which employees were accessing medical data.
Based on this, HR should consider implementing the following safeguards:
- Strictly limit access to medical information to those employees who have a need to view the information;
- Develop a system (involve the IT Department if need be) to internally track or “audit” when employee medical information stored by HR is accessed;
- Regularly train HR employees on the methods the Company uses to keep medical information safe.
2. Restrict employees from sharing medical information via email.
In November of last year, HHS posted on its website a warning about scammers trying to fraudulently obtain medical information through a “phishing” email that appeared to be from HHS’ Director of the Office for Civil Rights. Phishing email scams, which often involve a hacked email account, were, according to one survey, the leading cause of data breaches in 2016 (the original report is no longer available online).
In addition to phishing scams, companies are faced with the threat of their employees stealing or negligently handling medical data. HR can reduce the risk of a company falling victim to these threats by placing restrictions on employees sharing medical information via email, such as:
- Requiring internal requests for employee medical information to be initiated by phone or in person, and not via email;
- Prohibiting responses to external requests for medical information (including legal requests, such as a subpoena) via email. Establish a protocol that third parties must follow in order to receive employee medical data;
- Ensuring that the legal department, or a senior HR executive, is informed before supplying information in response to any external requests for medical information.
3. Do not unnecessarily store medical data.
It is a common misconception that employee medical information must be stored for an indefinite period. The more electronic medical information a company has, the greater the risk that the company could suffer a security incident that will lead to medical data being exposed. Therefore, unless HR needs to retain an employee’s medical information, the information should be destroyed. It is not enough to merely delete the information. Both HIPAA and many state laws prescribe specific methods for destroying medical information on electronic media that must be followed.
4. Train employees to identify security threats and immediately report a suspected breach.
In the event of unauthorized disclosure of employee medical information, companies should act swiftly. Twelve states (and Puerto Rico) have laws that require companies to disclose to affected individuals, in certain circumstances, the unauthorized acquisition of medical information. When notification is required, the majority of these states require it without “unreasonable delay,” but one state requires notification within 30 days.
For group health plans, HIPAA requires that notification of a data breach be made within 60 days. Earlier this year, for the first time, HHS announced that it had reached a $475,000 settlement with an entity that failed to comply with this notification timeframe. It is therefore crucial that employees are trained to identify security incidents and to notify HR, who should in turn immediately notify the legal department.
Finally, any medical information that a company stores using a cloud service provider (CSP) should be stored with the CSP’s agreement that a security breach will immediately be reported to the company. This is a requirement for group health plans; HIPAA requires that a group health plan enter into a “business associate agreement” with the CSP that requires the CSP to promptly report any security breach to the plan.