Wherever technology is involved, information security can’t be far behind. While we lean on technology to help streamline Annual Enrollment and benefits administration, and make the user experience more positive and personalized, we can’t ignore that technology also opens the door to personal data getting into the hands of the wrong people.
More than 112 million healthcare records were compromised in 2015, and human error plays a role in most security breaches that organizations suffer. Even with the best of intentions, people make mistakes, and those mistakes can carry huge costs for employers.
Just this week, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced that one company will pay a $2.5 million settlement for a 2012 violation of the HIPAA Privacy and Security Rules involving the impermissible disclosure of protected health information (PHI). It is the first OCR settlement involving a wireless health services provider: CardioNet, which provides remote mobile monitoring of, and rapid response to, patients at risk for cardiac arrhythmias.
According to OCR, the breach occurred when an employee’s laptop was stolen from a vehicle parked outside the employee’s home. The laptop contained PHI for nearly 1,400 people. Although the company had written policies and procedures for handling PHI, they had not yet been formally implemented, and they did not address how to protect PHI on mobile devices such as laptops and smartphones.
“Mobile devices remain particularly vulnerable to theft and loss,” said OCR Director Roger Severino. Given that, how can HR and benefits professionals engage their teams, and employees in general, around security without stoking fear or raising privacy concerns?
In my role as a security leader at Businessolver, I think the most important thing I do is consistently take a step back and reconnect with the reality that each data line in an enrollment system is a person – an employee, a spouse, child, parent. With that mindset, it’s a lot easier to take extra steps as needed to secure data.
In terms of tactics around data security, I’d offer two simple tips:
- Be transparent with your employees. Talk to your employees about the basics of HIPAA, what PHI is, and how it gets handled – not just during enrollment, but year-round. I think sometimes employers think, “That’s too much information; we’ll confuse people,” but I believe the opposite. Our experience is that clients who are open and upfront about information security build greater employee trust and confidence. Outside of enrollment, you can keep that conversation going by holding events around Security Awareness Month or other times throughout the year if that feels authentic with your company culture.
- Be aligned with your carriers. Host a “carrier summit” by conference call or in-person meeting to make sure your vendors are all aligned with your company’s benefits strategy and approach to securing information. Talk about how and when PHI gets transferred, set up clear and uniform standards, talk through any potential leakage points and how to eliminate them. I know time is precious, but it’s well worth it compared to the potential consequences.
Beyond those two things, the do’s and don’ts are simple. Do use trusted, secure storage; we are strong advocates of single-source technology for this. And don’t mishandle PHI: never send it by email, and make sure employees don’t either, even when it is easy and convenient.
When in doubt, follow federal guidance and best practices where they apply. HHS publishes practical tips for protecting PHI on mobile devices, including enabling device encryption, requiring a password or other user authentication, enabling remote wipe, and keeping software up to date. Encryption is the control that matters most in a case like CardioNet’s: PHI encrypted in line with HHS guidance is not “unsecured PHI” under the breach notification rule, so a stolen laptop with an encrypted disk is a lost asset rather than a reportable breach.