
How HR Can Safeguard PHI


By Deena Coffman

Human resource departments are collecting a growing amount of protected health information (PHI) on employees and their dependents for health benefits on a daily basis. Yet many of them are unaware of the risks associated with managing so much accumulated sensitive data.

It’s important for HR departments to ensure the PHI entrusted to them is adequately safeguarded from the moment it is received, through processing, storage, and finally to disposition. To achieve this, HR teams need a thorough understanding of where PHI exists, the security risks to sensitive information and data protection obligations.

Regulations Covering PHI

HR professionals may not receive the training they need on legal requirements under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. To avoid overlooking important data protection requirements, HR staff should review the HIPAA Security Rule, which offers important guidance for individuals in roles that administer requirements related to privacy, security and breach notification. Compliance advice such as the “Minimum Necessary” guidelines and other aspects of these regulations can all help HR groups navigate what is required of them.

Identifying Information Assets in the Form of PHI

To protect sensitive information, companies must identify how the information is received, where it is located, who has access to it and how long it is retained. Once those factors are known, a plan can be developed for protecting and securely disposing of the information after retention periods expire. A data inventory is a foundational step in developing a data privacy framework. In some environments, a HIPAA risk assessment may also be needed.

Risk Assessment

A risk assessment will help HR groups understand which of these security measures and practices may already be in use, which may be available but not routinely utilized, and which can be added to improve the department’s security posture. An assessment also helps identify whether vendors have weak security protocols that could impact data privacy.

Third-Party Vendor Risk

To manage third-party data breach exposure, HR departments will want to work with procurement, security and legal departments to vet all third-party vendors with access to systems or sensitive information and to implement contractual language that provides requirements for secure data handling as well as responsibilities in the event of a security incident.

Security Strategies

Companies need to focus not only on deliberate, targeted attacks, but also on accidental exposures caused by carelessness or a lack of training. Lost laptops and smartphones, a problem that has reached epic proportions, are a leading cause of data breaches. Simple measures taken by HR departments can greatly reduce the probability of an opportunistic attack being successful. They include requiring the use of strong passwords, encrypting sensitive data, and installing and keeping updated antivirus and antimalware software. These simple practices can be highly effective, especially when accompanied by policies that are communicated to employees in training and awareness programs.

Mitigating Risks

The next step in improving security and properly protecting PHI is the development of a written information security plan (WISP). This is a plan that pulls together all the data protection protocols and practices the organization uses. Employee training programs, acceptable use policies and protocols on securing communications should be included to ensure that a cohesive picture of the organization’s security posture is established and communicated.

Devising a plan to deal with data exposures is also recommended. Often called an incident response plan (IRP) or a data breach response plan, this document is designed to outline the steps that HR, as part of a breach response team, will take if a security event, a security incident and/or a data breach occurs. By proactively planning responses to an exposure, HR and other departments will be in a position to act quickly and limit the damage from a data breach. This plan will also facilitate alerting the proper agencies if HIPAA-protected data has been exposed. Practicing the plan will raise security awareness and become an ongoing risk reduction exercise.

Coordinating Internal Operations

A compliance program requires the coordinated efforts of internal groups. This holds true for HR teams grappling with the proper handling of PHI. First, executives from the C-suite down must be on board as support for the program—and the allocation of the necessary resources to implement it—is crucial to success. A top-down approach sends a message that the organization is serious about the initiative and that compliance is not optional.

The information security group, if one exists, will also need to be part of the team. Informing IT of the existence of protected data as well as specific requirements for protecting it allows the IT department to understand what is required so they can select and implement the technology tools that will meet the requirement while tending to productivity and cost.

Together, this multipronged approach will help to ensure HR departments are meeting any compliance obligations that may exist under HIPAA. They will be better equipped to securely manage the day-to-day processing of PHI, as well as its long-term retention and destruction. Workers with access to sensitive data will have a deeper understanding of their responsibilities as part of the organization’s overall privacy policy, and they will also be able to respond more quickly if they suspect the department’s PHI files have been exposed.

For data security consultation or if your business has experienced a breach, please visit IDT911Consulting.com or call 1-866-296-1755. IDT911 Consulting experts provide practical solutions to help businesses avert, prepare for and respond to a data loss incident.

Deena Coffman is CEO of IDT911 Consulting.
