Protecting protected health information

In February 2010, mandates under the Health Information Technology for Economic and Clinical Health Act, or HITECH, made business associates accountable for the HIPAA security standards that apply to health plans and health care providers. The expanded definition of "business associates" clearly includes brokers and agents. HIPAA itself came about in 1996 as the initial attempt to address the growing concern over the protection of medical records.

Other industries have been affected by privacy concerns as well. For example, the employment screening industry (background investigations for employment purposes) has specific regulations on the protection of personally identifiable information (PII). PHI and PII share common data elements and, thus, common requirements for their security. All of this has an impact on our clients and, more specifically, on the HR managers we work with.

We should establish best practices for the secure use of PHI. This is a classic example of the carrot and the stick, with the carrot being more business for those of us who have implemented compliant privacy and security practices. Our HR clients require it. If they don't, we should make sure they understand why it is important. Either way, we become HR privacy partners.

There are two aspects of becoming HR privacy partners that we should look at more closely: documentation and technology. By documentation I mean regulations, forms and agreements. Regulations and forms go hand in hand, and we should be able to provide this documentation to our clients. Furthermore, our knowledge of the regulations can be a key differentiator during the sales process. And remember, HR managers want more than just information - they are looking for partners they can trust.

There are good tools available in the market that can help address our clients' documentation needs. Online tools that include federal and state law summaries; model documents with sample policies, notices and job applications; interactive government forms; and more are all readily available. And there are tools that apply more directly to HIPAA, such as HIPAA privacy and security manuals and model documents.

The agreements brokers use should cover both the relationship with clients and all of the vendors that brokers interact with in the process of providing employee benefits. The Business Associate Agreement, or BAA, has come into broader use, and employers are becoming more aware of the requirement for this agreement among and between their vendors and suppliers.

When it comes to addressing PHI privacy and security, technology is a double-edged sword. On the one hand there are great tools to encrypt data and to transmit it securely across the Web, while on the other hand nearly universal access to email and the use of thumb drives make it too easy to become complacent about how PHI is handled on a day-to-day basis. Emailing files or copying them onto a thumb drive is easy. It is also insecure and non-compliant.

Standard practices and methods for the secure transmission of data have been in common use for quite some time. Secure FTP has become the most commonly used method for secure data transmission. SFTP, which runs over SSH, encrypts both commands and data, so neither credentials nor file contents cross the network in the clear. Increasingly, though, companies are requesting that data also be encrypted before and after transmission, so that the file itself is protected at rest on both ends rather than only while in transit, thus adding another layer of security. PGP encryption is the method most often used to accomplish this. An alternative to SFTP is secure file sharing sites, which have been gaining traction in the health care market space. These "drop boxes" allow an employer and a broker to securely access and exchange data on a shared file server.
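One way to enforce the "encrypt before you transmit" layer described above is a pre-upload gate that refuses to hand a file to the SFTP client unless it is already a PGP-encrypted message. The following is an added example, not code from the article or from any vendor it mentions; the sample payloads are constructed, the SSN pattern is only a cheap heuristic for unencrypted PHI/PII, and the OpenPGP framing checks follow the packet header rules of RFC 4880.

```python
import re

# Constructed sample inputs (not from the article): an ASCII-armored PGP message,
# a binary OpenPGP packet header, and a plaintext enrollment export.
ARMORED = b"-----BEGIN PGP MESSAGE-----\n\nhQEMA...\n-----END PGP MESSAGE-----\n"
BINARY_PKESK = bytes([0xC1, 0x5E, 0x03]) + b"\x00" * 10   # new-format header, tag 1
PLAINTEXT_CSV = b"name,ssn,plan\nJane Doe,123-45-6789,PPO\n"

# OpenPGP packet tags (RFC 4880 section 5) that can begin an encrypted message:
# 1 = public-key encrypted session key, 3 = symmetric-key encrypted session key,
# 18 = symmetrically encrypted integrity-protected data.
_ENCRYPTED_TAGS = {1, 3, 18}


def is_pgp_encrypted(data: bytes) -> bool:
    """Return True if data looks like an OpenPGP encrypted message (armored or binary)."""
    if data.startswith(b"-----BEGIN PGP MESSAGE-----"):
        return True
    if not data or not data[0] & 0x80:      # bit 7 is always set on a packet header
        return False
    first = data[0]
    if first & 0x40:                        # new-format header: tag in the low 6 bits
        tag = first & 0x3F
    else:                                   # old-format header: tag in bits 2..5
        tag = (first >> 2) & 0x0F
    return tag in _ENCRYPTED_TAGS


_SSN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def looks_like_phi(data: bytes) -> bool:
    """Heuristic only: plaintext carrying SSN-shaped fields is treated as PHI/PII."""
    return _SSN.search(data) is not None


def upload_allowed(data: bytes) -> tuple:
    """Gate to run before the SFTP put: PHI must already be PGP-encrypted at rest.

    Returns (allowed, reason) so the caller can log the decision.
    """
    if is_pgp_encrypted(data):
        return True, "ok: payload is PGP-encrypted"
    if looks_like_phi(data):
        return False, "blocked: plaintext payload contains SSN-shaped fields"
    return True, "ok: no PHI indicators found in plaintext"


if __name__ == "__main__":
    for name, payload in [("armored", ARMORED), ("binary", BINARY_PKESK), ("csv", PLAINTEXT_CSV)]:
        print(name, upload_allowed(payload))
```

The SFTP transport still encrypts the session; this gate only ensures that a PHI file that lands on the shared server, or on a thumb drive, is useless without the recipient's PGP key.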

Secure email is an absolute must if you are going to use email to transfer files. Technology for secure email is readily available from many vendors. Email encryption, again often using PGP, together with authentication of email messages, protects the delivery and content of emails from being read by unintended recipients.

We all need to assess whether we have been taking the path of least resistance when dealing with PHI. If so, we should resolve, this year, to take the steps necessary to treat PHI more securely and to employ the technology tools that protect an individual's personal information, meet employers' increasing concerns, and help us secure more business.

Reach Lamb of Benergy Interworks at A.D.A.M. Inc. at jlamb@adamcorp.com.
