5 ways to protect sensitive employee health information
More and more employers are opting to self-insure to gain greater control over their employee benefits costs. Along with the benefits of a self-insured plan comes the additional risk and responsibility of adequately protecting the health information of their employees — prime data that hackers want.
It’s imperative that employers and their advisers understand the legal obligations if a company experiences a data breach that involves the protected health information of employees.
Federal law says that under certain circumstances companies have to notify the U.S. Department of Health and Human Services within 60 days of a breach of consumer health data, and 48 states have individual statutes for notification of affected individuals. This can necessitate hiring privacy attorneys, credit monitoring firms and other consultants to sort through the laws and regulations and meet notification requirements in a timely fashion.
For companies that are self-insured or thinking about self-insuring, the following five best practices will help protect employees’ sensitive information from hackers and minimize potential damage to a company and its employees in the event of a data breach:
1) Have a business associate agreement. Many companies outsource the administrative aspects of their health plan to a third party — including plan design, claims administration and prescription drug management. This vendor will have access to employees’ private health information. If a business has contracted with an outside vendor for any aspect of the health plan management, make sure it has a HIPAA business associate agreement (BAA) with them that clearly outlines the protocols and responsibilities in the event of a data breach, including breaches caused by any of the vendor’s subcontractors. Make sure the BAA includes a provision that the employer must be notified of any type of breach immediately. Ultimately, the employer is responsible for all aspects of breach notification, because the company is the one that gathered the information from its employees. The BAA can transfer the costs and establish a timeframe and process for notifying the correct parties.
2) Test the technology. Data are only as secure as the network. To test the security of a company’s network, including firewalls and intrusion detection systems, hire an outside firm to complete a penetration test. The firm will act like a hacker to identify any weaknesses in the system, which can run the gamut from application and operating system flaws to risky end-user behavior. The employer can use this information to implement additional security measures where necessary. Maintain the security of the network by holding annual reviews to make sure the company is up to date with the latest security measures. Hold vendors to the same standards, and require them to provide proof that they are assessing their networks on an annual basis.
3) Train employees. From emailing the wrong person to opening an email that contains malware, staff errors happen all the time. While one can’t prevent all errors from happening, it is possible to implement policies and train employees on best practices to minimize risk. For example, do employees know how to identify a phishing attempt? Do they work on their own mobile devices and does the company know how secure they are? Do employees email sensitive documents to their home computers to work on at night? Knowing the practices of employees and educating them on any risky behaviors can limit potential end-user security breaches.
4) Review offline processes. In addition to online practices, employers should also consider their process for securing and disposing of paper files. How are paper files stored and who has access to them? How long will the company keep this data and, if it is to be destroyed, will it be disposed of safely? A piece of paper can be as dangerous as an electronic medical record if not handled properly. Make sure the company has secure policies and procedures in place.
5) Get a cyber insurance policy. Cyber coverage is essential for companies with self-insured health plans. Look for policies that offer network security liability coverage for data breaches, destruction of data and viruses, as well as privacy liability coverage for network security failures and for breaches due to human error or a technology malfunction. Advisers should thoroughly review any policy to make sure the company is getting the coverage it needs. Many policies include sub-limits that place restrictions on the payouts for certain aspects of a data breach.
An employer may have a $1 million limit on its cyber policy, but only a certain percentage of that could be earmarked for crisis management costs, such as fees for privacy attorneys, IT forensics, credit monitoring, notification and public relations. These costs can easily reach six figures in a matter of weeks. A crisis management sub-limit could leave an employer paying any costs that exceed it out of pocket. Paying attention to the details will help avoid surprises if a company finds itself dealing with a data breach.
With so much of our lives lived online, taking measures to protect the information we share has become a modern-day necessity. This is especially true for companies in possession of sensitive employee health information. Taking the proper precautions will help make companies a less desirable target for hackers and give businesses and employees a safety net in the unfortunate event of a breach.