Ensuring the privacy of protected health information (PHI) isn’t a top priority for many HR departments. They have so many other pressing concerns—such as attracting and retaining talent, managing disciplinary issues, and controlling costs—that maintaining security around employees’ PHI often plays second fiddle. But the latest round of changes to the Health Insurance Portability and Accountability Act (HIPAA) and the related Health Information Technology for Economic and Clinical Health (HITECH) Act should make HR departments sit up and take notice.
The HIPAA final rule, released in 2013, primarily focuses on organizations within the health care sector, such as providers and those who process data for them. But sponsors of health and wellness plans may also fall under HIPAA guidance, and HR departments need to ensure they’re in compliance with the privacy, security and breach notification requirements. Following the “minimum necessary” advice and other guidelines contained in the final rule is just the beginning when developing a strong data privacy program.
Know Where Security Gaps Lurk
Assessing your organization’s risks is the first step in developing a stronger security posture. A HIPAA risk assessment, conducted by an experienced information security professional, provides a window into any potential security weaknesses within the HR department as well as the company as a whole. It will uncover areas where technology tools may be lacking and where potential risks might exist because of outdated or ineffective policies and procedures. A risk assessment will also reveal if security measures used by partner organizations—third-party benefits administrators, payroll processors, etc.—may be putting your group’s data at risk.
“One gap that such assessments routinely find relates to termination of employees,” said Dan Berger, CEO of Redspin, a provider of penetration testing services and IT security audits. “Whether the end of employment is voluntary or involuntary, policies must be in place to cover the removal of the former employee’s access to all IT systems within hours of termination. Even if adequate policies exist, it is critical to show that they work in practice. There must be documented procedures in place and, most importantly, regular audits to show that the process is being followed.”
An assessment also provides an opportunity to discover where risk factors exist outside the typical IT-related activities. Physical security of data storage areas, from file cabinets to mobile devices, may be ineffective. Confidential discussions that involve PHI may be held where they can easily be overheard. These all represent gaps where data exposures can occur, either inadvertently (such as through the loss of a smartphone that wasn’t protected with a strong password) or through deliberate action (hackers and other malicious threats).
Shore Up Your Defenses
Addressing the liabilities and potential dangers identified in the risk assessment is the next step in developing effective PHI safeguards. Technology solutions, such as network security appliances and data encryption, will play a large role in complying with HIPAA’s mandates. Improving users’ security practices should also be a priority, since something as simple as sharing passwords can create an enormous security gap.
A written information security plan (WISP) will bring all these components together into a workable and effective strategy. This is where the organization lists the practices and protocols it plans to leverage to maintain privacy around PHI. Policies covering employee training should be included in the WISP, as should the details of any anticipated changes to the existing technology infrastructure that might impact data privacy efforts.
Next comes the incident response plan (IRP), which is exactly what its name implies—a document that walks the organization through what’s required and expected of the various teams if PHI is exposed. The IRP identifies the groups and individuals who will take action in the event of a breach and spells out what each one’s specific role will entail. A comprehensive IRP will also include any outside resources that will be needed in the event of a breach, such as forensic investigation services or public relations expertise to augment the internal teams.
An All-Inclusive Approach to Protection
Nurturing a culture that makes data privacy a priority requires an all-hands-on-deck strategy. Not only must the organization’s top leadership be ready to lend their full support to the endeavor, but several internal groups will also play pivotal roles in developing and maintaining a strong security posture.
The IT department will be instrumental in achieving compliance, as will legal counsel. But the information security team will form the framework of any privacy effort. Their expertise is crucial in bringing together the various regulatory mandates, technology tools and internal practices that will form an effective privacy program.
Through these coordinated efforts, HR groups will be in a position to fulfill their HIPAA and HITECH Act responsibilities and maintain the privacy of the PHI within their organization.
Deena Coffman is CEO of IDT911 Consulting, a consultative provider of identity and data risk management, resolution and education services.