Employee Health Data: Evaluating Your Vendors' Privacy Standards

Due diligence includes a responsibility to verify the security of private medical information

By Joanne Sammer Mar 8, 2012

Whether it is a stolen laptop computer, misplaced storage devices or hacking, there has been a steady stream of security lapses in the news involving private medical data and information. For employers, these data breaches are a key concern. No employer wants to find that its employees’ private health data has been compromised as a result of actions or inaction by a service provider it hired.

As investments and directives move electronic medical records closer to reality, employers need to take steps to make sure not only that their own systems are secure but also that the vendors they hire have invested to maximize data security. “The question is, what responsibilities do employers have when it comes to evaluating how well vendors secure data and manage data privacy?” said Russ Robbins, principal and senior clinical consultant for benefit consultant Mercer.

Relying on Service Providers

Because employers cannot have access to individual health data, they must rely on service providers to manage certain employee benefit programs. This way, individuals can enroll in an employer-provided diabetes management program, for example, with the assurance that their employers will not know anything about their condition.

For these arrangements to work, employers need to make sure that their vendors are doing everything they can to secure employees’ data. Just as they conduct due diligence on vendors for their retirement plans, employers need to conduct data privacy due diligence on their health care-related vendors that provide such services as disease management, wellness programs, health risk assessments and case management.

Ensuring this level of privacy and data security is becoming more important as employers expect employees to be increasingly proactive about their health. However, if employees are to be motivated to take health risk assessments and undergo biometric screenings in order to identify and manage certain health conditions, they need assurance that there are safeguards to keep confidential health information related to those activities safe. “Employers should never make assumptions about a vendor’s data privacy controls,” said Robbins. “This is something employers must discuss candidly with their vendors.”


Conducting Privacy Due Diligence

“Any time you hire any type of service provider for employee benefit plans, there should be some type of due diligence process involved,” said Bob Lowe, a partner with law firm Mitchell Silberberg & Knupp LLP in Los Angeles. “There are fiduciary duties involved in managing employee benefit and retirement plans. Therefore, it is a good idea to have several service providers bid on a project so that you can compare their various strengths and weaknesses and how those mesh with your plans.”

When choosing service providers for health plans, there is the additional concern with respect to privacy issues. “These are issues to address with any vendor that is going to be performing services that involve access to health information about individuals,” said Lowe. In addition to complying with relevant state and federal laws, including the Health Insurance Portability and Accountability Act (HIPAA), service providers should have a comprehensive plan and approach to securing individuals’ health data.

For example, any vendor that will be handling private health information and information relating to a participant’s diagnosis or treatment is:

Required to enter into a special agreement with the plan sponsor. The technical term for it under HIPAA is a business associate contract, which is an additional agreement in which the service provider promises to comply with various HIPAA requirements. “In many cases, the service provider will have that as part of a package of documents that they provide for the employer to review,” noted Lowe.

Obligated to notify employers when there has been a breach of protected health information under rules issued by the U.S. Department of Health and Human Services (HHS). The business associate contract between the employer and the vendor should spell out how the vendor will handle that disclosure. If the employer is not comfortable with that process, its employee benefit and HR executives should raise that issue with the vendor and try to modify the notification process until it is acceptable to all parties.

“My preference is to have the employer or plan sponsor have control over the notification process so that you don't have vendors notifying employees without the employer or plan sponsor knowing what is going on,” said Lowe. “In some cases, the affected participants may need to be notified, as well as the HHS or even the media, if the breach is significant enough.”

During the vendor evaluation process, service providers are not obligated to inform the employer about past breaches. “The only way to find out if your vendor has had any breaches would be to ask them,” said Lowe.

Evaluating Existing Service Providers

Employers that are concerned they did not conduct appropriate due diligence on privacy controls when hiring service providers can still take steps to address those concerns. The first steps are to:

Make sure that each vendor contract includes a business associate agreement that spells out HIPAA privacy requirements and compliance. If there is no agreement, the employer should approach the vendor to get an agreement.

If a signed business associate agreement is several years old and does not reflect the most current regulations and requirements, including the security breach notification rules, push for all parties to sign an updated agreement.

As vendors’ contracts come up for renewal, ask questions about privacy controls and protections, whether the vendor has been involved in any security breaches for other clients that have required notification to participants, and about the vendor’s plans for upgrades and enhancements to data security.

Ask internal IT staff or outside consultants to evaluate vendors’ security levels, and make sure that their security is up to standards. “If the vendor does not meet those standards, either choose another vendor or give the chosen vendor a certain amount of time to upgrade,” suggested Robbins.

As more breaches make their way into news reports, vendors and employers will be under growing pressure to ensure and communicate measures for securing private medical data. At the same time, the HHS has announced more resources for enforcement, and the agency has begun conducting audits of selected providers. As electronic medical records become the norm, privacy will become more important and prominent, so employers need to act accordingly.

Joanne Sammer is a New Jersey-based business and financial writer.
