While we lean on technology to help streamline Annual Enrollment and benefits administration, and make the user experience more positive and personalized, we can’t ignore that technology also opens the door to personal data getting into the hands of the wrong people.
More than 112 million healthcare records were compromised in 2015, and human error plays a role in most organizational incidents related to security breaches. Even with the best of intentions, people make mistakes. Unfortunately, those mistakes can have huge cost implications for employers.
Just this week, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), announced that one company will pay a $2.5 million settlement for a HIPAA privacy and security rules violation in 2012 that involved the unlawful disclosure of protected health information (PHI). It’s the first settlement that involves a wireless health services provider, CardioNet, which provides remote mobile monitoring of and rapid response to patients at risk for cardiac arrhythmias.
According to OCR, the breach occurred when an employee’s laptop was stolen from a parked vehicle outside the employee’s home. The laptop contained PHI for nearly 1,400 people. Although the company had written policies and procedures around handling PHI, it hadn’t yet formally implemented them. Further, the policies didn’t address how to protect PHI on mobile devices like laptops and smartphones.
“Mobile devices remain particularly vulnerable to theft and loss,” said OCR Director Roger Severino. Given that, how can HR/benefits pros engage their teams and employees in general around security without stoking fear or raising privacy concerns?
In my role as a security leader at Businessolver, I think the most important thing I do is consistently take a step back and reconnect with the reality that each data line in an enrollment system is a person – an employee, a spouse, a child, a parent. With that mindset, it’s a lot easier to take the extra steps needed to secure data.
In terms of tactics around data security, I’d offer two simple tips:
Beyond those two things, the do’s and don’ts are simple: Do use trusted and secure storage techniques – we’re a huge advocate of single-source technology to do this. And of course, don’t mishandle PHI – never send it by email and make sure employees don’t either, even when it’s easy and convenient.
When in doubt, follow federal guidelines and best practices where applicable: HHS has great tips and information to help protect and secure PHI when using mobile devices.