Friday, January 1, 2010

Employee Data Access, Security, and Controls

Happy New Year!

Recently, I was asked to comment on and make recommendations for employee data access, security, and controls with respect to HIPAA and non-HIPAA protected data.

1. Know and understand the current security environment and controls in place within your organization! Are your HIPAA Business Associate (BA) agreements up-to-date for relationships with health care providers, vendors, clients, brokers, consultants, TPAs, and others? Have your internal and/or external legal resources reviewed your BAs within the last 6 months to a year? What is the official and unofficial security philosophy of your organization? Are those philosophies framed within state law, union agreements, client contracts, vendor agreements, and/or organizational policies? Who within your organization oversees employee data security: HR, IT, internal audit, risk management, or a Security Czar? Is there a history of past security breaches? Does your management team perceive that employee data security is important? Is your organization covered by insurance to offset potential losses associated with a data security breach?

2. A complete data security analysis should be done, including physical access security, during the initial system implementation to ensure that the right level of access is granted to the right data user for only the data necessary to perform their current position duties. If, for whatever reason, a data security analysis was not done during the initial system implementation, it should be done as soon as possible by either internal or external resources. Most systems have the ability to define a security classification (data access/security profile) and associate that classification with a position. Example: a Benefits Mgr needs access to base pay (to determine life insurance amounts) and to dependent data to validate enrollment coverage (Single, Single + 1, Family).

3. If the employee’s role changes, e.g., the Benefits Mgr is now the Employee Relations Mgr, the ER Mgr will not need access to the employee’s medical plan option. However, he now needs access to any corrective action history. Once again, as soon as the position changes in the system, most systems allow for the automatic linkage of the position, via position number/ID/title, to the appropriate data access/security profile.

4. At issue is how tightly the data access/security profile is focused relative to the position. Again, the focus is on the duties of the individual and not the individual per se. During system implementation/upgrade/maintenance the focus has to be defined on a functional level relative to the security philosophy of the organization. A broad focus might allow everyone in a small “HR” function to have access to all data, because their position duties require it. On the other hand, in a large organization only those performing the specific function would have access to the relevant data, because their position duties may be narrow in scope.

5. On some periodic cycle, someone (IT/HR/Security Czar) must review each position’s functional duties to determine if it has the appropriate data access/security profile (security audit) that allows the holder to perform those duties in an effective and efficient manner. This audit could be included in the periodic review of a position’s duties for job evaluation. A Benefits Mgr who cannot access an employee’s payroll deductions for health care may not be able to balance and reconcile monthly carrier bills in a timely manner, thus leading to over/under payments. This does not mean direct access to the entire Payroll system. It means access to just the data needed to balance and reconcile monthly carrier bills against the employees’ Payroll deduction amounts.
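As an added illustration of points 2 through 5 (not code from the original post), here is a small Python model of a position-linked data access/security profile, the automatic re-link when a position changes, and a periodic audit of granted versus required access. The position titles and data elements follow the post; the profile contents, the “HR Generalist” position and the duty review fed to the audit are constructed assumptions.

```python
# Added example, not from the original post. Models a position-linked data
# access/security profile: access is tied to the position, not the person.
from dataclasses import dataclass

# Data elements named in the post (the labels are assumptions).
BASE_PAY = "base_pay"
DEPENDENT_DATA = "dependent_data"
MEDICAL_PLAN_OPTION = "medical_plan_option"
CORRECTIVE_ACTION_HISTORY = "corrective_action_history"
PAYROLL_HEALTH_DEDUCTIONS = "payroll_health_deductions"
FULL_PAYROLL = "full_payroll"  # the entire Payroll system, which the post says is not needed

# Constructed profiles keyed by position title. "HR Generalist" is a made-up
# position with an over-broad profile so the audit below has something to find.
PROFILES = {
    "Benefits Mgr": {BASE_PAY, DEPENDENT_DATA, MEDICAL_PLAN_OPTION, PAYROLL_HEALTH_DEDUCTIONS},
    "Employee Relations Mgr": {CORRECTIVE_ACTION_HISTORY},
    "HR Generalist": {BASE_PAY, DEPENDENT_DATA, FULL_PAYROLL},
}

@dataclass
class Employee:
    name: str
    position: str

def can_access(emp, element, profiles=PROFILES):
    """Resolve access through the employee's current position only."""
    return element in profiles.get(emp.position, set())

def change_position(emp, new_position):
    """A position change re-links the profile automatically; nothing carries over."""
    emp.position = new_position
    return emp

def audit_profiles(profiles, required_by_position):
    """Periodic security audit: compare granted access with what the duties require.
    Returns {position: (excess, missing)} for every position that is out of line."""
    findings = {}
    for position, required in required_by_position.items():
        granted = profiles.get(position, set())
        excess, missing = granted - required, required - granted
        if excess or missing:
            findings[position] = (sorted(excess), sorted(missing))
    return findings
```

Running the audit against a duty review that says the HR Generalist only needs base pay, dependent data and the health-care payroll deductions flags `full_payroll` as excess and `payroll_health_deductions` as missing, which is exactly the over/under-scoped profile the post warns about.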

6. A breach in employee protected health information (PHI) security is more than just an embarrassment to the impacted parties. Depending on the data that is breached, the scope, and the duration of the breach, there could be an issue with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy rules (http://www.hhs.gov/ocr/privacy/). Violation of HIPAA could carry with it certain monetary and criminal penalties as well as notification requirements (not an inexpensive process) to those potentially affected by the breach. In addition, a breach of non-PHI data may not be covered under HIPAA; nevertheless, it could be covered under state law, union agreements, client contracts, vendor agreements, and/or organizational policies. Finally, while the possibility of “corporate espionage” may seem overstated, it does occur, and appropriate data access/security profiles and audits help to prevent it. (http://abcnews.go.com/Business/story?id=2161750&page=1)

7. This means increased oversight of who uses the data, for what purposes, how data is stored/retrieved/transmitted, data backup and recovery procedures, and the necessary data safeguards, including security audits. It means that employees have to be educated in their role in protecting and securing data from possible abuse/misuse. Employee education often takes the form of initial training at hire and follow-up training on an annual basis. Initial and annual follow-up should provide for some means of objective testing and recording of results as well as retraining/retesting for any employees who “fail”. Protected data that can be copied to a CD, downloaded to a laptop that then walks out the front door, or sent over an open, unencrypted electronic transmission represents a significant security issue.

8. Clear, appropriate, and well-communicated corporate policies concerning data access and security are essential to a well-managed organization. This also includes dealing with corrective action in the event that data access and security is breached. These policies must deal with both organizational processes and HR issues. Whether intentional or unintentional, a breach of employee, patient, member, client, and/or vendor data could have far-reaching public opinion, economic, and legal ramifications, including the very survival of the organization.
