Quick look: Several tech companies are facing scrutiny (and lawsuits) for violating HIPAA rules by tracking sensitive health data and using it to generate ads. In this age of information, data sharing is commonplace but can quickly be taken too far. How then can employers ensure their employees’ personal information isn’t also at risk?
Data sharing and data privacy don’t always go hand-in-hand. In fact, KFF Health News recently reported that a few major tech companies have been caught violating HIPAA rules and misusing other sensitive consumer data. Per the U.S. Department of Health and Human Services, “the HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other individually identifiable health information… and requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization.”
In an investigation with The Markup, KFF Health News found trackers, regularly referred to as “pixels,” on 12 of the biggest U.S. drugstores’ websites. These pixels were implemented to share information about specific products customers viewed with some of today’s biggest social media and advertising platforms, including Google, Microsoft, and Meta (formerly known as Facebook).
Pixels collect information about what a visitor does on a website and send it to these firms, which use it to target ads based on the individual’s search history. Beyond pharmacies, these pixels were also found transmitting information from hospitals, telehealth startups, and tax preparation companies.
While receiving targeted ads has been largely normalized, people may not realize that these privacy violations extend to health-related search and purchase history, such as HIV tests, pregnancy tests, and Plan B emergency contraception. The same exposure also applies to people using notable discount medication websites and online therapy platforms, some of which have also been under scrutiny from the Federal Trade Commission (FTC) regarding data misuse.
How this affects employers
When private health information is shared with outside entities without safeguards, it puts people’s rights in jeopardy. This information can be used to inform decisions that lead to the denial of health insurance coverage or care, among other harmful repercussions. Because of the way some tech companies are harvesting this information, it’s important to inform employees of instances where their data may be shared and the implications it may have.
Employers are in a position to help protect their employees from data breaches. In fact, they’re required to maintain compliance with privacy protection rules, and any lapse could lead to financial and legal complications. This is where a professional employer organization (PEO) partner can step in and ensure companies are kept up-to-date. Given how quickly regulations change, it’s beneficial to have risk and compliance experts in place to adapt accordingly.
What employee data must be kept confidential?
Regulations under the Americans with Disabilities Act (ADA) and the Genetic Information Nondiscrimination Act (GINA) require all employers to separate medical information from an employee’s personnel file. Some employers may also be required to follow HIPAA regulations, depending on the nature of the business.
Additionally, the Electronic Communications Privacy Act (ECPA) regulates access to all “email, telephone conversations, and data stored electronically.” Therefore, business leaders should be aware of the type of data gathered, how it’s collected and stored, and who can access it. This information may include but is not limited to:
- Home address and phone numbers
- Spousal and family information
- Background check information
- Medical history including genetic conditions
- Social Security numbers
Because this information is both sensitive and necessary, developing secure recordkeeping policies is essential. Here are a few tips on how to keep employee data protected.
Current and potential employees should know how and why the company collects, uses, and discloses certain data. This includes geographical, background check, and health record information. These policies must uphold all current local, state, and federal regulations and be clearly communicated to employees before they submit their information.
With changes in regulations as well as technology, it’s best to schedule periodic audits of company policies and processes to prevent data breaches and cybersecurity attacks. For companies maintaining physical records, the number of people with access should be limited, and a log should record when and why files were accessed. There should also be established methods of disposal as applicable.
Since most records are now digital, the same level of safety and security should apply: restrict access to a limited set of people and ensure the data cannot be accessed for unauthorized purposes. Access rights should also be updated or revoked when those with credentials leave the company, to prevent misuse by former employees.
Company privacy policies should also clearly lay out what personal employee data the company has access to. This typically includes non-work communications involving activities on computers and other programs owned by the company. The policy should also identify the reasons for any disclosures of this data, which may be shared with employees but remains with the company.
It’s also important to be transparent about any company monitoring at work, such as the use of productivity tools, video conferencing software, and other security programs designed to track location and usage. With more companies open to remote work, some monitoring may be necessary to keep employees and business data protected, but it may feel invasive unless communicated properly.
Hackers are becoming more sophisticated, which means updating cybersecurity regularly is crucial. Employers must protect their networks, servers, and hardware without allowing their firewalls and antivirus tools to lapse. Some employers may also choose to set up virtual private networks (VPNs) to encrypt data, as well as implement passkeys and/or multi-factor authentication to verify that login credentials belong to authorized users.
How a PEO helps employers remain compliant
It’s no small undertaking to maintain compliance. The rules are constantly changing as new technology and information come to light. Though due diligence is a benefit to employees, it also protects employers from potential lawsuits for mishandling employee information.
A PEO partner like ExtensisHR stays current on compliance requirements and facilitates a customized safety action plan and maintenance program to educate your workforce and establish best practices. This is part of a comprehensive HR solution that also includes benefit administration, recruiting and talent management, advanced reporting, and more. This lets employers focus on business growth initiatives and feel more confident moving forward.
At ExtensisHR, we tailor HR plans to meet a company’s evolving needs and ensure they maintain compliance every step along the way. Contact our team today to learn how working with us can benefit you.