June 28, 2022

Employee Medical Data And Privacy: Key Questions For Building Or Refining Your Tech Infrastructure.

Anthony Capone is the president of DocGo, a leading AI-powered mobile health services and transportation provider.

As the cost of healthcare continues to rise, a new dawn is emerging for employer health plan management. This radical transformation taking place is fueled in part by the Covid-19 pandemic, the rise of digital health technologies and new, easily accessible capabilities for employers of all sizes. More and more companies are replacing traditional, fully insured plans with customized, self-funded insurance plans, in which employers choose to pay for some or all the health services of their workers directly.

A study by Statista found that 64% of all insured employees were covered by self-funded plans in 2021, compared to just 44% in 1999. These types of plans are a strategic way for employers to substantially lower costs and improve a health plan’s offerings without negatively impacting the health of their employees. But this shift has also unearthed a series of organizational challenges, including concerns around employee medical records and privacy.

It has quickly become clear that most human resource organizations and departments are not set up—or, in many cases, equipped—to properly manage employee health records. With a slew of regulations around patient data and the ramifications of potential HIPAA violations, employers and their HR managers have found themselves in need of guidance, systems to properly handle data and compliance, additional training and sometimes even an upgraded technology infrastructure.

As we move further into 2022 and beyond, sensitive data, such as employee medical records, will remain a key consideration when building or refining a business infrastructure. Below are questions companies of all sizes should be asking themselves and their IT leaders.

Data accessibility: Who has access to information?

The biggest and most practical piece is understanding whether a company has the right setup and data architecture. Specifically, who has access to sensitive data? Does the infrastructure grant broader access to specific shared folders than is actually needed? For instance, there’s little reason for the entire human resources department to have access to confidential employee files, particularly medical records. Since the ramifications of violating patient privacy can be significant, the scope can and should be limited to a handful of key people—or even just a single person—to prevent any potential issues.

To further complicate matters, many companies seek assistance from third parties in performing activities or processes that involve the use or disclosure of personal health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA, among its many other purposes, authorizes the federal privacy rules for health information. More specifically, its Privacy Rule regulates how a health plan or covered healthcare provider shares PHI with a patient’s employer.

As healthcare data continues to grow, it’s imperative that businesses have a business associate agreement (BAA) in place with any partner with which they share data. This legal contract outlines the responsibilities each party has in managing PHI, establishes HIPAA compliance obligations and documents each party’s commitment to protecting patient data. Failure to enter into a BAA with every vendor that is provided with or given access to PHI is one of the most common violations and can result in major financial penalties.

According to the U.S. Department of Health and Human Services, since the compliance date of the Privacy Rule in April 2003, the Office for Civil Rights has “settled or imposed a civil money penalty in 110 cases resulting in a total dollar amount of $131,563,132.”

Data storage and security: How is employee data handled?

In addition to access patterns, consider storage. Is employee data cryptographically signed? Does every record in the database have a defined storage mechanism? Does the company abide by the strongest security and encryption protocols? Data storage becomes materially more challenging with hundreds or thousands of employees on the payroll, particularly when it comes to privacy.

The pandemic has further complicated storage concerns. For example, with employees regularly getting tested for Covid-19, any positive case triggers a chain of events, including conversations and decisions about an employee’s work schedule, changes in shifts, alerting the exposed and more. Without proper data storage and access, an employee’s sensitive patient data could quickly turn from a private to a public matter.

For employers, a critical step regarding data storage involves choosing a human resources information system (HRIS). HRIS software offers monitoring capabilities to help stay up to date and in compliance with ever-evolving regulations and data security measures.

BambooHR is an affordable and compliant HRIS solution for smaller organizations, while Workday is an effective and compliant, albeit a bit pricey, HRIS for larger companies.

Data purging: When and how are you removing sensitive information?

There are numerous considerations tied to data purging, including costs, timing, privacy and more. It’s also generally assumed that the larger the dataset, the greater the potential for a data breach. When it comes to sensitive data, such as employee medical records, having a plan and process in place to address purging can prevent many issues, including sensitive data ending up in the wrong hands, be it inside or outside the company. Even if done without malice or by accident, sharing someone’s medical records, such as past Covid-19 test results, is a potential HIPAA violation.

Health information, in general, can be used against an employee years down the road, making it imperative for organizations to ensure that their infrastructure is up to date and operating at the highest standards.