This article was updated on July 12, 2018.
Employee wellness programs give organizations the opportunity to provide better health outcomes to their valued employees and help increase workplace productivity. Better health outcomes can lead to positive results, such as reduced company-paid health costs and reduced absenteeism. Yet, employee wellness programs come with a risk relating to the security of private health information collected in connection with those programs. Hackers are getting more technically capable every day and are increasingly targeting health records.
According to the U.S. Department of Health and Human Services, there have been over 400 "large" breaches (500 records or more breached) of protected health information in the last two years, impacting tens of millions of people. These breaches have happened via laptops, desktops, network servers, and portable electronic devices, as well as old-fashioned paper files.
Direct and Indirect Penalties for Breaches of Health Information
In addition to the public embarrassment and the justifiable anger from those who gave out their health information (assuming it would be kept confidential), there are regulatory penalties for failing to comply with privacy standards defined in the 1996 Health Insurance Portability and Accountability Act (HIPAA). Each violation of the law can cost you up to $50,000, and even more if you don't have adequate protective systems in place. HIPAA applies to anyone collecting and managing protected health information, which would include employee wellness programs. Whether you outsource your wellness program or manage it in-house, you'll need to maintain the data security of employee health information.
5 Best Practices for Health Data Security in Wellness Programs
1. Establish protocols
First and foremost, you should have clear privacy policies and procedures in place for anyone handling employee health data. Of course, those policies and procedures should be fully compliant with HIPAA and other related state laws. A firewall should also be installed between those handling the data on behalf of the wellness program and the people making all operational decisions. Because employees are already hesitant to disclose private health information, freely communicate that this information is only for the wellness program and no other purpose.
2. Educate systematically
Have regular and effective security and awareness training for all staff and vendors who work with protected health information. Every organization is only as strong as its weakest link, so employees who become casual about compliance (for example, leaving a post-it note with their passwords on their computer) put the entire reputation of the wellness program at risk. When staff working on the wellness program violate the rules, take it seriously and deal with the situation swiftly.
3. Encrypt data
Use strong data encryption, whether on a desktop, laptop, server or other device, as a way to keep data confidential. Encryption makes data unintelligible to anyone without the code to decrypt, so it's a pivotal layer of security against hackers. When sharing protected health care information by email, these messages should also be encrypted.
4. Employ secondary verification
Use multi-factor authentication as an additional security measure. This would require users who want to have access to protected information to have both a password and additional method, such as a smartcard, authentication app or biometric (a fingerprint, for example). Similar to encryption, multi-factor authentication represents a further level of data security in your efforts to prevent unauthorized disclosures of information.
5. Examine internally
Review and audit your policies and procedures, ensuring that your staff and partners are following them. Always retain your audit records in case your compliance efforts are called into question by regulators, who will then audit you independently. In every partner/supplier agreement, be certain that you reserve the right to audit said partner for compliance related to the protection of employee health information. Work with your partners to carefully define HIPAA compliance best practices, including the necessity of your partner's use of encryption and multi-factor authentication, which will help to certify that they don't transfer protected employee health data to anyone without your approval. The Office of the National Coordinator for Health Information Technology also offers a very detailed, 21-page "approach" to protect employee health information, with a wealth of related links and pertinent resources therein.