So much is changing in the working world, but the need to keep your people data secure is one thing that will stay constant.
Employers manage a large amount of sensitive people data, including Social Security numbers, salaries, and background check results. Many are also now tracking employee health data including COVID-19 vaccination status, test results, and sick leave.
How should this data be managed? Does the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule apply to health data? And how can your software vendors help protect your employee data?
There has been a lot of confusion around data security as it relates to employee health data, which is no surprise. Employers must navigate a patchwork of federal and local regulations, and it can be challenging to discern which apply and when. Here’s some guidance to help you get started.
HIPAA doesn’t apply to employers
HIPAA is the U.S. standard governing health information exchanged between a healthcare provider and a patient. It ensures that individuals’ health information is protected while allowing the flow of health information needed to provide high-quality health care and protect the public health.
The U.S. Department of Health and Human Services recently issued guidance to remind the public that the HIPAA Privacy Rule does not apply to employers or employment records. The HIPAA Privacy Rule only applies to covered entities, including health plans, health care clearinghouses, and health care providers that conduct standard electronic transactions. In some cases, it may also apply to covered entities’ business associates.
However, HIPAA generally prohibits a doctor’s office from disclosing an individual’s protected health information to the individual’s employer, unless the disclosure is authorized by the individual. This includes COVID-19 vaccination status and medical history.
Data security is paramount for risk mitigation and compliance
Although HIPAA doesn’t apply to employers, getting HR data security right is still of the utmost importance. Here are some areas to consider in this regard:
- Liability. Data breaches can create enormous liability for employers. This can include legal, financial, and reputational impacts.
- ADA compliance. The Americans with Disabilities Act (ADA) requires U.S. employers to keep employee medical information confidential and stored separately from the employee’s personnel files.
- GDPR compliance. In European countries that allow employers to process employee health data, that processing is subject to the General Data Protection Regulation (GDPR). For instance, employers may only retain COVID-19 vaccination records and test results for as long as necessary, which would be a shorter time period for test results than for vaccination records.
- Compliance with other federal and local regulations. Data privacy legislation can vary by location. For example, the California Consumer Privacy Act (CCPA) requires covered employers to safeguard personal information. California residents may also seek statutory damages when an employer’s failure to implement reasonable security measures results in a breach related to vital employee data.
SOC 2 Type II attestation is the gold standard for keeping data safe
If your organization is storing employee data—including health data—it’s crucial to keep it secure. Safeguard sensitive employee data by working with technology partners that use a shared security model to ensure industry-standard controls. A SOC 2 Type II attestation is considered the gold standard for keeping data safe. Technology vendors should also undergo regular penetration testing and security reviews, and encrypt people data at rest and in transit for maximum security and privacy.
Keep in mind that not all HR solutions are created equal when it comes to HR data security and privacy. Sapling has achieved SOC 2 Type II compliance, undergoes regular penetration testing and security reviews, encrypts data at rest and in transit, and is designed to be GDPR compliant. This enables People Operations teams to securely track all people data in one unified system.
Final thoughts on keeping people data secure
Keeping sensitive people data secure is not a new responsibility for most employers, though security is certainly worth revisiting regularly. Cyber attacks are on the rise and employers may be collecting more people data than ever before. Keep that data safe from external hackers or unauthorized internal personnel by putting the right systems, protocols, and training in place. For instance, set appropriate user permissions in your HR systems, make sure team members know how to create strong passwords, and remind team members to never share logins.
Employee data security is a responsibility your organization—and your technology partners—should take very seriously.