Companies have a duty to protect their own data, as well as any employee and client data entrusted to them. Employment records contain sensitive personal details, so employment contracts and related documents must be safeguarded. Beyond general employment records, many companies offer their employees health insurance, which generates its own detailed paperwork, and some contract with firms better equipped to administer those plans. Other companies hold healthcare-related contracts because of their industry or area of expertise. Whatever healthcare information a company holds, and whatever its reasons for entering into healthcare contracts, that data must be vigilantly protected. Here is why healthcare data and contract security is more important than ever:
Data Breach Costs and Fallout
Even a small data breach can bring costly and lingering consequences. Beyond containing the incident and likely paying restitution or damages to those affected, a breach usually forces a thorough analysis and overhaul of the company's IT systems and security. The cumulative costs can include attorneys' fees, litigation costs, higher insurance premiums, regulatory penalties, damages, and consulting fees, among others. Even a company that can absorb those costs may not survive the fallout, as clients lose faith and take their business elsewhere. Proactive protection of health-related data is therefore the best course of action.
Key Regulations
The Health Insurance Portability and Accountability Act (HIPAA) was the first federal legislation to establish the importance and urgency of protecting healthcare information. Its Privacy and Security Rules give healthcare consumers rights over their protected health information (PHI) and impose privacy and security requirements on those who handle it. From a business standpoint, the covered entities that must comply are health plans (including insurers), healthcare providers, and healthcare clearinghouses; software companies that develop and maintain electronic health records and other databases holding PHI are typically bound as business associates rather than covered entities, but they must comply as well.
In addition, companies often contract or subcontract with other firms for services that require access to or review of private health information. Under HIPAA these contractors are business associates: any vendor that creates, receives, maintains, or transmits PHI on a covered entity's behalf, and any subcontractor of such a vendor, must abide by the regulations, and the relationship must be documented in a business associate agreement. It is therefore important to determine whether your company falls under this obligation and to ensure that the appropriate security measures are in place.
With the growing reliance on technology and electronic health records, the Health Information Technology for Economic and Clinical Health Act (HITECH) was passed in 2009 to promote the adoption of technology for maintaining health information. By encouraging electronic record-keeping, it also expanded the scope of the mandated privacy and security protections: it made business associates directly liable for compliance, added a breach notification requirement, and paired its adoption incentives with tiered, substantially higher penalties for violations. Many healthcare technology firms fall within the purview of these regulations, one more reason among many that companies must take data protection and security seriously.
Another federal law that bears on healthcare data security is the Employee Retirement Income Security Act (ERISA). It imposes fiduciary duties on those who administer employee benefit plans, including health plans, and those duties are generally understood to include keeping participants' information private and confidential. As with the other regulations, ERISA may therefore apply to companies whose employee health plans give them access to private health information, and to companies that contract with others to help manage such information.
Ultimately, any company involved in healthcare or with access to healthcare data must determine whether these regulations apply to it and, if so, make data security a central component of its IT strategy.