Panera and UnderArmour are the latest large companies to experience data security breaches, according to a Washington Post article. Hackers stole consumer information from the rewards programs offered by both companies. While this is concerning to us as consumers, as HR professionals, you should really be frightened.

There are two types of data you collect about your employees:

• Protected health information (PHI): individually identifiable health information
• Personally identifiable information (PII): any information that can be used to distinguish or trace an individual’s identity, either alone or in combination with other personal or identifying information.

You are required by law to protect both types of data. The consequences are steep if you don’t.

Protected Health Information

The Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), provides detailed privacy rules that apply directly to individually identifiable healthcare data. Covered entities, which include providers, insurers, and clearinghouses, are obligated to treat patient information in accordance with HIPAA.

HIPAA is a federal law that pre-empts state laws, so it is the law of the land unless a specific exception applies. According to the Department of Health and Human Services, there are three valid exceptions, meaning state law supersedes HIPAA when it:

1. Relates to the privacy of individually identifiable health information and provides greater privacy protections or privacy rights with respect to such information
2. Provides for the reporting of disease or injury, child abuse, birth, or death, or for public health surveillance, investigation, or intervention
3. Requires certain health plan reporting, such as for management or financial audits. In these circumstances, a covered entity is not required to comply with a contrary provision of the Privacy Rule.

In 2009, the Health Information Technology Economic and Clinical Health (“HITECH”) broadened HIPAA to include business associates, directly requiring their compliance with HIPAA. HITECH requires business associates to have certain provisions in place for security, breach notification, and minimum use in business associates’ agreements with covered entities and other business associates. HITECH also allows for criminal and civil fines for “willful neglect” of HIPAA compliance.

The best way to avoid these penalties is by using HIPAA-compliant software. For example, Foothold Technology’s platform for managing human services cases is both HHS and HIPAA-compliant, so you can trust that your data is optimally secured.

Personally Identifiable Information

Unlike HIPAA, there is no federal law that governs liability when PHI is violated. The Federal Trade Commission has some enforcement, but that mostly involves marketing companies misleading the public or technology companies tracking consumer information without consent.

State laws govern the protection of PHI. Some states have stricter, more formal laws. You need to understand the laws of the state(s) where you do business to ensure you are protecting PII in accordance with all applicable laws.

Penalties and Jail Time

Your company can face stiff fines if there is a PHI or PII breach, and you could face both financial penalties and jail time. Section 13410(D) of the HITECH Act established the following violations and penalties:

87%

of the US population is likely unique enough to be identified by:

• Date of birth
• Gender
• Zip code

Source: Latanya Sweeney, CMU

Financial Penalties

TierFine1The covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation.$100-$55,010 for each violation, up to a maximum of $1,650,300 for identical provisions during a calendar year.2The HIPAA violation had a reasonable cause and was not due to willful neglect.$1,00-$55,010 for each violation, up to a maximum of $1,650,300 for identical provisions during a calendar year.3The HIPAA violation was due to willful neglect, but the violation was corrected within the required time period.$11,002-$55,010 for each violation, up to a maximum of $1,650,300 for identical provisions during a calendar year.4The HIPAA violation was due to willful neglect, and was not corrected.$55,010 or more for each violation, up to a maximum of $1,650,300 million for identical provisions during a calendar year.

Criminal Penalties

TierFineUnknowingly or with reasonable causeUp to 1 yearUnder false pretensesUp to 5 yearsFor person gain and malicious reasonsUp to 10 years

The government is aggressively addressing HIPAA violations:

Case 1

CardioNet to pay

$2.5 M

for not understanding HIPAA requirements creates risk (HHS.gov)

Case 2

A doctor received

4 months

in prison,1-year supervised release, and $2K in fines (MPR)

The health system (employer) paid

$800K

in civil penalties

In both cases cited above, the courts ruled that ignorance of the law in no excuse. That means you need to be diligent about protecting your employee PHI and PII, or your company could face civil penalties, and you could be fined and possibly go to jail. It’s time to take the security of your employee and customer data seriously.