Friday, November 15, 2019

Data Breach Pitfalls and the PHI Pendulum

This Halloween, ghosts and goblins aren’t the only scary creatures out there. We now face threats that are all too real: hacking, malware, and phishing scams. The Equifax breach showed just how vulnerable our personal data really is.

Having a smaller company doesn’t protect you either. You may think hackers won’t go after your company’s data because you don’t hold millions of records like Equifax, but you’re wrong. Last week, a coworker received a call about booking hotel rooms for a conference our company is attending next year. The caller said all the rooms near the conference were booked, but he could get us in if we reserved through him.

My coworker recognized this as a scam and hung up, with no damage done. The scammer most likely got our name from the exhibitor list on the conference website. The point is, people are out there looking for ways to get at your company’s credit card numbers and the other personally identifiable information it holds about you, your clients, or their members.

Be alert at all times!

HIPAA Privacy and Security Rules

The health information in your benefits data is protected under HIPAA because your group health plan is a covered entity. The HIPAA Privacy Rule protects all individually identifiable health information that a covered entity or its business associates hold, in any form. The Security Rule covers a subset of that information: the individually identifiable health information a covered entity creates, receives, maintains, or transmits in electronic form (electronic PHI, or ePHI).

To protect that data, you have agreements in place with your carriers, which are covered entities in their own right, and with your third-party administrators (TPAs). Any vendor that accesses the data on your plan’s behalf, including a TPA, a disease management vendor, or your benefit advisor, is a business associate: it must sign a business associate agreement (BAA) and is directly responsible for complying with HIPAA.

How Secure is Your Benefit Advisor?

While hackers are a huge problem, many data breaches stem from simple, unintentional human error. But a breach is a breach, and you must be sure the vendors you entrust with your data have security measures in place to keep it safe.

Anyone working with healthcare data must undergo training. But in everyday practice, how well do you or your vendors adhere to that training? Think about the protected health information (PHI) or personally identifiable information (PII) that you or your vendors hold. Do you/they:

  • Keep data on an unencrypted computer? Have you ever left that computer in an unlocked car?
  • Have PHI or PII sitting in binders on your office shelves?
  • Leave your office door unlocked when you aren’t there, during the day or at night?
  • Keep file drawers unlocked?
  • Send PHI or PII in email:
      • With your benefits advisor, carrier, or TPA?
      • Internally, with your leadership or fellow HR staff?

If you answered yes to any of these questions, you’re exposing yourself to a data breach. If you must email PHI or PII, encrypt the file (or the message itself), and send the decryption key or passphrase through a separate, secure channel, never in the same email.
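As an added example that is not part of the original post, the POSIX shell script below encrypts a file before it is attached to an email, using openssl(1), which it assumes is installed (version 1.1.1 or later, for the -pbkdf2 option). The sample claims extract and the passphrase are constructed for the demo. Only the .enc file goes in the email; the passphrase goes to the recipient by a separate channel. The two check functions cover the properties worth verifying before trusting the process: the attachment no longer contains the plaintext and decrypts correctly with the right passphrase, and a wrong passphrase yields nothing usable.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl(1) 1.1.1 or later
# (needed for -pbkdf2). The passphrase travels to the recipient by a separate
# channel such as a phone call; the email carries only the .enc attachment.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample data: a small claims extract with fictitious member IDs.
write_sample() {
  printf 'member_id,dob,diagnosis_code\nM0001,1980-01-01,E11.9\nM0002,1975-06-30,I10\n' > "$1"
}

# encrypt_file PLAIN CIPHER PASSPHRASE
# AES-256-CBC with a random salt; PBKDF2 at 600,000 iterations makes guessing
# the passphrase expensive. The passphrase reaches openssl through the
# environment (-pass env:), not as a command-line argument, which any local
# user could read from the process list.
encrypt_file() {
  PHI_PASS="$3" openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass env:PHI_PASS
}

# decrypt_file CIPHER PLAIN PASSPHRASE: the recipient's side.
decrypt_file() {
  PHI_PASS="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
    -in "$1" -out "$2" -pass env:PHI_PASS
}

# roundtrip_ok PASSPHRASE: succeeds when the ciphertext no longer contains the
# plaintext and decrypting it reproduces the original file byte for byte.
roundtrip_ok() {
  write_sample "$WORK/claims.csv"
  encrypt_file "$WORK/claims.csv" "$WORK/claims.csv.enc" "$1"
  if grep -q 'M0001' "$WORK/claims.csv.enc"; then
    return 1   # plaintext leaked into the attachment
  fi
  decrypt_file "$WORK/claims.csv.enc" "$WORK/claims.dec" "$1"
  cmp -s "$WORK/claims.csv" "$WORK/claims.dec"
}

# wrong_key_fails PASSPHRASE WRONG_PASSPHRASE: a wrong passphrase must never
# yield the data. openssl normally reports "bad decrypt" (the CBC padding
# check fails); in the rare case the padding happens to look valid, the output
# is still garbage, so the content is compared as well.
wrong_key_fails() {
  write_sample "$WORK/claims.csv"
  encrypt_file "$WORK/claims.csv" "$WORK/claims.csv.enc" "$1"
  if decrypt_file "$WORK/claims.csv.enc" "$WORK/claims.bad" "$2" 2>/dev/null; then
    ! cmp -s "$WORK/claims.csv" "$WORK/claims.bad"
  else
    return 0
  fi
}

# Demo. In practice: attach claims.csv.enc to the email, then phone the passphrase.
PASSPHRASE='example-passphrase-do-not-reuse'   # constructed for the demo
roundtrip_ok "$PASSPHRASE" && echo "encrypt/decrypt round trip: OK"
wrong_key_fails "$PASSPHRASE" 'not-the-passphrase' && echo "wrong passphrase rejected: OK"
```

A password-protected ZIP or Office file is a weaker substitute: the legacy ZIP encryption is easily cracked, and a passphrase sent in the same email, or in a follow-up to the same mailbox, hands an attacker who reads that mailbox both halves. Where the volume justifies it, S/MIME encryption or a secure portal removes the manual key exchange altogether.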

While you won’t face the Spanish Inquisition like Poe’s narrator in The Pit and the Pendulum, you could be in serious trouble.

  • In many companies, causing a data breach is grounds for dismissal.
  • HIPAA’s Breach Notification Rule requires that breaches be reported to the affected individuals and to HHS, and to the media when more than 500 individuals are affected, so your reputation and your company’s could suffer. You may lose clients.
  • If fines are imposed, they could put your company out of business.
  • Individuals who knowingly misuse PHI can face personal penalties, including criminal ones.

What can you do?

Take these steps yourself, and make sure your benefit advisors do the same:

  • Follow your security training so you don’t put PHI or PII at risk.
  • As a company, talk openly and often about the importance of protecting PHI and PII.
  • Conduct a security risk assessment to identify your exposure, then implement additional safeguards for all data, including PHI and PII.

One of the best ways your benefits advisors can reduce the risk of a data breach is to consolidate all their client data with a third-party vendor that provides a secure, HIPAA-compliant platform. Make sure the vendor signs a BAA and undergoes independent security audits. Keep in mind that HHS does not certify anyone as “HIPAA compliant,” so ask for the evidence behind the claim, such as a SOC 2 Type II or HITRUST report, rather than taking the label at face value.

Data Warehouse versus Analytics Vendor

If your advisor is procuring a third-party vendor, make it an analytics vendor so you get more out of your data than secure storage alone. An analytics vendor can integrate your data across programs and show which issues are driving costs in your population. Identifying trends and population health issues lets you make benefit design changes that improve your employees’ health and reduce costs.

It could also help keep you from running afoul of your fiduciary responsibilities under ERISA.

It’s even better if the analytics platform is collaborative. That way, you can share information with others strictly within the platform itself, so data never leaves the HIPAA-compliant environment.

Protect yourself and your company from data breaches so that a Poe-like nightmare never becomes your own.
