This Halloween, the ghosts and goblins aren’t the only scary creatures out there. Now we have new threats that are very real and come in the form of computer hacks, malware, and phishing scams. The recent Equifax breach has shown us how vulnerable our personal data really is.
Having a smaller company doesn’t protect you either. You may think that hackers won’t attack your company’s data because you don’t have millions of records like Equifax, but you’re wrong. Last week, a coworker received a call about booking hotel rooms for a conference our company is attending next year. The caller said that all rooms in the area of the conference were booked, but he could get us in if we reserved rooms through him.
My coworker recognized this as a scam and hung up with no damage done. It’s likely that the scammer got our name from the exhibitor section of the conference website. The point is, people are out there looking for ways to get access to your company’s credit card data and the other personally identifiable information it holds about you, your clients, or their members.
Be alert at all times!
Your benefits data contains personal information about your employees, so it’s protected under HIPAA. The HIPAA Privacy Rule protects the privacy of individually identifiable health information. The Security Rule protects a subset of information covered by the Privacy Rule, which is all individually identifiable health information a covered entity creates, receives, maintains or transmits in electronic form.
To protect yourself and your data, you have agreements in place with your carriers or third-party administrators (TPAs), who are considered covered entities. All vendors accessing that data on your behalf, like a disease management vendor or your benefit advisor, are considered business associates and must also comply with HIPAA.
While hackers are a huge problem, many data breaches result from simple, unintentional human errors. But a breach is a breach, and you must be sure the vendors you rely on to secure your data have security measures in place to keep it safe.
Anyone working with healthcare data must undergo training. But in everyday practice, how well do you or your vendors adhere to this requirement? Think about the protected health information (PHI) or personally identifiable information (PII) you have or your vendors have. Do you/they:
If you answered yes to any of these questions, you’re exposing yourself to a data breach. If you email data, it must be encrypted, with the encryption key shared through a separate, secure channel.
While you won’t face the Spanish inquisition like Poe’s character in The Pit and the Pendulum, you could be in serious trouble.
Take these steps yourself, and make sure your benefit advisors do the same:
One of the best ways your benefits advisors can reduce the risk of a data breach is to consolidate all their client data with a third-party vendor that provides a secure, HIPAA-compliant platform. Make sure the vendor undergoes third-party security audits to certify its security protocols.
If your advisor is procuring a third-party vendor, make it an analytics vendor so you can get more out of your data than just secure storage. An analytics vendor can integrate your data across programs and provide insight into the issues driving costs in your population. Identifying trends and population health issues will enable you to make benefit design changes that improve your company’s health and reduce costs.
It could also keep you from running afoul of your fiduciary responsibilities outlined under ERISA.
It’s even better if the analytics platform is collaborative. That way, you can share information with others strictly within the platform itself, so data never leaves the HIPAA-compliant environment.
Protect yourself and your company from data breaches to prevent a Poe-like nightmare from happening to you and your company.