Panera and UnderArmour are the latest large companies to experience data security breaches, according to a Washington Post article. Hackers stole consumer information from the rewards programs offered by both companies. While this is concerning to us as consumers, as HR professionals, you should really be frightened.
There are two types of data you collect about your employees:
You are required by law to protect both types of data. The consequences are steep if you don’t.
The Health Insurance Portability and Accountability Act of 1996, as amended (“HIPAA”), provides detailed privacy rules that apply directly to individually identifiable healthcare data. Covered entities, which include providers, insurers, and clearinghouses, are obligated to treat patient information in accordance with HIPAA.
HIPAA is a federal law that pre-empts state laws, so it is the law of the land unless a specific exception applies. According to the Department of Health and Human Services, there are three valid exceptions, meaning state law supersedes HIPAA when it:
In 2009, the Health Information Technology for Economic and Clinical Health Act (“HITECH”) broadened HIPAA to include business associates, directly requiring their compliance with HIPAA. HITECH requires business associates to have certain provisions in place for security, breach notification, and minimum use in business associates’ agreements with covered entities and other business associates. HITECH also allows for criminal and civil fines for “willful neglect” of HIPAA compliance.
Unlike PHI, which HIPAA governs, PII is not covered by a single federal law that governs liability when it is compromised. The Federal Trade Commission has some enforcement authority, but that mostly involves marketing companies misleading the public or technology companies tracking consumer information without consent.
State laws govern the protection of PII. Some states have stricter, more formal laws. You need to understand the laws of the state(s) where you do business to ensure you are protecting PII in accordance with all applicable laws.
Your company can face stiff fines if there is a PHI or PII breach, and you could face both financial penalties and jail time. Section 13410(D) of the HITECH Act established the following violations and penalties:
[Infographic: share of the US population likely unique enough to be identified by a small set of attributes. Source: Latanya Sweeney, CMU]
Civil penalties
Tier 1: The covered entity or individual did not know (and by exercising reasonable diligence would not have known) the act was a HIPAA violation. Fine: $100-$55,010 for each violation, up to a maximum of $1,650,300 for identical provisions during a calendar year.
Tier 2: The HIPAA violation had a reasonable cause and was not due to willful neglect. Fine: $1,000-$55,010 for each violation, up to a maximum of $1,650,300 for identical provisions during a calendar year.
Tier 3: The HIPAA violation was due to willful neglect, but the violation was corrected within the required time period. Fine: $11,002-$55,010 for each violation, up to a maximum of $1,650,300 for identical provisions during a calendar year.
Tier 4: The HIPAA violation was due to willful neglect and was not corrected. Fine: $55,010 or more for each violation, up to a maximum of $1,650,300 for identical provisions during a calendar year.
Criminal penalties
Unknowingly or with reasonable cause: up to 1 year in prison.
Under false pretenses: up to 5 years in prison.
For personal gain or malicious reasons: up to 10 years in prison.
The government is aggressively addressing HIPAA violations:
CardioNet to pay … for not understanding HIPAA requirements creates risk (HHS.gov)
A doctor received … in prison, 1-year supervised release, and $2K in fines (MPR)
The health system (employer) paid … in civil penalties
In both cases cited above, the courts ruled that ignorance of the law is no excuse. That means you need to be diligent about protecting your employee PHI and PII, or your company could face civil penalties, and you could be fined and possibly go to jail. It’s time to take the security of your employee and customer data seriously.