Data security is increasingly important in our shift towards a digital world. A lot of the hesitation about wellness program participation deals with privacy. In order to increase engagement, it’s your job as a wellness program manager to answer those difficult security questions, and be sure you’re keeping your employees safe.
Our new, free E-book is all about keeping information safe, and how data security plays a role in your wellness program. Check it out here!
Data security is especially important because of the information you collect in your wellness program: health information. This health information must be protected, and there are laws and guidelines you need to follow to do just that.
The information we’re talking about is Protected Health Information, or PHI. Basically, PHI is health information collected or maintained by certain entities. In order to be protected, however, the information has to be identifiable, meaning it can be used to determine who someone is. For example, any health information that has a name or social security number attached is definitely PHI. When it comes to other characteristics and aggregate data, the protection might not apply.
The protection of PHI is monitored by the Health Insurance Portability and Accountability Act, often referred to as HIPAA. The specific rules that deal with PHI are the Privacy and Security Rules.
The Privacy Rule
- Protects PHI held by covered entities and their business associates
- Permits disclosure of PHI needed for patient care
- Limits access to PHI to the “minimum necessary”
- Deals with PHI in any medium
The Security Rule
- Protects PHI held by covered entities and their business associates
- Specifies a series of administrative, physical and technical guidelines
- Allows for confidentiality, integrity and availability of PHI
- Deals with PHI in electronic form
These rules must be followed by any covered entity, and if a breach occurs the company has to follow the breach notification protocol.
In the wellness world, you’re likely held accountable for HIPAA’s rules as a health plan. If you partner with a vendor, they’re considered your Business Associate, and are also responsible for adhering to the HIPAA regulations.
In your employee wellness program, it’s important to take action to avoid some common threats:
- Always secure your technology so no computer that contains PHI is accessed or stolen.
- Properly store your files so they aren’t left out and available to the public.
- Designate a chain of command so you know who to report to with HIPAA questions and concerns.
These common concerns fall into three primary solutions.
Solution #1, Administrative
These solutions deal with the policies you have in place to protect PHI. Be sure to do an adequate risk assessment, and identify roles and responsibilities of anyone with a need to access PHI.
Solution #2, Physical
These solutions deal with the physical accessibility of your PHI. Do desk drawers and cabinets have locks? Who has access to the room where PHI is stored? How will access of PHI be recorded and monitored?
Solution #3, Technical
These solutions deal specifically with electronic PHI. It’s important to have a secure IT system in place whether you store information in the cloud or on a physical server. Be sure you evaluate the state of PHI as it is stored, and as it is transferred.
We know data security can seem overwhelming. To learn more about what you’ve gotten a peek at here, check out our free E-book with definitions, clarifications and even a security checklist!
What concerns do you have when it comes to protection of privacy in your employee wellness program?
