Privacy in an Age of Online Record-Keeping
Gillian Flynn

As more and more employers store and share employee information electronically, HR professionals face a major question: What is the company's liability as far as privacy goes? If a service provider leaks your company's confidential employee information, who gets sued? If a hacker gains access to the data, is it the company's fault? It's a worrisome area, particularly when it comes to medical records. Kerry Kearney, partner and head of the privacy task force for Reed Smith in Pittsburgh, offers some guidelines.
What are the protocols for electronically sharing private employee information, like medical records, with service providers?
There's no national requirement, no uniform standard in terms of how far the employer has to go with protecting employee medical information. That goes for whether the sharing is in-house, or whether the information is shared with service providers. However, there is a growing body of case law and state statutes saying that you need to provide confidentiality for information that's not of a public nature. And I don't know a single employer that does not feel an obligation to protect the privacy of employee information. But it's not a right set in stone. It's a common-law right. People recognize that private information should stay private.
What should employers consider when sharing information with service providers electronically?
One thing employers could do to protect themselves is to enter into contracts that require the service providers to accord privacy and security to employee information that is transferred.
If the information gets leaked or mishandled on the service provider's end, is there liability for the employer?
Sure. If the employer failed to enter into a contract whereby the service provider undertook to provide confidentiality, then the common-law cause of action could seek money damages from the employer for being cavalier about the way it handled confidential employee information. So you need to protect yourself by contract, and make sure the entity with whom you enter into a business relationship is a viable company. Because if that company gets sued and is no longer around, they'll look to you for money.
How should a company store medical information electronically?
Employers aren't allowed to use medical information much. If an employee comes to you seeking an accommodation because he or she has a medical condition, then you have an affirmative obligation to do what you can to help. That requires a record of their medical problem. But most employers very carefully segregate out any health information about employees from anything to do with personnel. So personnel records normally wouldn't have medical information, unless the employee is claiming entitlement under ADA or FMLA, for example. Then you'd have the information, but you should be very careful not to disseminate it more widely than is absolutely necessary.
There's been a lot of buzz about HIPAA's new medical privacy regulations: what do employers need to know?
The first thing they need to know is that they are not covered entities for purposes of the new HIPAA medical privacy regulations unless they have a self-insured ERISA plan. So if they're self-insured for purposes of ERISA for employee health, then that department is covered by HIPAA, the Health Insurance Portability and Accountability Act of 1996. They would need to comply with the HIPAA privacy standards. They'll be effective on April 13, 2003. But it doesn't normally apply to employers. The bottom line for most employers in regard to HIPAA is that they won't be allowed to use employee claims information to buy insurance coverage.
Where does the liability lie if the company computer gets hacked and the employee information is accessed?
There has been no litigation in which any company has been found responsible for not operating a secure site that results in hacking. Your company does have an obligation to maintain a certain standard of security. To the extent you do not, and you harm somebody with whom you have an obligation, a relationship, that person could claim you had acted tortiously.
But there's no history of such litigation as yet?
The only verdict I can think of that's close is Doe v. Medlantic Healthcare Group Inc. A District of Columbia superior court awarded a plaintiff patient $250,000 for a hospital's lack of adequate security measures in protecting patient medical information online. The patient was HIV-positive and his records were accessed by a part-time unauthorized employee and then disclosed to coworkers. The court cited lack of security, including the inability of software used by the hospital to trace and identify who had accessed the records.
So what does happen if the violation is internal, if an employee accesses the information?
Ideally you should have specific policies in place that address the sanctions, and procedures for enforcing compliance up to termination. In addition to that, if you want to avoid getting in trouble yourself, you have to be able to show you had in place state-of-the-art procedures to avoid employee malfeasance. We talk about hackers, but the majority of computerized losses that companies suffer are from employees rather than outsiders. There has historically been a recognition that you're most vulnerable from those who really know you. In this case, that's obviously your employees. They're the ones who know where your vulnerabilities are.
What should a company do security-wise to avoid liability?
How you go about providing security is not set in stone anywhere, but you want to be thinking about your physical safeguards. Do you have password-protected computers? Do you regulate access to the data systems? Is there a person in charge of security? Are there firewalls in place? Do you have chain-of-trust agreements with anybody who exchanges data? Do you have internal audit procedures? Do you train employees so they know what their obligations are? Do you have training on security management? Are there discipline or termination procedures for employees who violate your security regulations? And of course, everybody should have an employee e-mail policy. And not just for employees dealing with sensitive information: every employee. It should emphasize that the employer owns the e-mails, and they will be monitored.
How much legal protection does all that provide?
If you are going to be sued by third parties who claim your procedures were lax, even if you don't avoid liability, you'll reduce the damages if you prove you did everything you could. You had good procedures in place, and this particular person was so determined, he or she had to go through several levels of security to get this information and do the dirty deed.
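Several of the controls raised in the interview can be shown concretely: keeping medical information in a store separate from personnel records, regulating who may read it by role, and keeping an audit trail that can answer the question the court faulted the hospital in Doe v. Medlantic for being unable to answer, namely who accessed a given record. The following is an added example written for this page; it is not code from the interview, the interviewee, or any of the organizations or cases mentioned. All employee ids, user names, roles, record contents and the audit-log key are constructed for illustration.

```python
"""Role-gated record access with a tamper-evident audit trail.

Added example. Every id, name, role and record below is constructed
sample data, not information from the article.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Personnel and medical information are held in separate stores, so a
# personnel lookup can never return health data by accident.
PERSONNEL = {
    "emp-1001": {"name": "A. Example", "dept": "Finance"},
    "emp-1002": {"name": "B. Example", "dept": "Operations"},
}
MEDICAL = {
    "emp-1001": {"note": "ADA accommodation on file"},
}
STORES = {"personnel": PERSONNEL, "medical": MEDICAL}

# Roles permitted to read each store (constructed). A general staff
# account is not permitted into the medical store at all.
READ_ROLES = {
    "personnel": {"hr_generalist", "hr_benefits"},
    "medical": {"hr_benefits", "medical_officer"},
}

AUDIT_FIELDS = ("actor", "role", "store", "record_id", "outcome")


class AccessDenied(Exception):
    pass


@dataclass
class AuditLog:
    """Append-only log. Each entry carries an HMAC over its own fields
    plus the previous entry's HMAC, so editing or removing an entry
    breaks the chain when verify() recomputes it."""
    key: bytes
    entries: list = field(default_factory=list)

    def _mac(self, prev, body):
        msg = prev + json.dumps(body, sort_keys=True)
        return hmac.new(self.key, msg.encode(), hashlib.sha256).hexdigest()

    def record(self, actor, role, store, record_id, outcome):
        prev = self.entries[-1]["mac"] if self.entries else ""
        body = {"actor": actor, "role": role, "store": store,
                "record_id": record_id, "outcome": outcome}
        self.entries.append({**body, "prev": prev, "mac": self._mac(prev, body)})

    def verify(self):
        """True only if every entry's MAC and back-link still check out."""
        prev = ""
        for e in self.entries:
            body = {k: e[k] for k in AUDIT_FIELDS}
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(prev, body)):
                return False
            prev = e["mac"]
        return True

    def who_accessed(self, store, record_id):
        """Trace every actor who successfully read a given record."""
        return [e["actor"] for e in self.entries
                if e["store"] == store and e["record_id"] == record_id
                and e["outcome"] == "granted"]

    def denied_attempts(self):
        """Out-of-role attempts, the first thing an internal audit reviews."""
        return [(e["actor"], e["store"], e["record_id"])
                for e in self.entries if e["outcome"] == "denied"]


def read_record(log, actor, role, store, record_id):
    """Check the role before touching the store, and log both outcomes."""
    if role not in READ_ROLES.get(store, set()):
        log.record(actor, role, store, record_id, "denied")
        raise AccessDenied(f"{actor} ({role}) may not read {store} records")
    log.record(actor, role, store, record_id, "granted")
    return STORES[store].get(record_id)


if __name__ == "__main__":
    log = AuditLog(key=b"constructed-example-key")
    print(read_record(log, "hr-user-7", "hr_benefits", "medical", "emp-1001"))
    try:
        read_record(log, "staff-22", "staff", "medical", "emp-1001")
    except AccessDenied as exc:
        print("denied:", exc)
    print("accessed by:", log.who_accessed("medical", "emp-1001"))
    print("denied attempts:", log.denied_attempts())
    print("log intact:", log.verify())
```

The denied attempt is logged with the same care as the granted read; in the scenario the interview describes, the record of who tried and failed is what supports the discipline and termination procedures, and the chained MACs are what let the employer show afterwards that the log itself was not altered by the person being investigated. In practice the key would be held by the audit function, not by the application writing the entries.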
Gillian Flynn is a freelance writer in New York
COPYRIGHT 2001 ACC Communications Inc.
COPYRIGHT 2001 Gale Group