As part of the employment process, employees routinely hand over personal information, which the employer then uses for various purposes, including hiring, payroll processing, and benefits administration. Much of this data qualifies as "Personally Identifiable Information" (PII), which the employer is obligated to protect.
What is PII?
According to the General Services Administration, Personally Identifiable Information “refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.”
Information that identifies a specific individual on its own includes name, Social Security Number, and driver's license number. Information that might identify a specific individual when combined with other data includes gender, date of birth, address, marital status, health-related information, and criminal history; each field alone may look harmless, but together they can single out one person.
Data privacy and security laws covering PII apply not just to active employees, but also job applicants, independent contractors, consultants, and terminated and retired employees – basically anyone whose personal data you acquire.
There are several laws that protect PII. However, those impacting employers the most include:
- Health Insurance Portability and Accountability Act (HIPAA), which protects specific health-related information
- Genetic Information Nondiscrimination Act (GINA), which protects genetic information
- Fair and Accurate Credit Transactions Act (FACTA), which protects employee credit information
In addition, many states have data protection laws that employers must comply with.
Data Protection Measures
With the Federal Trade Commission (FTC) reporting identity theft and fraud as among the top consumer complaints in 2017, your challenge is to create processes that reduce the risk of data theft and unauthorized disclosure. Here are some suggestions:
- Create a records retention policy that outlines which data should be kept and for how long.
- Perform periodic audits of your recordkeeping processes.
- Shred unwanted paper documents and securely erase unneeded electronic records, including those on contractors and terminated employees.
- Restrict access to personal data to individuals with a valid business need.
- Keep physical files in a secure location.
- Hire trained Information Technology professionals to maintain the security of your IT infrastructure.
- Minimize the collection, use, and retention of PII to what is strictly required to achieve business objectives.
- Make sure your HR vendor's data security policies and procedures align with your company's needs.
- Avoid putting employees’ Social Security Number on their pay stubs.
- Have a contingency plan for dealing with data theft and breaches.
- Train your HR and payroll staff on how to protect employees’ personal information.
For more insight into safeguarding personal data, see the FTC’s guide for businesses.
Also, your human capital management system should be configured to strengthen employee data security, for example by restricting access to PII by role and logging who views or changes it.
A Note about HIPAA
Your group health plan is regarded as a "covered entity" under HIPAA unless it has fewer than 50 participants and is administered solely by the employer. Covered entities must comply with HIPAA's privacy and security rules, which are designed to safeguard "individually identifiable health information," also called "Protected Health Information" (PHI).
Specifically, PHI is health-related information that can be used to identify patients, such as medical records, lab reports, hospital bills, and health plan documents. As the sponsor of a covered entity – that is, your group health plan – you will likely encounter PHI on certain employees.
To comply with HIPAA's Privacy Rule, you must implement policies and procedures for protecting PHI and preventing unauthorized disclosure. Under HIPAA's Security Rule, you must institute administrative, physical, and technical safeguards, as defined by HIPAA, to ensure the confidentiality, integrity, and availability of electronic PHI.
There’s a wealth of HIPAA-related information plus tools and resources on the U.S. Department of Health and Human Services website. Also, be sure to collaborate with the necessary parties – such as your insurance carrier, third party administrator, and legal counsel – when handling PII and PHI issues.