By MATTHEW BRODSKY, senior editor/Web editor of Risk & Insurance®
CHICAGO---How did one of the largest national pharmacy chains dispose of its customers' prescriptions? Threw them out into the dumpster. That might have been easiest, but it led to a settlement with the Department of Health and Human Services of $2.25 million in Feb. 2009.
Another fine was levied recently for $895,000--to an individual hospital worker who violated medical privacy rules. How many years of salary will it take to pay that one off?
When it comes to how employers should handle their workers' medical information, a lot of laws are already on the books to "protect the innocent," according to Rania V. Sedhorn, principal with Buck Consultants LLC in New York City.
Yet when it comes to how employers should deal with their workers' comp-related medical information, it's a "free for all," she said.
"There are no specific rules for you to follow," she told an audience at the Annual National Workers' Compensation and Disability Conference® & Expo. "You guys can make your own rules."
Of course, making up your own rules on the fly is perhaps not the brightest path to pursue here. It could be best for workers' comp and disability managers to follow the same standards that their HR and benefits colleagues must apply to healthcare information privacy.
These standards, by the way, have your colleagues' hands full. This September, the HITECH Act went into effect, mandating for all employers additional guidelines for security breaches above and beyond what HIPAA already calls for.
In effect, explained Sedhorn, the HHS wants all medical records to be handled electronically. Now. According to Sedhorn, only about 20 percent of employers can handle this requirement at the moment.
Before panicking, all HR, benefits and workers' comp professionals should keep in mind that the basic four steps to securing medical data privacy still work. Those steps, Sedhorn explained, are: obtain the necessary data, share it, store it and then destroy it.
Of course, each step is simpler said than done. For instance, with step one, it's essential to collect only the data that you need to satisfy your requirements, whether your employee is filing for an accommodation or an FMLA break.
For step two, only share information with the people who need it. The employee's direct supervisor, for instance, in many cases does not need to know about their health history.
Employers should keep in mind that they cannot create a foolproof system. Breaches will happen. But what they can do, said Sedhorn, is create set policies for handling medical data privacy issues, train their employees on those policies, and then revisit and revise those policies and training programs as the law evolves.
The alternative is to be caught with your proverbial pants down after a breach and have to notify people of the issue. Under the current HITECH rules, for breaches involving more than 500 medical records, employers must also notify the media.
"That's the fun part!" kidded Sedhorn.
November 18, 2009
Copyright © 2009 LRP Publications