Magazine article Workforce

Privacy in an Age of Online Record-Keeping

Article excerpt

Legal Insight

As more and more employers store and share employee information electronically, HR professionals face a major question: What is the company's liability as far as privacy goes? If a service provider leaks your company's confidential employee information, who gets sued? If a hacker gains access to the data, is it the company's fault? It's a worrisome area, particularly when it comes to medical records. Kerry Kearney, partner and head of the privacy task force for Reed Smith in Pittsburgh, offers some guidelines.

What are the protocols for electronically sharing private employee information, like medical records, with service providers?

There's no national requirement, no uniform standard in terms of how far the employer has to go with protecting employee medical information. That goes for whether the sharing is in-house, or whether the information is shared with service providers. However, there is a growing body of case law and state statutes saying that you need to provide confidentiality for information that's not of a public nature. And I don't know a single employer that does not feel an obligation to protect the privacy of employee information. But it's not a right set in stone. It's a common-law right. People recognize that private information should stay private.

What should employers consider when sharing information with service providers electronically?

One thing employers could do to protect themselves is to enter into contracts that require the service providers to accord privacy and security to employee information that is transferred.

If the information gets leaked or mishandled on the service provider's end, is there liability for the employer?

Sure. If the employer failed to enter into a contract whereby the service provider undertook to provide confidentiality, then the common-law cause of action could seek money damages from the employer for being cavalier about the way it handled confidential employee information. So you need to protect yourself by contract, and make sure the entity with whom you enter into a business relationship is a viable company. Because if that company gets sued and is no longer around, they'll look to you for money.

How should a company store medical information electronically?

Employers aren't allowed to use medical information much. If an employee comes to you seeking an accommodation because he or she has a medical condition, then you have an affirmative obligation to do what you can to help. That requires a record of their medical problem. But most employers very carefully segregate out any health information about employees from anything to do with personnel. So personnel records normally wouldn't have medical information, unless the employee is claiming entitlement under ADA or FMLA, for example. Then you'd have the information, but you should be very careful not to disseminate it more widely than is absolutely necessary.

There's been a lot of buzz about HIPAA's new medical privacy regulations. What do employers need to know?

The first thing they need to know is that they are not covered entities for purposes of the new HIPAA medical privacy regulations unless they have a self-insured ERISA plan. So if they're self-insured for purposes of ERISA for employee health, then that department is covered by HIPAA, the Health Insurance Portability and Accountability Act of 1996. They would need to comply with the HIPAA privacy standards. They'll be effective on April 13, 2003. …
