“…HIPAA does not create a duty on the part of employers to protect employees from computer-virus related injuries”.
Farr v. St. Francis Hosp. & Health Centers, 2007 WL 2793396 (2007).
This quote, from the Farr v. St. Francis Hosp. & Health Centers case in the Southern District of Indiana, demonstrates a sizeable gap in the protections HIPAA offers employees in the modern workplace. The Farr case dealt with a man whose work computer became infected with a virus. The virus downloaded highly explicit material onto his computer, which triggered an internal workplace investigation. Even though the virus, and not the employee, was responsible for downloading the explicit material, the court was loath to hold that covered entities also owe a duty under HIPAA to protect employees’ data, giving rise to the quote above.
Under 45 C.F.R. §164.306, HIPAA/HITECH sets forth the security standards that covered entities and their business associates must follow. These include:
- Ensuring the confidentiality of all electronic health information it creates, receives or transmits;
- Protecting against any reasonably anticipated threats or hazards to the security of such information;
- Protecting against any unauthorized transmissions for said data; and
- Making sure an entity’s overall workforce abides by HIPAA/HITECH standards.
Under this rule, an entity has the flexibility to use nearly any system or method that “appropriately” protects the Personally Identifiable Information Data (“PIID”) of its customers, but that duty does not extend to its employees.
This is confounding, considering the vast amount of information the modern employer holds on its employees. Beyond the obvious documents that must be collected in the course of hiring, such as Social Security and passport information for federal work authorization, health insurance records, salary and bank account information are all largely within the employer’s control. Even companies that largely outsource such operations must, at some point in the employment cycle, collect PIID on their employees, so their employees cannot expect any greater level of protection than employees at smaller companies enjoy.
Employers should recognize that protecting employee data can significantly reduce the costs associated with testifying in identity theft cases and the time employees lose pursuing those cases. Thus, while future revisions should at least consider amending HIPAA to include protection for employees, employers would be wise to put methods for protecting employee PIID in place immediately.