Protecting personal information

Our consciousness of personal privacy was elevated several years ago with the passage of Health Insurance Portability and Accountability Act of 1996 (HIPAA), which was designed to “restrict the uses and disclosures of participant’s personal health information (PHI) by an employer’s medical plan.” This law created a protective wall between the employer and medical plan, thereby making it illegal for an employer to use PHI to make employment-related decisions.

Business owners scrambled to quickly designate internal Privacy Officers who would ensure compliance.

Dual Identity

This same law also required that dental labs, as healthcare service providers, protect patient PHI (e.g., name, age, treatment plans) and only use PHI for planning, designing, and fabricating prosthetic devices, or to obtain payment for services rendered.

Labs were inundated with requests from clients to sign Business Associate Agreements, and our Privacy Officers were charged with having employees sign Employee

Confidentiality agreements

HIPAA provided individuals with more control in how their information may be used. Authorization must be received before identifiable information is used or disclosed. As employers, for example, we could no longer provide identifiable information to an insurance broker. Our dual identity as No. 1, an employer, and No. 2, a provider of a medical device, required that we must protect identifiable health information that is transmitted electronically, by paper, and via verbal communication.

Security complications

If this all wasn’t bad enough, along came the massive theft of personal information in the case of TJX Corp. in 2005. In this case, credit card information of a staggering 45.6 million people had been stolen by unknown attackers who had breached the company’s computer transaction processing systems.

In addition, more than 450,000 names, addresses, and personal ID numbers (in most cases, the person’s Social Security number) also were taken from the company’s servers. A 2004 audit of the company’s network had found “high-level deficiencies” in its security practices.

As a result of these recent high-visibility security breaches, the federal and state governments have been working diligently to enact legislation that mandates the information keepers do a better job of protecting that information. The Federal Trade Commission has its “Red Flag Identity Theft Rule,” which requires businesses that permit the deferred payment of a debt to develop and implement a program to prevent identify theft.

Compliance

Here in Massachusetts, we are dealing with our own version of this type of legislation, which went into effect on March 1. Under this new law, because we have both employees and customers who reside in Massachusetts, we must have a written security plan that protects personal information (PI) that we have in our possession. PI is defined as social security, drivers license, or State-issued ID number, or a financial account number (bank account, credit card, debit card, etc.) in combination with the person’s name.

Complying with these laws will take some effort, but in analyzing our strategy, we found we already intuitively were doing many of the things that the “experts” were suggesting for protecting information, be it personal or confidential.

To protect the personal and confidential information that you have in your possession, use common sense. For example, to protect the security of your physical space, require that visitors wear a badge and be escorted by an employee; don’t allow ex-employees to wander freely; and be aware of unusual or suspicious questions or requests for favors.

Your employees and your customers trust you with their most valued asset- their personal and confidential information. Honor their trust by taking this responsibility seriously and guard their information as if your life depended on it. As we saw in the TJX case, breaches in security can have wide reaching, disastrous and costly results.