Big Brother is watching–HRO users and providers beware.
As it turns out, Big Brother is watching: HRO users and providers beware.
Federal privacy law is expanding with the Security Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the privacy and civil liberties procedures established under the Intelligence Reform and Terrorism Prevention Act of 2004 (IRATPA): one for electronic health information, the other for virtually all personal information that could be discovered in homeland security and anti-terrorism investigations. For HRO customers, employees, and service providers, each law will impose new obligations and safeguards.
HIPAA SECURITY RULE
The HIPAA Security Rule reinforces the Transactions Rule and the Privacy Rule, which focus on the privacy of protected health information. The HIPAA Security Rule takes effect on April 21, 2005, for all covered entities except small health plans. In the private sector, all private health plans, healthcare providers, and healthcare clearinghouses must assure their customers that the integrity, confidentiality, and availability of electronic health information that they collect, maintain, use, or transmit will be protected. The goal is to ensure the integrity and confidentiality of the information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and against unauthorized use or disclosure of the information. The HIPAA Security Rule will be an additional compliance requirement for HRO deals. There is no specific federal security standard, only one that calls for reasonable and appropriate precautions. The enterprise customer cannot simply dump the HIPAA compliance obligation upon the service provider. As a best practice, HRO customers and their providers should review the design and implementation of the processes involved in compliance, and establish periodic reviews to deal with changes that might be needed. The costs of such periodic changes should be discussed as well.
PRIVACY AND CIVIL LIBERTIES
Under IRATPA, executive departments and agencies must appoint a bevy of new privacy and civil liberties officers to protect against abuses of constitutional and statutory rights. Within the National Intelligence Department, a Civil Liberties Protection Officer, reporting directly to the Director of National Intelligence, will be appointed to meet constitutional, technological, and statutory mandates. To protect constitutional freedoms, this officer will be responsible for compliance, review, and assessment of complaints and other information indicating possible abuses of civil liberties and privacy in the administration of national intelligence programs. As a counterbalance to the increasing centralization of powers in the war on terrorism, a Privacy and Civil Liberties Oversight Board will be established within the Executive Office of the President as part of an enhanced system of checks and balances to protect the precious liberties that are vital to our way of life. In addition, Congress recommended each executive department or federal agency with law enforcement or anti-terrorism functions designate a privacy and civil liberties officer.
PRIVATE SECURITY OFFICERS
In the private sector, enterprises that either hire their own private security officers or rely upon service providers to do so will now be subject to new regulation. A private security officer is an individual other than an employee of a Federal, State, or local government, whose primary duty is to perform security services, full or part time, for consideration, whether armed or unarmed and in uniform or plain clothes. IRATPA authorizes prospective employers, after getting written consent from the prospective employee, to submit fingerprints for an authorized criminal history record information check for prospective private security officers. The employer must disclose the results to the prospective employee.
CRIMINAL HISTORY CHECKS
The new law opens the door to new regulation of access to criminal records in support of lawful employment beyond private security officers. The IRATPA law calls on the Attorney General to recommend to Congress any legislative improvements for the conduct of criminal history record checks for non-criminal justice purposes. As part of this process, commercially available databases will be reviewed as possible supplements to government records. Privacy rights will need further consideration, based on principles of employee consent, access to the records used if employment was denied, the disposition of fingerprint submissions after records are searched, an appeal mechanism, and penalties for misuse of the information. Employers, whether or not they outsource any HR administrative function, should review and update their employee handbooks and the rules applicable to third parties having access to HR information.