The U.S. Labor Department should try to make the regulations governing the security of information at retirement plans and health benefits plans as similar as possible, and leave room for technology changes.
John Barton, a plan administrator, gave that recommendation to a national benefits policy panel.
The panel, better known as the ERISA Advisory Council, advises the U.S. Labor Department and the department’s benefits arm, the Employee Benefits Security Administration, on issues relating to the Employee Retirement Income Security Act.
The Health Insurance Portability and Accountability Act (HIPAA) set health data privacy and security standards in 1996, and the Health Information Technology for Economic and Clinical Health (HITECH) Act expanded on the HIPAA standards in 2009.
The Labor Department and the U.S. Department of Health and Human Services are still implementing the HITECH requirements.
Barton, head of a firm that administers both health plans and retirement plans, said he sees first-hand how interested workers are in privacy and data security issues.
Workers are concerned about identity theft, Barton says in his written comment.
“They are equally concerned about the implications of HIPAA for fear that their employers will learn about their health status,” Barton says. “The focus on wellness, disease management, and absenteeism in the workplace is making employees with any health condition concerned about the risk of discrimination or other unfair treatment based on their health status. The feedback we get from plan participants in focus groups on this issue is vivid and pointed. They know what HIPAA is.”
Barton’s firm now has to have “business associate agreements” with all providers of service, to assure that protection of information shared between the firm and the service providers will meet federal standards.
“Even internally such information is shared only on a need-to-know basis,” Barton says. “Any electronic transaction or transmission of data must be encrypted. Only the minimum data necessary to fulfill any one function is available to that function.”
The firm also has a security officer, disaster recovery standards, security incident report review and data destruction procedures, Barton says.
Network security involves the use of an intrusion prevention service, restricting Web access to approved Web servers, and an e-mail filter that prevents 98% of all e-mail received from entering the company’s network.
Barton noted that the company recently bought cybersecurity coverage to protect against data security risks.
“If you are considering new rules, new standards, I would encourage you to consider the following: Please approach any new standards such that we won’t have separate security regimes for pension and health and welfare plans,” Barton said. “It is easier to maintain one standard procedure than it is to have two or more regimes which might create confusion and misunderstanding and risk.”
The HIPAA security requirements already are extremely detailed, and new rules would create confusion and require separate measures for different plans, Barton said.
Barton added that any rules that are adopted should be flexible enough to accommodate changes in technology.
Rules that are too weak could lead to problems, but rules that are tight also could lead to problems, by reducing efficiency and affecting companies’ ability to provide good service, Barton said.