The U.S. Labor Department should try to make the regulations governing the security of information at retirement plans and health benefits plans as similar as possible, and leave room for technology changes.
John Barton, a plan administrator, gave that recommendation to a national benefits policy panel.
The panel, better known as the ERISA Advisory Council, advises the U.S. Labor Department and the department’s benefits arm, the Employee Benefits Security Administration, on issues relating to the Employee Retirement Income Security Act.
The Health Insurance Portability and Accountability Act (HIPAA) set health data privacy and security standards in 1996, and the Health Information Technology for Economic and Clinical Health (HITECH) Act expanded on the HIPAA standards in 2009.
The Labor Department and the U.S. Department of Health and Human Services are still implementing the HITECH requirements.
Barton, head of a firm that administers both health plans and retirement plans, said he sees first-hand how interested workers are in privacy and data security issues.
Workers are concerned about identity theft, Barton says in the written comment.
“They are equally concerned about the implications of HIPAA for fear that their employers will learn about their health status,” Barton says. “The focus on wellness, disease management, and absenteeism in the workplace is making employees with any health condition concerned about the risk of discrimination or other unfair treatment based on their health status. The feedback we get from plan participants in focus groups on this issue is vivid and pointed. They know what HIPAA is.”
Barton’s firm now has to have “business associate agreements” with all providers of service, to assure that protection of information shared between the firm and the service providers will meet federal standards.