Is Email a Secure Communications Method for HR to Employee Interactions?
Most businesses today don’t think twice about communicating internally via email with employees. Though much attention is given these days to the legal consequences of deleting and archiving email records, little thought is given to the ramifications of email content that seemingly has nothing to do with risks to business operations.
Emails that suggest inappropriate or even possibly illegal activity are often quietly scrubbed. Emails to HR, which may include HIPAA or other confidential information, are virtually ignored from a legal standpoint.
Which is the higher risk to an organization? Exposure of potentially nefarious business activity or a HIPAA violation? Well, that depends. How does a $1.5M penalty plus prison time for a serious HIPAA violation sound?
The simple fact is that the vast majority of businesses have nothing to fear about potential exposure of illegal practices because the vast majority of businesses operate legally and ethically. But virtually all of those same businesses think nothing about email communications between employees and HR. And why not? There is nothing private about requesting a W4 form or inquiring about vacation balances. Those are the mundane questions employees ask HR every day.
However, there is everything private about supplying one’s Social Security number, or revealing a spouse has a serious illness. Even emailed questions about insurance coverage or life changes can be potential HIPAA violations if that information is viewed by unauthorized eyes.
The bottom line is email can be the weakest link in an organization’s HIPAA compliance practices. Email is frankly not HIPAA compliant at all. Emails can be forwarded and BCC’d either intentionally or inadvertently. There is absolutely no practical control over protection of email content.
And folks, this happens virtually every day in many organizations. Insider trading and embezzlement — very rare. HIPAA data traversing the insecure email system — all the time.
Taking email out of the mix of HR communication options may cause a cultural tsunami, but consider the risks of a privacy violation. Not only could a HIPAA penalty be directly costly, the aftermath could magnify the damage. Loss of employee trust and negative press are just a few additional consequences.
One solution to this critical issue is to deploy a fully HIPAA-compliant HR Help Desk system that takes dialogs with HR out of email and places them within a secure case management environment. In the Help Desk application, these confidential conversations are only accessible to authorized HR personnel. In the most confidential of cases, only the assigned HR specialist even knows the case exists.
Using the Employee web portal, even from their cell phone, employees have 100% confidence that their personal issues remain private between themselves and assigned HR reps. Back and forth dialogs function much like chat, with the entire interaction stored in the case’s permanent record.
For businesses that need to transition (be weaned off) from email to the new system, the LBi HR Help Desk can copy the conversations to email for a period of cultural adjustment until all users are assimilated into the new process.
So please leave email to daily business operations (and football pools). Place your HR communications in the hands of HIPAA-compliant systems like LBi HR Help Desk. The potential savings are immeasurable.