In our latest installment of Ask the Expert, brought to you by the team of industry experts at HR Hero®, we look at a recent question from a subscriber regarding the accidental sharing of an employee’s personal information and an organization’s obligations to report the mistake.
Q: A client of ours experienced a technical issue within their HRIS system, and one of their employees was able to see the information of another employee. The data included date of birth, address, salary, work history, and benefit enrollment. They believe there was an unintentional keying error that mistakenly allowed this employee to see the other employee’s data. The employee was in their self-service portal when this incident happened.
What are their obligations to report this?
A: As a threshold matter, this incident is probably not a HIPAA privacy or security violation, or a reportable HIPAA breach, because an employee’s health plan enrollment information does not become protected health information (PHI) subject to HIPAA until it is in the hands of the health insurer (or, if the plan is self-funded, the staff or service provider responsible for plan administration).
The enrollment information entered on an employee portal would likely be considered an employment record (rather than PHI), though this might not be the case for all data in the HRIS. See the HIPAA Privacy analysis.
Assuming then that HIPAA does not apply, the response to an accidental disclosure of personal information will depend on state law. This will generally mean the state where the person resides whose information was disclosed.
For example, Virginia’s breach notification law applies to a “breach of the security of the system,” which is defined as the unauthorized access and acquisition of unencrypted and unredacted computerized data that:
- Compromises the security or confidentiality of personal information maintained as part of a database of personal information regarding multiple individuals; and
- Causes, or it is reasonably believed has caused or will cause, identity theft or other fraud to any Virginia resident. (Va. Code 18.2-186.6)
There is an exception for good-faith acquisition by an employee of the entity that maintains the database, provided the personal information is not used for a purpose other than a lawful purpose of the entity, or subject to further unauthorized disclosure.
Is Accidental Viewing Reportable?
“Personal information” is defined as a name in combination with a:
- Social security number (SSN);
- Driver’s license number or state identification card number issued in lieu of a driver’s license number;
- Financial account, credit card, or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial accounts; or
- Passport number or military identification number.
An SSN with no more than five digits shown, and a driver’s license, state ID card, or account number showing only the last four digits, are considered “redacted” so their disclosure would not be a breach.
“Acquisition” is not defined, and might not include mere viewing of the information—assuming it was not printed or downloaded. In any event, employment information like work and salary history, while sensitive, would not seem to be reportable under state statute, unless it included an unredacted SSN (or, say, an unredacted bank account number for direct deposit). Even then, the employer would have to conclude that identity theft might result.
In other words, it is unlikely that one employee’s accidental viewing of another’s employment data would be a reportable breach under state or federal law. However, it would be advisable to have the privacy or security officer document the incident, the company’s response, and the reasons for concluding it did not rise to the level of reportability.
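The redaction thresholds in the answer above (an SSN with no more than five digits shown; a driver’s license, state ID, or account number showing only the last four digits) are the one point an HRIS administrator can check mechanically. The following is an added example, not code from the original answer or from HR Hero, that applies those thresholds to the values a self-service portal would display. The field names, the masking character “X”, and the sample record are assumptions made for the example; treating every non-digit character as a masking character is also an assumption.

```python
# Thresholds taken from the Virginia definition quoted in the answer:
# an SSN is "redacted" when no more than five digits are visible; a
# driver's license, state ID, or account number is "redacted" when only
# the last four digits are visible. Field names here are assumed.
MAX_VISIBLE = {"ssn": 5, "drivers_license": 4, "state_id": 4, "account": 4}


def visible_digits(value: str) -> int:
    """Count the digits still readable in a displayed value.

    Assumption: any non-digit character (X, *, -, space) is treated as
    masking or formatting, not as disclosed data.
    """
    return sum(ch.isdigit() for ch in value)


def is_redacted(kind: str, value: str) -> bool:
    """Return True if the displayed value meets the statutory threshold."""
    limit = MAX_VISIBLE[kind]
    visible = visible_digits(value)
    if visible > limit:
        return False
    if kind == "ssn":
        # The SSN rule only caps how many digits show, not which ones.
        return True
    # For the other identifiers the visible digits must be the LAST four,
    # so the trailing characters of the value must be exactly those digits.
    return visible == 0 or value[-visible:].isdigit()


def mask(kind: str, value: str, mask_char: str = "X") -> str:
    """Return a display form that keeps only the last four digits visible.

    Four is within every threshold in MAX_VISIBLE, so the result passes
    is_redacted for any supported kind. Separators are preserved.
    """
    keep = min(4, MAX_VISIBLE[kind])
    total = visible_digits(value)
    seen = 0
    out = []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - keep else mask_char)
        else:
            out.append(ch)
    return "".join(out)


def audit(record: dict) -> list:
    """Return the field names whose displayed value is not yet redacted."""
    return sorted(k for k, v in record.items() if not is_redacted(k, v))


# Constructed sample record for the example (not real data).
SAMPLE_RECORD = {
    "ssn": "123-45-6789",            # fully visible: fails the threshold
    "drivers_license": "T12345678",  # eight digits visible: fails
    "account": "XXXXXXXXXXXX6677",   # last four only: already redacted
}


if __name__ == "__main__":
    print("fields needing redaction:", audit(SAMPLE_RECORD))
    for field in audit(SAMPLE_RECORD):
        print(field, "->", mask(field, SAMPLE_RECORD[field]))
```

Running `audit` against the portal's display layer before an employee ever sees a screen turns the statute's "redacted" exception into a configuration check rather than an after-the-fact legal question.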
Ask the Expert is a service provided to subscribers of BLR®’s HR Hero product, where experts are ready with answers to your organization’s unique questions surrounding HR compliance. To learn more and request a demo of HR Hero, click here.