Businesses in Texas are excited to begin reopening on May 1st. But before they do, they need to be aware of a hidden risk in implementing their reopening plan: a risk that could cost as much as $50,000 per employee.
Uncovering the hidden risk
In Governor Abbott’s Report to Open Texas, the Minimum Standard Health Protocols are outlined for every business to follow. The cornerstone is screening employees for COVID-19 symptoms, which means you will need to be able to prove that you did the screening consistently and thoroughly. This is where a new risk that most businesses haven’t had to deal with in the past rears its ugly head. When you start collecting health information about employees, you are collecting sensitive personal information. It has to be protected according to the Texas Business and Commerce Code, and if it isn’t, you can be fined up to $50,000 per incident. Most businesses in Texas are not prepared to handle this type of information correctly.
What you need to do
Like any other sensitive information, data collected during the employee screenings should be stored in an encrypted, secure location and never transmitted unencrypted. Online file systems like Dropbox, Microsoft OneDrive, and Google Drive are not configured by default to provide encryption, and most charge extra to reach the level of protection you need.
What you will need to do is train your employees, document everything, and protect all the information that you documented.
1st Train your employees
You will need to train your employees in several ways. They need to know to self-screen before coming to work. The employee responsible for screening others as they arrive needs to know how to properly handle sensitive information. I suggest that you review your existing Sensitive Information Handling Policy with them and explain the importance of keeping that information safe and confidential, even from other employees.
2nd Document everything
You have to document everything. Make a paper trail of the training that you did and the policies that you put in place. Document your daily enforcement of those policies. This will help protect you in case an employee or customer becomes ill with COVID-19.
3rd Protect the data
Protect all that documentation. You could just keep it all on paper and lock it in a secure filing cabinet, but that isn’t practical for companies that have more than a handful of employees or more than one location. Every business is different, and there is no one-size-fits-all solution.* However, I can tell you the one question to ask your IT advisor to see if the way you are handling the information is secure.
The question you need to ask
“Is the way we are handling this information considered HIPAA compliant?”
If your IT advisor answers “No” or doesn’t know whether the solution meets HIPAA requirements, then it probably isn’t being done correctly. Although your company probably doesn’t need to be HIPAA compliant, this is an easy way for someone who doesn’t know business IT security to make sure their sensitive data is being protected.
Technology is constantly creating new risks
Technology has a tendency to create new risks unexpectedly. This generally happens when an old process becomes digital, but it can also occur when new regulations get passed without your knowledge. The typical IT technician is not going to catch these types of business issues. A CIO would normally bring this type of information to light, but most mid-size and smaller businesses can’t afford to fill that role full-time. To protect your company from these types of surprises in the future, you should look at IT outsourcing that includes all four roles of a successful IT department.
*Edit to original article
So, after writing the article, I found CheckIns for Business, which is an app that will work for almost any size of business. It has the level of security that I mention in the article, and it is the tool we are going to be using for our customers.