Red Hot Thoughts

Archive for the ‘Security’ Category

Social Security Numbers and Record Keeping

September 29th, 2014

It’s a routine part of the morning.  Before you answer your voicemail or log into your computer, you open the mail.  From the return address on the first envelope in the stack, you realize it is not such a typical morning after all.  The return address states the communication is from the Social Security Administration (SSA).  The government is reporting that one of your employees has a social security number that does not match their records.  What do you do now?  Some employers may think they can ignore it, while others may believe that they must fire the employee immediately.  Neither of these actions is the right one.

There has been a lot of confusion about what an employer’s obligation is when they receive a “no match” letter from the Social Security Administration (SSA) stating that they have an employee whose name does not match the social security number in the system.  Much of the confusion has stemmed from the Department of Homeland Security’s proposed rules.

Historically, the no match letters were sent by SSA for the sole purpose of matching names to Social Security numbers to ensure that payments are properly credited. The proposed new regulations, if finalized, and pending legislation, would have serious potential implications for employers because they are based on border security concerns and the SSA no-match information would be shared with the Department of Homeland Security (DHS) which is responsible for coordinating apprehension of illegal aliens.

There has been a groundswell of feedback from organizations, both business and labor, who have disagreed with the proposed rules, which have not yet been finalized.  So, until that time, the old rules apply.  Your best course of action when you receive a “no match” letter is to avoid taking any adverse action against an employee.  The letter specifically states that it is “not a basis, in and of itself, for the employer to take any adverse action against the employee, such as laying off, suspending, firing, or discriminating against any individual who appears on the list”.

You should not, however, ignore the “no match” letter.  Investigate the matter.  Make sure that the company did not make a typographical error in reporting the employee’s social security number.  If there is an error, write a letter submitting the correct number to the SSA.  If you don’t find an error, you should share the “no match” letter with the employee and ask him or her to verify that what you have submitted is correct.  You should not require the employee to produce a social security card or other specific documentation, as this could be considered document abuse under employment eligibility verification laws.  You should ask the employee to investigate and get the error corrected, giving them a reasonable amount of time.  Ask them to keep you posted on the progress.  If there is an error, correct the employee’s Form I-9 and submit the correct information to the SSA.  Of course, you should treat all employees who receive a no match letter consistently, without regard to race, national origin or citizenship status.

If an employee verifies that the information given is correct ask them if they can think of any other reason for the “no match” letter.  If they have no other explanation, write a letter to the SSA explaining that the company has re-verified that the information submitted to the SSA is correct and that you have no explanation for the discrepancy.    If the employee admits to a false social security number and is actually unauthorized to work in the United States, you must immediately terminate the employee’s employment.

Safety

August 11th, 2014

Regardless of the size of your business, you need to be vigilant about workplace safety.  Although safety can be a bigger concern in some industries than in others, no company can afford to ignore efforts to instill safety consciousness throughout its workforce.  Ensuring that the workplace is safe and free from hazards is a key role in business and human resource management.

What are the elements needed in designing an effective safety program?  The following factors are essential for an effective safety management program:

Management Commitment

A Safety Management Program cannot be successful without the active support of the company’s management team.  Necessary support includes allocating resources to safety programs and demonstrating the organization’s commitment to safety.  Managers should be involved in implementing and communicating the program so all employees understand management is committed to the program’s success.

Communication

The overall effectiveness of workplace safety and security measures will depend on an organization’s ability to effectively communicate safety and security goals and objectives. A communication strategy should be developed and implemented in a manner that supports the goals and objectives of the safety management program.  The business will want to ask how, when and where will employees be the most receptive to communication and retain the information provided.

Employee Participation

Employee participation is another key element in an effective safety plan.  If you do not have employee buy-in, the program may not ever fully be implemented.   For example, group decisions have an advantage of the group’s wider range of experience.   Employee participation means that employees are encouraged to participate fully in the program, including the review and investigation of injuries and illnesses, periodic workplace inspections, and regular safety and health meetings, and recommendations to the employer with respect to the overall safety program.

Analysis of the Work Environment

Work environment analysis helps the business with the identification of hazards by conducting baseline reviews for safety and health.  Additionally, employers should have a system in place for completing periodic updates to ensure continued safety.

Work environment analysis involves a variety of worksite inspections to identify not only existing hazards, but also conditions and operations in which changes might create hazards. Effective safety programs have systems in place to actively analyze the work tasks and the work setting to anticipate and prevent harmful occurrences.

Hazard Prevention and Control

Hazard prevention and control procedures ensure all current and potential hazards are corrected in a timely manner and safe work practices are understood and followed by all members of the work team.  Also, the company needs to ensure that all appropriate personal protective equipment is provided, and all other necessary actions are implemented and followed.  Workplace rules should provide guidance for employees’ behavior. The entire organization needs to continually be mindful of safety…it should be part of the culture.

Additionally, as part of the overall safety plan, management should focus on encouraging employees to report unsafe behaviors. Reporting of close calls and unsafe conditions may help keep tragic incidents from occurring.

Training

An effective safety prevention program includes training for all employees and managers. In addition to initial training during the safety program’s implementation, and when new employees are hired, ongoing training and any other needed updates need to occur in order to support a safe culture within the Company.  Besides in-person training, there are many other options for training, including online courses, DVDs and written materials.  Companies will need to consider their employee demographics to determine what type of training may work best.

If your business needs assistance with creating or updating an Accident Prevention and Safety Program, give us a call at 866.599.1733.

Employee Files and HIPAA Regulations

June 16th, 2014

For years there has been confusion as to whether or not information contained in employment records is considered to be Protected Health Information (PHI) under the HIPAA Privacy Rule.   There now is a clear answer to this question/confusion – No!

The U.S. Department of Health & Human Services’ (HHS) website (www.hhs.gov) reports, “The Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Education Rights and Privacy Act, 20 U.S.C. §1232g.”

Other clarifications and new changes to HIPAA have recently been communicated by HHS.  These changes have come about for many reasons, including new kinds of entities holding health information (i.e. “the Cloud”), objections to some uses of health information, lack of breach notification for health information, lack of control over business associates, and enforcement seen as lacking teeth (the Office of Civil Rights has been criticized as being too lax in enforcing the regulations).

Regardless of the origin of the change, the outcome is the same – HHS is getting serious about enforcement of the Privacy, Security and Breach Notification Rules.  Previously, an entity was audited only in response to complaints or breaches; now HHS is required to periodically audit covered entities and business associates.  There is a random audit program now under way with 20 initial audits due by April 2012, then a recalibration based on those, followed by up to 150 total random audits by the end of 2012.

If you are audited and found to be out of compliance, you could receive a penalty up to $50,000 ($1.5 million maximum for all violations of a similar type in a calendar year).  New definitions (Reasonable Cause, Reasonable Diligence,  Willful Neglect) have been created and new tiered penalties have been established. Tier 1 Violations equal $100-$50,000 per violation with Tier 4 Violations resulting in $50,000 per violation.

If you are a Covered Entity or Business Associate (yes, Business Associates are now directly responsible for complying with HIPAA), you should conduct an audit of your HIPAA compliance policies and procedures.   If you clearly understand the new clarifications, changes and definitions, you could conduct an internal audit yourself and make changes based on your internal findings.

If you do not have the internal resources to conduct an audit or to make the changes found necessary, you should contact a professional services group to assist you.  Or call us—we’re here to help!

If I don’t have to comply with HIPAA what is there to worry about?

Although employment records are not subject to the HIPAA Privacy Rule, there are many laws that do include rules regarding the safe-keeping and retention of employment records.  This newsletter focused on HIPAA regs; more will be highlighted in our future newsletters.  As always, please contact us at red for more detailed information and/or help with your records retention!

Identity Theft (Part Two)

June 12th, 2014

1. Do you track who has keys to all locked file cabinets?  Be sure to keep a list of who has keys and be sure to collect them when the employee is assigned elsewhere or is leaving your employ.

2. Does everyone who has keys to locked file cabinets really need access?  Only those who must have access to complete their assigned tasks should have keys.

3. Are all computers password protected?  Laptops, PCs, Blackberrys…any technology that contains personal information must be password protected.

4. Are all passwords changed periodically in order to protect confidential data?  It’s not good enough to just have passwords; they must be changed often if they are to remain secure.

5. Do you use codes, not social security numbers, to identify employees in your computer systems?  Only use social security numbers when no other identifier can be used (e.g. payroll for federal and state reporting).

6. Do your vendors, such as your company’s insurance providers, use codes rather than social security numbers?  If they are still using social security numbers, contact them immediately and require that other identifying codes be used.

7. If you use any identifying numbers on customer receipts or other forms, do you truncate or code the information in order to protect any identification of personal information?  Most business software that records receipts and charges provides this service.  If yours does not, contact the vendor and ask for an update.

8. Do you review your employee break-room or any other areas in your company where public information is approved to be posted to ensure that no confidential information is included?  Sign-up slips for company or charity events sometimes ask for addresses, phone numbers, or other personal identification.  When these are posted in public areas where other employees or customers can see private employee information, the opportunity for ID theft is greatly increased.

9. Do you communicate with your employees and customers so they know why information is being collected, how it will be used, and how it will be disposed of after it is no longer needed?  As with all policies, employees are much more apt to follow the rules when they understand WHY they are required.

10. Do you have a procedure in place to assure workers who leave your employ or transfer to another part of the company will no longer have access to sensitive information?  Supervisors need to change passwords, issue new keys, and whatever else is necessary to keep sensitive information away from those who no longer need this data to complete their assigned work.

11. Do you include terminating passwords, collecting keys and identification cards, collecting company cell phones and other devices that may hold sensitive information as part of your company’s termination checklist?  If you have access to our HR Subscription Service, you can download the ‘termination checklist form’ to make sure you are collecting all of the keys, passcodes, and other sensitive information when an employee leaves your company.

12. Do you have email policies in place to eliminate exchange of personal information (employee, vendor and customer) on unsecured sites?  Technology changes—and grows more sophisticated—every day.  Be sure your email policies are up to date and address the issues that arise when an employee enters an unsecured site.

13. Have employees who are charged with intra-office communications (e.g. company newsletters, department updates, etc.) been fully trained in what they can/cannot include in their communications?  Even well-meaning employees can expose your company to release of sensitive information.  If you have a company newsletter, be sure to get the employee’s permission to publish personal information about them.  Something as innocuous as where the employee of the month is planning on vacationing this year can provide information that the employee might not want known to the rest of the company.

14. In the event that you determine that confidential information has been compromised, do you have a system in place that identifies the steps needed to be taken to minimize any potential loss/breach of security?  If you fall under the Red Flag Rule, the federal government demands that you have such a system in place.  Even if you aren’t required to follow this regulation, it is a very good idea to have procedures in place so all of your employees know who to contact and what to do should such a breach occur.

15. Have you obtained an insurance coverage analysis to assist you in exposing any potential privacy gaps relating to corporate liability?  Contact your broker today!

Remember, different industry segments and professions have their own requirements when it comes to employee and customer privacy rights.  Does yours?

Safety

June 10th, 2014

Regardless of the size of your business, you need to be vigilant about workplace safety.  Although safety can be a bigger concern in some industries than in others, no company can afford to ignore efforts to instill safety consciousness throughout its workforce.  Ensuring that the workplace is safe and free from hazards is a key role in business and human resource management.  

What are the elements needed in designing an effective safety program?  The following factors are essential for an effective safety management program:

Management Commitment

A Safety Management Program cannot be successful without the active support of the company’s management team.  Necessary support includes allocating resources to safety programs and demonstrating the organization’s commitment to safety.  Managers should be involved in implementing and communicating the program so all employees understand management is committed to the program’s success.

Communication

The overall effectiveness of workplace safety and security measures will depend on an organization’s ability to effectively communicate safety and security goals and objectives. A communication strategy should be developed and implemented in a manner that supports the goals and objectives of the safety management program.  The business will want to ask how, when and where will employees be the most receptive to communication and retain the information provided.

Employee Participation

Employee participation is another key element in an effective safety plan.  If you do not have employee buy-in, the program may not ever fully be implemented.   For example, group decisions have an advantage of the group’s wider range of experience.   Employee participation means that employees are encouraged to participate fully in the program, including the review and investigation of injuries and illnesses, periodic workplace inspections, and regular safety and health meetings, and recommendations to the employer with respect to the overall safety program.

Analysis of the Work Environment

Work environment analysis helps the business with the identification of hazards by conducting baseline reviews for safety and health.  Additionally, employers should have a system in place for completing periodic updates to ensure continued safety.

Work environment analysis involves a variety of worksite inspections to identify not only existing hazards, but also conditions and operations in which changes might create hazards. Effective safety programs have systems in place to actively analyze the work tasks and the work setting to anticipate and prevent harmful occurrences.

Hazard Prevention and Control

Hazard prevention and control procedures ensure all current and potential hazards are corrected in a timely manner and safe work practices are understood and followed by all members of the work team.  Also, the company needs to ensure that all appropriate personal protective equipment is provided, and all other necessary actions are implemented and followed.  Workplace rules should provide guidance for employees’ behavior. The entire organization needs to continually be mindful of safety…it should be part of the culture.

Additionally, as part of the overall safety plan, management should focus on encouraging employees to report unsafe behaviors. Reporting of close calls and unsafe conditions may help keep tragic incidents from occurring.

Training

An effective safety prevention program includes training for all employees and managers. In addition to initial training during the safety program’s implementation, and when new employees are hired, ongoing training and any other needed updates need to occur in order to support a safe culture within the Company.  Besides in-person training, there are many other options for training, including online courses, DVDs and written materials.  Companies will need to consider their employee demographics to determine what type of training may work best.

If your business needs assistance with creating or updating an Accident Prevention and Safety Program, give us a call at 866.599.1733.

Email as Evidence

May 29th, 2014

At red and associates, we have a significant number of years of Human Resources experience between us, and have all worked with a considerable number (and variety) of managers and employees.  Over our professional careers, much of our daily communication has switched from phone calls or face-to-face chats to e-mails or even text messages.   In a previous edition of our newsletter, we reviewed basic e-mail etiquette; however, we also want to address the potential liability that seemingly innocent e-mail may be exposing your business to on a regular basis.

Many employees may not realize that e-mail may be considered electronic evidence and is discoverable if any type of lawsuit is filed.  Once that send button is pushed, you have created a paper trail that could come back to haunt you.

Here is a case for review:  a person applied for a position at a mid-size company by e-mailing his resume and cover letter. He heard back from the company, but received a very different e-mail than what he expected.  The individual received an e-mail from the CEO.  At first, he was thrilled that the CEO actually responded to his application personally.  However, as he began to read through the response, he soon discovered it had been intended for a co-worker inside the company instead.  The e-mail suggested the applicant “must be old and just looking for something to do.”  Imagine the CEO’s surprise when a case was made against the company for a Violation of the Age Discrimination in Employment Act.

Here are two other cases we have heard of in just the last few weeks. Would you want these to be seen in court?

Example 1:  A manager e-mails another manager after one of his employees called in sick on a Monday due to a migraine for which she uses approved intermittent FMLA – “Mary called in with another Monday Migraine.  I think she is just recovering from a case of the ‘Weekend Bottle Flu’.”

Example 2:  On a Friday afternoon, which happened to be very sunny and warm, a supervisor e-mailed her manager after an employee left early for religious reasons and said, “The God she worships is the Sun.”

As you can see by these examples, having a policy in place and employee training is essential. A key point to remember….do not put anything into writing that you would not want read on the national nightly news, or printed on the front page of the newspaper… or read in a courtroom where your company is on trial.

Tips to Keep your Company more Secure

March 28th, 2014

Most companies keep sensitive personal information in their files and on their computers (names, Social Security Numbers, insurance numbers, account data, etc.) that identifies customers or employees.  Businesses need this information to fill orders, meet payroll or perform other necessary business functions.  However, if sensitive data falls into the wrong hands, it can lead to identity theft and potentially… FRAUD.  Safeguarding sensitive data is just plain good business.  Even if your industry or business does not have to comply with current Federal and/or State confidentiality laws (such as the Red Flag regulations), what steps should you be taking to protect personal information at your company?

Listed below are 15 ways to protect sensitive information in your organization.

1. Do you have a written policy in place to ensure that sensitive, confidential paperwork is unreadable before you throw it away?  Have shredders by every work station where sensitive data is handled; if an area has a large amount of sensitive paperwork to be shredded, consider hiring a third party company to shred and dispose of the material.

2. Do you have a system in place defining how all personal information on customers and employees is destroyed once it is no longer needed?  Having shredders available is just one step.  Be sure you have identified all forms, letters, files, etc. that contain personal identification, then write specific steps on what needs to occur when a specific form, etc. must be destroyed.

3. Do you check references and/or complete background checks before hiring employees who will have access to sensitive data?  Companies can significantly reduce their exposure to internal criminal risk if they follow a policy of checking both references AND backgrounds prior to hire.  If they do so, they need to have the appropriate forms for potential employees to sign that give them permission to seek this information.  Because potential employees must provide confidential information for background checks to be completed, the company will be subject to Red Flag regulations (see question 4).

4. Is your company subject to Red Flag regulations?  The Red Flag Rules require financial institutions and creditors to implement a written Identity Theft Protection Program to detect, prevent and mitigate identity theft in connection with new and existing “covered accounts”.

5. Have you appointed someone within your management team as Information Security Officer?  Because a majority of identity breaches occur through a company’s technology, the Information Security Officer is usually someone in the IT department who can keep abreast of the latest threats and make adjustments rapidly.

6. Do you ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data?   This form should be part of every new hire packet; regardless of how little the new employee will be exposed to confidential data.

7. Do you audit your confidentiality agreements periodically to be certain no employee has been missed?  Not only should a company audit these agreements to assure all have signed them, but the document itself needs to be reviewed at least on an annual basis to assure it covers all the areas needed to protect the identity of clients, the vendors, the company and its employees.

8. Do all employees understand that abiding by your company’s data security plan is an essential part of their duties?  Data security responsibilities and tasks need to be included in the employees’ job descriptions to focus their attention that abiding by the policies and procedures of the security plan is an important part of their job.

9. Do you regularly conduct training to remind employees of your company’s policy—and any legal requirement—to keep customer information secure and confidential?  Training…and enforcing…are key to assuring your policies are followed consistently.

10. Do you limit access to personal information to only those employees with a “need to know”?  Sensitive information is needed for some tasks to be completed adequately.  Companies have a duty, however, to assure that only those who need the information to complete their job have access to it.

11. Are your fax machines in a secure area?  While you can control most of the information that leaves your office, you also need to take adequate steps to assure that information coming to your office through your fax machines is handled in a secure environment.

12. Do you have a policy for receiving mail to assure only approved employees have access to confidential information?  Different departments might receive mail that has sensitive information enclosed; however, steps should be taken to assure that only those who need the information have access to it.

13. Do you review how confidential personal information is stored and accessed?  The company must take adequate precautions that all departments and branches follow the same policies and procedures when it comes to personal information storage and retrieval.  If the company has employees that travel with technology that contains sensitive information, policies and procedures need to be applied consistently through the organization.  Examples would be policies for employees who store customer information on their PDAs, for safeguarding financial information being stored on an employee’s laptop who sometimes works from home, for an outside salesperson whose Blackberry contains sensitive emails from the home office, etc.

14. Do you regularly assess what personal information you really need to collect?  Just a few years ago, many job applications asked for the social security number and most insurance companies used the insured’s social security number as their policy number.  Companies must constantly manage their risk for identity theft exposure by limiting access (and collection) of personal information wherever and whenever possible.

15. Do you keep all written confidential information such as employee personnel files and customer information in locked file cabinets?  It may seem obvious, but too often sensitive information falls into the wrong hands not because of some complicated technology breach but because a file door was left unlocked…or there was no lock on it in the first place.

Tips to keep your company more secure

March 7th, 2014

Most companies keep sensitive personal information in their files and on their computers (names, Social Security Numbers, insurance numbers, account data, etc.) that identifies customers or employees.  Businesses need this information to fill orders, meet payroll or perform other necessary business functions.  However, if sensitive data falls into the wrong hands, it can lead to identity theft and potentially… FRAUD.  Safeguarding sensitive data is just plain good business.  Even if your industry or business does not have to comply with current Federal and/or State confidentiality laws (such as the Red Flag regulations), what steps should you be taking to protect personal information at your company?

Listed below are 15 ways to protect sensitive information in your organization.  Next month, we’ll provide our readers with 15 MORE ways to make your workplace more ’identity theft-proof’.

1. Do you have a written policy in place to ensure that sensitive, confidential paperwork is unreadable before you throw it away?  Have shredders by every work station where sensitive data is handled; if an area has a large amount of sensitive paperwork to be shredded, consider hiring a third party company to shred and dispose of the material.

2. Do you have a system in place defining how all personal information on customers and employees is destroyed once it is no longer needed?  Having shredders available is just one step.  Be sure you have identified all forms, letters, files, etc. that contain personal identification, then write specific steps on what needs to occur when a specific form, etc. must be destroyed.

3. Do you check references and/or complete background checks before hiring employees who will have access to sensitive data?  Companies can significantly reduce their exposure to internal criminal risk if they follow a policy of checking both references AND backgrounds prior to hire.  If they do so, they need to have the appropriate forms for potential employees to sign that give them permission to seek this information.  Because potential employees must provide confidential information for background checks to be completed, the company will be subject to Red Flag regulations (see question 4).

4. Is your company subject to Red Flag regulations?  The Red Flag Rules require financial institutions and creditors to implement a written Identity Theft Protection Program to detect, prevent and mitigate identity theft in connection with new and existing “covered accounts”.

5. Have you appointed someone within your management team as Information Security Officer?  Because a majority of identity breaches occur through a company’s technology, the Information Security Officer is usually someone in the IT department who can keep abreast of the latest threats and make adjustments rapidly.

6. Do you ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling sensitive data?   This form should be part of every new hire packet; regardless of how little the new employee will be exposed to confidential data.

7. Do you audit your confidentiality agreements periodically to be certain no employee has been missed?  Not only should a company audit these agreements to assure all have signed them, but the document itself needs to be reviewed at least on an annual basis to assure it covers all the areas needed to protect the identity of clients, the vendors, the company and its employees.

8. Do all employees understand that abiding by your company’s data security plan is an essential part of their duties?  Data security responsibilities and tasks need to be included in the employees’ job descriptions to focus their attention that abiding by the policies and procedures of the security plan is an important part of their job.

9. Do you regularly conduct training to remind employees of your company’s policy—and any legal requirement—to keep customer information secure and confidential?  Training…and enforcing…are key to assuring your policies are followed consistently.

10. Do you limit access to personal information to only those employees with a “need to know”?  Sensitive information is needed for some tasks to be completed adequately.  Companies have a duty, however, to assure that only those who need the information to complete their job have access to it.

11. Are your fax machines in a secure area?  While you can control most of the information that leaves your office, you also need to take adequate steps to assure that information coming to your office through your fax machines is handled in a secure environment.

12. Do you have a policy for receiving mail to assure only approved employees have access to confidential information?  Different departments might receive mail that has sensitive information enclosed; however, steps should be taken to assure that only those who need the information have access to it.

13. Do you review how confidential personal information is stored and accessed?  The company must take adequate precautions that all departments and branches follow the same policies and procedures when it comes to personal information storage and retrieval.  If the company has employees that travel with technology that contains sensitive information, policies and procedures need to be applied consistently through the organization.  Examples would be policies for employees who store customer information on their PDAs, for safeguarding financial information being stored on an employee’s laptop who sometimes works from home, for an outside salesperson whose Blackberry contains sensitive emails from the home office, etc.

14. Do you regularly assess what personal information you really need to collect?  Just a few years ago, many job applications asked for the social security number and most insurance companies used the insured’s social security number as their policy number.  Companies must constantly manage their risk for identity theft exposure by limiting access (and collection) of personal information wherever and whenever possible.

15. Do you keep all written confidential information such as employee personnel files and customer information in locked file cabinets?  It may seem obvious, but too often sensitive information falls into the wrong hands not because of some complicated technology breach but because a file door was left unlocked…or there was no lock on it in the first place.