Businesses are becoming much more focused on customer data privacy issues and regulations these days. Failure to safeguard information can not only open a company to legal liabilities, but can also be an expensive public relations nightmare if a company has to disclose that its computer system has been hacked and private information stolen.
Privacy is also a concern for information that might be shared deliberately. Bill Leech, a shareholder with Copeland, Cook, Taylor & Bush, P.A., Ridgeland, said while there are exceptions, such as in the areas of credit bureau reporting or federal regulations in the health care industry, the best general practice for a small business to follow is this: Don’t disclose customer information to third parties without either the customer’s informed written consent or an order from a court of competent jurisdiction.
Employers must be very careful with information concerning individual employees, said Robert C. “Bob” Richardson, an attorney with Copeland, Cook, Taylor & Bush. For example, certain employee information, such as medical information, may be protected by law.
“Dissemination of other information, such as grounds for discharge or a subjective evaluation of the employee’s performance history, may result in a defamation suit against the employer,” Richardson said. “The best practice for an employer is to treat all personnel-related information as confidential. The employer should have a firm policy that all requests for information — both oral and written — should be forwarded to human resources for processing. Only basic information, such as verification of positions held and employment dates, should be given to third parties, unless the employer is presented with an authorization signed by the employee to reveal additional information.”
Most of the time, it probably isn’t necessary for small businesses to obtain legal advice about privacy laws.
“I think businesses are generally fairly well informed about privacy laws,” said Chad Shook, an attorney with Aultman, Tyner & Ruffin, Ltd., Hattiesburg. “If they have doubts or questions, they should certainly contact an attorney well versed in privacy laws, because they can certainly find themselves in a litigious situation if they do step over into a violation of privacy situation.”
It is an unfortunate fact that even large companies with major information technology resources have been victims of hacking.
“In the technological world we live in with the Internet, there are a lot of savvy folks out there who, if they have the mindset to break into your system, can do it,” Shook said. “But it is important to take adequate steps as a business person to prevent that from happening. It is important for the small business person regardless of the field they are in to assure that, if they have a broad based electronic network, make sure to have appropriate safeguards in place like firewalls to make sure that information is adequately protected.”
The cost and hassle of compliance with privacy laws can depend on the type of business and the scope of the business. For example, healthcare providers face stringent requirements for protecting the privacy of patients.
“For medical records, the HIPAA (Health Insurance Portability and Accountability Act of 1996) regulations that were put in place several years ago have placed an incredible burden on the medical community to be compliant,” Shook said. “By the same token, it is important they do maintain that compliance in order to protect the individual information of the patients.”
The Department of Health and Human Services (DHHS) said the shift of medical records from paper to electronic formats has increased the potential for individuals to access, use and disclose sensitive personal health data. HIPAA has addressed these concerns with new privacy standards that set a national minimum of basic protections, while working to balance individual needs with those of society. HIPAA provides the following controls over health information:
• Sets boundaries on the use and release of health records.
• Establishes appropriate safeguards that the majority of healthcare providers and others must achieve to protect the privacy of health information.
• Holds violators accountable with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
• Strikes a balance when public health responsibilities support disclosure of certain forms of data.
• Enables patients to make informed choices based on how individual health information may be used.
• Enables patients to find out how their information may be used and what disclosures of their information have been made.
• Generally limits release of information to the minimum reasonably needed for the purpose of the disclosure.
• Generally gives patients the right to obtain a copy of their own health records and request corrections.
• Empowers individuals to control certain uses and disclosures of their health information.
Contact MBJ contributing writer Becky Gillette at email@example.com.