Hospital Fined for Failing to Protect Private Data

Earlier this year the U.S. Department of Health and Human Services Office for Civil Rights (OCR) fined a Dallas hospital in excess of $3 million for its failure to protect electronic data related to patients.

From 2009 through 2013 Children’s Medical Center of Dallas had three separate security breaches in which thousands of individual records were lost. In each case information on employee devices was improperly encrypted and improperly protected, resulting in the security breaches. During this period, the hospital had engaged outside experts for several risk assessments, which included the protection and security of data. The written assessments, which were reviewed as part of the OCR’s investigation, had recommended three steps: 1) implement encryption to prevent the loss of Electronic Protected Health Information (ePHI); 2) develop a mechanism to protect data on devices and flash drives that might be stolen; and 3) identify and protect high-risk information on unsecured mobile devices. These steps were recommended for implementation by the end of 2008. The investigation found that by 2013 these steps had not been implemented.

All employers have an increasing risk and therefore an increasing obligation to protect private electronic information. For healthcare organizations, however, there is an additional body of law requiring extra protection for private medical and health information. The Health Insurance Portability and Accountability Act (HIPAA) requires, among other things, that organizations that create and keep this information regularly train their workforces and implement special protocols to protect the security of electronic health information.

Among other findings, the OCR found that an employee’s iPod was synched to a work email account and that unauthorized staff had access to confidential medical information.  According to the publication LawRoom, Attorney Michael Bertoncini commented, “This fine indicates that even with the change of administration, OCR seems likely to continue its aggressive approach to HIPAA enforcement.”


This case highlights practices that should be adopted by every employer regarding confidential information. Information that may seem routine on a day-to-day basis may, in litigation or under the scrutiny of an audit, turn out to be information that should have been protected. For example, even something like a spreadsheet or report of compensation data should be handled, inside a company, with appropriate care and viewing privilege. We recommend using tools such as Box or Citrix to send privileged information rather than simple email, even internal email.

Many attorneys and data security experts recommend training and assessments of risk. This case points out, however, that these assessments can be a double-edged sword – particularly if security recommendations are presented in writing and then not implemented. Data security becomes a larger and larger issue for employers every year. We strongly recommend that every employer take appropriate steps, on an annual basis, to assess its risk, take steps to mitigate this risk, and consider purchasing the appropriate cyber insurance in the event of a breach.

Paul Finkle, CMC, SPHR – Executive Vice President

Disclaimer: Some information contained herein has been abridged from numerous sources and may be protected by various copyright laws. Such information should not be construed as consulting or legal advice. Please contact our office for specific advice and/or referrals.

Bay Area Human Resources Services

New Employee Benefit – Student Loan Repayment Assistance

The average college graduate with student loans enters the workforce with approximately $35,000 in educational debt. Tuition debt is considered the second largest consumer debt, approaching $1.3 to $1.4 trillion in the U.S. As many know, payments are required early in a graduate’s work career and represent a significant financial burden.

To respond to this issue, several start-ups have developed software platforms and a series of ideas to turn the repayment of college debt into an employee benefit that employers can support.  Gradifi is one of these organizations.

PwC, a large accounting firm, offers this benefit to their associates and senior associates. The company has adopted this platform and supports it not only as an employee benefit, but also as a recruiting tool for new hires. According to Gradifi, a payment by the employer of just $100 per month accelerates the average college debt payoff for an employee by 2.5 years, thereby saving a significant amount in interest.* Many of Gradifi’s clients report that the benefit is widely and positively received, empowering employees to take control, early in their career, of their financial future and fostering greater engagement with the employer.

Employee turnover can cost companies six to nine months of an employee’s salary. Companies offer this benefit to increase retention rates and reduce that cost. Gradifi member surveys report significantly improved employee engagement with this program.

While focused on student loans, the benefit also encourages employees to begin thinking about investments and to take greater interest in and control of their financial future.


Here at ABD, part of our wellness initiative includes “financial wellness”. It is well recognized that financial literacy is a glaring omission in the curriculum of most educational systems in the United States. Rather than pretending that challenges such as college debt do not exist, Gradifi encourages an employee to take the issue head on, work with the employer to reduce education debt and get started on a plan of savings and future financial health. First Republic Bank found Gradifi so interesting that it recently purchased the company and is heavily supporting the development of this employee benefit. There is no sign that the competition for talent, particularly in the Bay Area, is slowing down. These types of innovative employee benefits that foster greater employee engagement merit consideration as part of a total compensation package.

*Estimated savings based on a $35,000 average student loan balance at 5% APR, under a 10-year repayment plan with $100 monthly employer contributions plus regular payments made by borrower. Individual savings will vary.

Paul Finkle, CMC, SPHR – Executive Vice President


Initial Response to Employee Complaints Critical

Every employer of every size will receive a complaint from an employee at some point.  It is inevitable. How you initially respond can be crucial to a successful outcome. The four most common serious issues brought by employees are harassment, discrimination, theft, and violence, and if they are handled improperly, the results can be costly.

First and foremost, employers should encourage employees to bring complaints forward within the organization.  This is better than having the complaint directed to an outside agency such as the EEOC.  A well-defined grievance procedure offering multiple ways to bring forward an issue should be part of the employee handbook and other communications.  Another key element to encourage internal complaints is establishing a culture and record that the company takes the complaints seriously and will appropriately address them.  In other words, the company will thoroughly investigate the complaint, determine what happened, and take reasonable action based on the facts uncovered.

In a BLR webinar, as described by BLR below, Buena Vista Lyons and Delaine Smith, partners with the law firm Ford Harrison, outlined some guidance on what to do when responding to an employee complaint.

Step 1: When the Employee Comes to You

The famous first words of a complaint are often “I need to talk to you.” And of course, they’re often uttered at a time when you have too many other things to handle. Your reaction to an employee complaint will set the stage for its resolution, so it pays to have a plan. In the webinar, Lyons and Smith gave us some tips for how to react during those initial moments after hearing an employee complaint (or an indication of such):

  • Be friendly and open to talk
  • Do not immediately go into defense mode
  • Treat every complaint seriously
  • Be sincere

“Be aware of the fact that if it’s not a good time for you [to talk], that it’s your responsibility to offer a specific time and a place to meet; and try to do that within 24 hours. And before that 24-hour period goes by, if you can’t come up with a specific time and place, be sure to get back to them to schedule that meeting,” Lyons advised. The first mistake employers often make is not handling the concern promptly; when a lawsuit arises and the claimant says they went to HR to complain but no one followed up, you’re left without much defense. It’s very important to take complaints seriously and follow up.

Step 2: Determine the Best Person to Handle the Employee Complaint

Once the employee begins explaining the complaint, immediately begin assessing who would be the best person to handle the issue at hand. Sometimes the answer is you, but other times there may be someone more appropriate, depending on the details of the situation.

Once you understand the issue at hand, if you’re the best person to handle it then allow the employee to continue. But if not, stop the conversation and identify to whom the person should take the issue. If someone else is more appropriate, call that person right then and set up a meeting time or ask that person to join the ongoing meeting, if possible. Be sure that you’ve taken appropriate steps to get the complaint on the path to resolution.

When hearing an employee complaint, always remember that you are not a confidant. You are an arm of the company, and as such, information you learn may impute knowledge on the company. That said, you are also not alone – take the employee complaint to a higher authority. If an employee requests confidentiality, you can advise that you will maintain confidentiality to the extent possible, but that there is an obligation to discuss the matter with others and investigate (if applicable). You want to set forth that consistent message every time you’re in this situation. Smith confirmed this during the webinar: “There are no off-the-record conversations when these sorts of issues come up.”

Step 3: Listening and Responding

When handling an employee complaint, you need to be an active listener. Listen for the facts: who, what, when and where. Do not presume you know where the person is going – follow the road map they give. Don’t be distracted by thinking about your investigation prematurely or passing judgment on the situation and making assumptions.

Lyons also advised during the webinar that “it’s important to take notes because your memory will fail you”. Notes allow you “to summarize and be able to go back over those statements for clarification with the complainant.” Ask questions to clarify what you heard, and be sure not to second-guess the complainant.

Once you’ve gotten to this point, it’s important to close this initial conversation properly. Firstly, be sure to thank the person for coming forward, because this will go a long way to putting the employee at ease knowing they did the right thing in coming forward. Here are some other tips for closing the conversation:

  • Reiterate the fact that the company takes these types of things seriously and will take prompt action to explore the matter.
  • Don’t jump to any conclusions or say anything to indicate agreement with the claimant; be neutral.
  • Tell the employee that you will determine the need for and scope of further investigation.
  • Explain that you will keep the conversation as confidential as possible, but that others will need to be involved.
  • Ask the complainant to put their complaint in writing (signed and dated) with as much detail as possible. Sometimes the employee may be hesitant; if you can’t get it in writing, you still need to proceed based solely on the information provided verbally. Do not say you won’t do anything without the written statement – it is important to take some action now.

Malcolm Whyte, SPHR – Vice President HR Services
