CHAPTER 15
HRIS Privacy and Security
WHY PRIVACY IS CRITICALLY IMPORTANT
An HRIS includes a great deal of confidential data about employees, such as Social Security numbers, medical data, bank account data, salaries, domestic partner benefits, employment test scores, and performance evaluations.
It is critical for organizations to understand and pay close attention to what employee data is collected, stored, manipulated, used, and distributed—when, why, and by whom.
Organizations also need to carefully consider the internal and external threats to these data and develop strong information security plans and procedures to protect these data and comply with legislative mandates.
Kavanagh, Human Resource Information Systems 4e. SAGE Publications, 2018.
WHY PRIVACY IS CRITICALLY IMPORTANT
However, starting in the 1990s, as computer networks became more common, threats to information security became more complex because of the presence of enterprise-wide systems.
There is a growing concern about the extent to which these systems permit users (both inside and outside of the organization) to access a wide array of personal information about employees. As a result, employees may perceive that if these data are accessed by others, the information contained in their employment files may embarrass them or result in negative outcomes (e.g., denial of a promotion or of a challenging job assignment).
WHY PRIVACY IS CRITICALLY IMPORTANT
Recent research suggests that this concern may be well founded. For example, one report indicated that over 500 million organizational records have been breached since 2005, and there has been a rise in the theft of employment data (Privacy Rights Clearinghouse, 2010).
In view of the growing concern about identity theft and the security of employment information in HRIS, a number of states (e.g., AK, CA, FL, HI, IL, LA, MO, NY, SC, WA) passed privacy laws requiring organizations to adopt reasonable security practices to prevent unauthorized access to personal data (Privacy Protections in State Constitutions, 2012).
WHY PRIVACY IS CRITICALLY IMPORTANT
Despite these new laws, results of surveys revealed that 43% of businesses stated that they did not put any new security solutions in place to prevent the inadvertent release of or access to employee data, and almost half did not change any internal policies to ensure that data were secure.
The cost of these data breaches can be large. For example, the average cost of a data breach has increased to almost $7 million per firm.
WHY PRIVACY IS CRITICALLY IMPORTANT
Software vendors, such as Oracle, are aware of the potential for security breaches and offer multiple security models (e.g., Standard HRIS Security and Security Groups Enabled Security) that enable an administrator to set up HRIS security specifically for an organization. This means that the software allows companies to determine the kind of data access and responsibility each employee has.
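Deny-by-default, field-level access control of the kind this slide describes (a role sees only the HRIS fields it is granted, identifiers can be partially masked, and an audit log makes refused requests detectable), as an added Python illustration that is not Oracle's security model or the textbook's code; the roles, their grants and the employee records are constructed assumptions:

```python
"""Deny-by-default, field-level access control for HRIS records (illustrative;
not Oracle's model). Roles, grants and sample records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Confidential HRIS fields named in the chapter.
SENSITIVE_FIELDS = {"ssn", "medical_data", "bank_account", "salary",
                    "domestic_partner_benefits", "test_scores",
                    "performance_evaluation"}

# Assumed role policy: "scope" says which records a role may touch at all,
# "fields" what it may read there, "mask" which of those come back redacted.
POLICY = {
    "hr_admin": {"scope": "all", "fields": SENSITIVE_FIELDS, "mask": set()},
    "payroll": {"scope": "all", "fields": {"bank_account", "salary", "ssn"},
                "mask": {"ssn"}},
    "manager": {"scope": "reports", "mask": set(),
                "fields": {"performance_evaluation", "test_scores"}},
    "employee": {"scope": "self", "fields": SENSITIVE_FIELDS, "mask": set()},
}

@dataclass
class Employee:
    emp_id: str
    manager_id: Optional[str]
    record: Dict[str, str]

# Constructed sample records with fake values; E200 and E300 report to E100.
DIRECTORY = {
    "E100": Employee("E100", None, {"ssn": "111-22-3333", "salary": "95000"}),
    "E200": Employee("E200", "E100", {"ssn": "123-45-6789", "salary": "72000",
                                      "performance_evaluation": "Exceeds"}),
    "E300": Employee("E300", "E100", {"ssn": "999-88-7777", "salary": "61000"}),
}

# One audit entry per request, whether granted or refused.
AUDIT_LOG: List[Dict[str, object]] = []

def in_scope(scope: str, actor: Employee, target: Employee) -> bool:
    """Does the role's record scope cover this actor/target pair?"""
    return (scope == "all"
            or (scope == "self" and actor.emp_id == target.emp_id)
            or (scope == "reports" and target.manager_id == actor.emp_id))

def mask_value(field_name: str, value: str) -> str:
    """Partial redaction: an SSN keeps only its last four digits."""
    return "***-**-" + value[-4:] if field_name == "ssn" else "[REDACTED]"

def read_record(actor: Employee, role: str, target: Employee,
                requested: List[str]) -> Dict[str, str]:
    """Return only the requested fields the role may see; log every request."""
    policy = POLICY.get(role)  # unknown role -> None -> nothing granted
    allowed = policy is not None and in_scope(policy["scope"], actor, target)
    granted, denied, view = [], [], {}
    for f in requested:
        if allowed and f in policy["fields"] and f in target.record:
            value = target.record[f]
            view[f] = mask_value(f, value) if f in policy["mask"] else value
            granted.append(f)
        else:
            denied.append(f)
    AUDIT_LOG.append({"actor": actor.emp_id, "role": role,
                      "target": target.emp_id, "granted": granted, "denied": denied})
    return view

def denied_access_attempts(log):
    """Detection helper: audit entries where at least one field was refused."""
    return [e for e in log if e["denied"]]
```

Reviewing `denied_access_attempts(AUDIT_LOG)` periodically surfaces the unauthorized-access attempts the chapter warns about, whether from an out-of-scope manager or an unknown role.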
EMPLOYEE PRIVACY ISSUES
The U.S. Fair Labor Standards Act of 1938 requires employers to maintain basic information on all employees, including Social Security number, address, gender, occupation, pay, and hours worked. However, the increased use of HRIS to store these data has prompted concerns about the degree to which these systems have the potential to invade personal privacy.
Information privacy has been defined as the “degree to which individuals have control over the collection, storage, access, and release of personal data.”
EMPLOYEE PRIVACY ISSUES
Unauthorized access to information
Unauthorized disclosure of information
Data accuracy problems
Stigmatization problems
Use of data in social network websites
Lack of privacy protection policies
Despite the widespread use of HRIS and growing concerns about the (a) unauthorized access, (b) unauthorized release, (c) data accuracy, and (d) use of data to stigmatize employees, many companies have not established fair information management policies to control the use and release of employee information.
COMPONENTS OF INFORMATION SECURITY
The McCumber Cube provides a graphical representation of an architectural approach widely used in information security. It examines not only the characteristics of the information to be protected but also the context of the information state. The cube allows an analyst to identify the information flows within an HRIS, review them for important security-relevant factors, and then map the findings to the cube. The cube has three dimensions. If extrapolated, the three values on each axis form a 3 x 3 x 3 cube with 27 cells representing areas that must be addressed to secure a modern-day information system.
COMPONENTS OF INFORMATION SECURITY
Desired Information Goals – Ensure that data is kept confidential, has not been manipulated, and is available to those who are authorized to access it
Countermeasures – Identify mechanisms that can be used to protect data
State of Information – Identify the state in which data is currently residing
THE MCCUMBER CUBE
SECURITY THREATS: SOURCES
Human error
Disgruntled employees and ex-employees
Other “internal” attackers
External hackers
Natural disasters
SECURITY THREATS: TYPES
Misuse of computer systems
Extortion
Theft
Computer-based fraud
Cyber-terrorism
Phishing
Denial-of-service (DoS)
Software threats
SECURITY THREATS: TYPES
A computer virus is a type of malware that works by inserting a copy of itself onto a computer or device (e.g., smartphone) and then becoming part of another program. It can attach itself to files without the user’s knowledge and duplicate itself by executing infected files. When successful, a virus can alter data, erase or damage data, create a nuisance, or inflict other damage.
Worms are in some ways similar to viruses since they can replicate themselves. However, unlike viruses, which require the spreading of an infected file, worms such as Code Red, Slammer, and MyDoom can spread by themselves without attaching to files.
SECURITY THREATS: TYPES
Spyware is software installed on an unknowing user’s computer that gathers information about the user’s activities on the Web (keystrokes, websites visited, et cetera) and transmits it to third parties such as advertisers or attackers. Problems associated with spyware include potential privacy invasion, appropriation of personal information, and interference with the user’s computer operation.
Blended Threats: These threats propagate both as viruses and worms. They can also post themselves on websites for people to download unwittingly.
SECURITY THREATS: TYPES
A Trojan is another type of malware that usually hides inside e-mail attachments or files and infects a user’s computer when attachments are opened or programs are executed. Trojans are named after the Trojan horse of Greek mythology in that they appear to be something positive but are, in reality, doing something malicious. Unlike viruses and worms, Trojans do not reproduce by infecting other files, nor do they self-replicate. Instead, they must be opened on a computer by a user. Some Trojans can work as spyware, while others can display a login or install screen and collect personal data such as usernames and passwords, or other forms of identification, such as bank account or credit card numbers. They can also copy files, delete files, uninstall applications using remote access programs on the computers, and format disks without alerting the victim.
INFORMATION POLICY AND MANAGEMENT
Fair information management policies
To date, there has been legislation restricting the collection, storage, use, and dissemination of employee information in the public sector (e.g., Privacy Act of 1974), but there is no comprehensive federal legislation on employee information privacy in private-sector organizations.
INFORMATION POLICY AND MANAGEMENT
However, one state, California, has recently passed a law that protects the privacy of employee records in private-sector organizations (Privacy Protection in State Constitutions, 2012).
In addition, multinational organizations should also consider the privacy practices in the countries in which they operate. The challenge for organizations is that every country takes a different perspective on protecting employee information privacy, and your organization will need to be familiar with all the applicable laws in each country in which you operate.
PROTECTING EMPLOYEE PRIVACY
“There are few laws governing the storage, use, and dissemination of information in HRIS. Organizations may decrease the degree to which employees perceive that HRIS invades their privacy by establishing fair information management policies and practices.”
EFFECTIVE INFORMATION SECURITY PRACTICES
Follow established security standards such as the ISO/IEC 27000 series.
EFFECTIVE INFORMATION SECURITY PRACTICES
Several best practices include these:
Adopt a comprehensive information security and privacy policy.
Store sensitive personal data in secure HRIS, and provide appropriate encryption.
Dispose of documents properly or restore persistent storage equipment.
EFFECTIVE INFORMATION SECURITY PRACTICES
Build document destruction capabilities into the office infrastructure.
Implement and continuously update technical (firewalls, antivirus, antispyware, etc.) and nontechnical (security education, training, and awareness) measures.
Conduct privacy “walk-throughs,” and make spot checks on proper information handling.
Collaborative Documentation (CD)
Completing all or most of the documentation with the individual during the time of the service
Benefits of CD
Efficient
Allows our clients to know what is in their charts
Clarify information
Include client perspectives
Clients will become more engaged and involved in their treatment
Specific treatment outcomes can be discussed
Change in treatment plan can be addressed more quickly (emphasis on collaboration)
CD and Clinical Practice
Collaborative Documentation integrates documentation into clinical practice
Documentation becomes useful to the interests and values of practitioners
Documentation becomes timely (real time)
Client participation will improve
Focus on treatment goals/objectives
Intake Process with CD
Non-clinical staff collect the non-clinical information (demographics)
Completing all information gathering collectively
Allowing clients to view the computer screen
Pointing to the computer screen and alternating between listening and summarizing
Depending on client presentation, some parts of the assessment may be completed post-session (e.g., mental status exam).
Tips for Psychiatric Providers
Start by asking ‘What do we want to result from our work over the next few months? How will we know if we’re successful?’
Measurable or observable outcomes
What can we do together to move towards your goal (e.g., how medication monitoring services will assist in the overall treatment goal)
Changes in functioning, behaviors, symptoms, skills
Additional Tips
‘I may be typing while you are answering some of my questions so that I am not missing any information shared with me.’
Alternating between listening, summarizing, and eye gaze will assist in building a therapeutic alliance.
Completing the note during intervals (whatever works for the individual; some clients may need a brief break or a change in focus)
More Tips!
Allow the individual and family to see the note!
Agree to disagree
Think of CD as a written ‘wrap-up’ versus paperwork
Control documentation to enhance the clinical process
Invite clients to share their values/perspectives
Use formatted notes (thank you, HMS!)
Attitude is KEY: present CD as an invitation
Office Setup
Where is your desk in relation to where clients sit?
How is your computer positioned?
Are you facing clients?
Are you able to turn your screen so clients can see what you’re typing?
Is your office conducive to CD?
Clinical Benefits
Highly positive responses from individuals/families
Improved recall and plan adherence
Improved engagement: reductions in no-shows/cancellations
More time to see clients and meet the needs of the community
Data from 10 CMHCs
10 community mental health centers were randomly assigned to receive training in person-centered planning and collaborative documentation or to provide treatment as usual (N=17,000)
Medication adherence and service engagement were measured over 11 months
RESULTS: Medication adherence increased significantly in the experimental group (B=.022, p<.01) but showed no significant change in the control condition (B=.004, p=.25). Appointment no-shows were also reduced in the experimental group.
National Council Survey
1. On a scale of 1 to 5, how helpful was it to have your provider review your note with you at the end of session?
81% stated it was either ‘Very Helpful’ (51%) or ‘Helpful’ (30%)
9% stated it was ‘Neither Helpful nor Not Helpful’
1% stated it was ‘Not Helpful’
5% stated it was ‘Very Unhelpful’
4% had No Opinion/NA
Involvement in Care
2. On a scale from 1 to 5, how involved did you feel in your care, compared to past experiences (either with us or another agency)?
51% stated they felt ‘Very Involved’
28% felt ‘Involved’
14% felt ‘About the Same’
1% felt ‘Not Involved’
3% felt ‘Uninvolved’
3% N/A or No Opinion
Provider Approach
3. On a scale of 1 to 5, how well do you think your provider did in introducing and using this new system?
68% reported ‘Very Good’
25% reported ‘Good’
4% stated ‘Average’
0% reported ‘Poorly’
1% reported ‘Very Poorly’
2% had No Opinion/No Answer
Continue with CD?
4. On a scale of 1 to 3, in the future, would you want your provider to continue to review your note with you?
77% said YES!
11% were unsure
6% said NO
6% had No Answer/NA
Medication Adherence
Outpatient Pilot
Selected interested clinicians from 4 outpatient sites to go through a collaborative documentation training (webinar), and management provided ongoing support/guidance (N=242). Used the same 4-question survey from the National Council
77% of clients reported it either ‘Very Helpful’ or ‘Helpful’ to have their provider review notes with them at the end of session (similar to national average)
80% of clients reported they felt either ‘Very Involved’ or ‘Involved’ (Likert scale) in their care (similar to national data)
Outpatient Data
88% of clients reported their provider did a ‘Very Good’ or ‘Good’ job with introducing the system
72% of clients reported they would want their provider to continue the CD method
Overall, data from this pilot were similar to the national average in terms of client responses/reactions to CD
Staff Reactions to CD
100% of the staff who were surveyed had implemented CD for one or more months
83% reported it was either ‘Very Easy’ or ‘Easy’ to learn collaborative documentation vs. 16% of staff who reported it was ‘Not Easy.’
58% reported CD is helpful to the treatment process vs. 33% who reported it was ‘Neither Helpful nor Not Helpful.’
50% reported clients were either ‘Very Involved’ or ‘Involved’ in the treatment process as a result of CD (77% of clients reported feeling involved in their care)
75% reported CD has been helpful with paperwork efficiency
50% reported better workplace satisfaction with the use of CD
Research on Nonverbal Communication
A study out of Northwestern evaluated eye gaze patterns between PCPs and patients while electronic health records are used
100 patient visits were observed and videotaped in 10 PCP offices
Researchers wanted to assess eye contact as it relates to using electronic health record systems vs. paper charts
Investigators were interested in how EHR affects the quality of the patient/physician interaction
Possible design guidelines indicated
Findings
Given that nonverbal communication is being explored as an important aspect of treatment, eye contact, body language, posturing, and facial expressions are vital when using an EHR system
This study found patients’ eyes go where the physician’s eyes go (patients gazed at their doctor 50% of the visit vs. doctors’ gaze patterns towards patients, which was 47% of the visit)
Physician-initiated eye gaze was found to be an important driver of interactions between the patient and physician.
Implementation
Skepticism
Concerns
Healthy work/life balance?
4-6 weeks to transition fully into CD mode
Addressing concerns as they arise
Seeking guidance/support from management during the initial phase
Questions?
References
Asan, O., & Montague, E. (2014). Dynamic modeling of patient and physician eye gaze to understand the effects of electronic health records on doctor-patient communication and attention. International Journal of Medical Informatics, 83, 225–234.
Schmelter, B. (2013). Collaborative documentation gets you off the compliance treadmill. Retrieved from TheNationalCouncil.org.
Stanhope, V., Ingolia, C., Schmelter, B., & Marcus, S. C. (2013). Impact of person-centered planning and collaborative documentation on treatment adherence. Psychiatric Services, 64(1), 76–80.