A company should not store Protected Health Information (PHI) in its Human Resource Information System (HRIS) for several reasons. The main reason is that PHI is subject to the Health Insurance Portability and Accountability Act (HIPAA), whose Privacy and Security Rules set strict standards for the confidentiality, integrity and availability of PHI. One caveat on scope: HIPAA regulates covered entities (health plans, health care clearinghouses and most providers) and their business associates, and it explicitly excludes employment records that a covered entity holds in its role as employer. In practice an employer therefore handles HIPAA-covered PHI when it sponsors a self-insured group health plan, runs an on-site clinic or wellness program, or receives records from a plan or provider, and that is exactly the data an HRIS is not built to hold. The concerns below assume that situation.
Security requirements: Storing PHI in an HRIS may not meet the safeguards required by the HIPAA Security Rule, which mandates administrative, physical and technical controls for electronic PHI. An HRIS is designed around payroll, benefits enrollment and personnel records, and typically does not offer the controls expected of a system built for PHI, such as encryption of data at rest and in transit, per-record access restrictions, and a documented risk analysis covering that data.
Data integrity: The Security Rule requires that electronic PHI be protected against improper alteration or destruction, and that its accuracy and completeness be maintained. HRIS records are routinely edited in bulk by HR staff, synced to payroll and benefits providers, and overwritten by imports, so the system may not provide the integrity safeguards (change logging, validation, protection from unauthorized modification) that PHI needs.
Access controls: HR staff, managers and integrated systems such as payroll and benefits platforms usually have broad read access to employee records in an HRIS. That breadth conflicts with HIPAA's minimum necessary standard, under which each user should see only the PHI needed for their task, and it can result in HR employees or connected third parties viewing PHI they are not authorized to see.
Auditing requirements: The Security Rule requires audit controls, meaning mechanisms that record and allow examination of activity in systems containing electronic PHI, so that access can be reviewed and investigated. Many HRIS products do not log who viewed which record, or keep logs only for administrative changes, which is not sufficient for PHI.
Business associate agreements: A third-party HRIS vendor that stores or processes PHI on the employer's behalf is a business associate and must sign a business associate agreement (BAA) committing it to HIPAA's safeguards. Many HRIS vendors will not sign a BAA, or do not offer a HIPAA-eligible configuration, because their platforms were never designed to meet those obligations; placing PHI there without a BAA is itself a compliance failure.
Instead of storing PHI in an HRIS, companies should keep it in a system designed for that purpose: the group health plan's own benefits or claims administration platform, a third-party administrator operating under a BAA, or, where the employer delivers care itself, an electronic health record (EHR) system. Where PHI must be held in-house, it should be stored separately from general personnel records, with access limited to the plan administration staff who need it. HIPAA's group health plan rules also require that PHI disclosed to the employer as plan sponsor be kept apart from employment decisions, which is another reason not to mix it with HR data used for hiring, discipline or termination. The employer should have documented safeguards for the information, and a process ensuring that PHI is shared only with appropriate parties and only when necessary.