Corporate Compliance Insights

Managing Risk with Contact Tracing as Part of a Back-to-Work Strategy

How to Implement the Right Strategy While Mitigating Privacy Risks

by Dan Zitting
August 12, 2020
in Featured, Risk
[Illustration: smartphone health-tracking app showing locations of people wearing face masks]

Companies beginning to reopen might consider contact tracing to mitigate risk. These organizations and their employees alike may have well-founded worries, however. Galvanize's Dan Zitting addresses concerns with respect to HIPAA compliance and data privacy.

Cases of COVID-19 are continuing to rise in the U.S., but companies are eager to get back to work and are opening their doors despite the ongoing crisis. However, reopening creates a significant amount of risk. One way to handle this new risk is by implementing contact tracing.

Contact tracing has a reputation for being an expensive, laborious and time-intensive process that requires immense amounts of personal, potentially confidential information. This can be the case if organizations collect employee health information, but many companies already have the data needed to effectively put controls into place to mitigate reopening risk while maintaining data privacy and HIPAA compliance.

Take warehouses filled with sensors or offices that use badge access to enter rooms: With relatively simple analysis of the sensor or badge data, organizations can determine which employees have been in proximity with each other. Companies can get even more granular location data by having employees wear wristbands or adding code to company apps on employee phones.

From a risk perspective, companies may not know who has COVID-19, but they do have access to HR data regarding who has taken sick days. By joining that HR data with physical location data from badges or wristbands, companies can identify which employees shared space with someone who later reported sick, and take appropriate action, such as asking potentially exposed employees to stay home, with pay.

When collecting data about employees, privacy is a critical consideration. Most of the information needed to create an effective contact tracing program is already available to organizations under a standard employee agreement. As seen in the badge and sick day example, neither of these data sets is covered by HIPAA, and both are already in the company's hands, subject to whatever state privacy and employment laws apply.

Compliance Collecting Health Data

When delving beyond standard employee data, companies need to be cautious about data privacy. Once employers ask employees to self-report health information, the compliance landscape becomes much more complex: HIPAA applies where the employer is a covered entity or is handling data from one, and the Americans with Disabilities Act requires that medical information obtained from employees be kept confidential and separate from ordinary personnel files, on top of state privacy law. While these requirements can be tricky and time consuming to navigate, the company gains access to more robust data that can provide deeper insight into its risk.

Compliance for private health and employee data is a complicated matter, because a patchwork of differing laws protects employee privacy across the U.S. State laws vary, but HIPAA and OSHA regulations are uniform nationwide, and OSHA offers resources specific to COVID-19 that cover employee rights and employer responsibilities. Contact tracing that includes health data must also comply with state privacy laws such as New York's SHIELD Act and California's CCPA. Employees must opt into any contact tracing program that requests health information and must understand that sharing is not obligatory.

For any employer storing health information, it’s critical that they document and understand where it’s being stored, who has access, why it was collected and how it will be used. Because pandemic-related compliance laws are evolving, documentation is key. Companies must show that they’re putting their best effort into being as compliant as possible. Compliance software helps by automating risk controls and actively monitoring them. With these GRC software systems in place, companies gain the additional benefit of real-time compliance and risk insights to better manage sensitive data.

Cybersecurity Risk

Because sensitive information is stored, it's also imperative that organizations maintain proper cybersecurity measures. The World Health Organization reported a fivefold increase in cyberattacks directed at the organization since the outbreak of COVID-19. Companies are responsible for the employee health information they store, so test the systems that hold it and consider additional measures: encrypt it at rest, restrict access to the few roles that need it, log who accesses it, and keep it separate from general HR records. Companies should also set a retention period up front and put plans in place to destroy private employee data once it is no longer needed. Lastly, companies should closely evaluate the user agreements of any third-party apps used for contact tracing, in particular what the vendor may do with location and health data and what happens to it when the engagement ends. Often these agreements protect neither the company nor the end user, which can leave the company exposed down the line.

Beyond concerns about collecting health data, some employees worry that companies are using the pandemic as a rationale for monitoring employees more closely. By and large, these concerns are unfounded. For organizations particularly worried about backlash, documentation of how the data is collected and used, and for how long, is key.

Making Contact Tracing a Reality

Even with this data readily available, companies still shy away from contact tracing. One reason is a lack of desire to handle contact tracing at all; many companies are not prepared to go beyond what the government requires. But the challenge most companies have to overcome in order to implement contact tracing is making sense of the data they already have.

Companies may not know what data they have available to them or how to make sense of it, but tech is now playing a crucial role in helping teams overcome this obstacle. Analysis that would have been time consuming or labor intensive for data or risk teams a few years ago is now readily available through risk assessment technology that automates the process of cleaning and correlating data for organizations. From here, it’s a matter of implementing, monitoring and following the controls put in place. With technological advances, there’s no reason why companies should be daunted by making sense of their data in order to keep employees safe.

Contact-tracing programs are not only beneficial for the health of your employees, but can be a critical part of business continuity plans. As a workforce, we've never gone through a crisis where returning to work requires managing risk by controlling who occupies physical space. This new type of scenario requires adding an updated set of controls to the business continuity plan for the use of physical space. That portion of the plan can be as simple as admitting no more than X people onto a floor, measured by badge swipes, or as complex as the approach theme parks take in tracking every person in the park.

The final consideration for contact-tracing programs is who at the organization is responsible for them. For most mature corporations, the mandate should come from the enterprise risk management team. For midsize organizations, it may come from the legal or internal audit teams. In most companies, HR will lead the day-to-day effort. Whichever team is involved, it should understand the compliance requirements and document all program details, especially if the program collects health data.

The thought of contact tracing an entire office or organization can be intimidating, but it doesn’t have to be. With the right tech, you can get it off the ground quickly and seamlessly while keeping your strategy nimble and your employees safe.


Tags: Business Continuity Planning, COVID-19, Cyber Risk, HIPAA, OSHA

Dan Zitting

Dan Zitting serves as Chief Product & Strategy Officer at Galvanize, a provider of SaaS solutions for enterprise governance, risk management and compliance (GRC) globally. Recognized by both Forrester and Gartner as the category leader, Galvanize counts more than 6,000 of the largest enterprises and governments in over 130 countries as users of its HighBond platform. His role includes executive leadership of the company's strategy, products, underlying technology and customer service/success. Dan has been recognized with multiple awards, including CPA Practice Advisor Magazine's Forty under 40, ColoradoBiz Magazine 25 Most Influential Young Professionals, IIA Emerging Leaders, BCTIA Team of the Year, GRC 20/20 Technology Innovation and Business in Vancouver Forty under 40. Prior to Galvanize, Dan spent 10 years in professional services, including four years with the Technology & Security Risk Services practice at Ernst & Young. Following E&Y, he co-founded advisory firm Linford & Company LLP, a provider of GRC consulting services that grew to serve clients across North America, Europe and Asia. While building his firm, Dan developed a software platform for use by clients, which ultimately led him to leave to found Workpapers.com, a cloud-based audit and compliance management system. Under Dan's leadership, Workpapers.com found strong success and was acquired by Galvanize in 2011, combining cloud collaboration and "big data" analytics under one brand.