Sensitive Information and Security

I don't like to point fingers.  I really don't.  But in this particular situation, I feel that a bit of awareness is needed.

I’m sure you have, at least once in your life, had a drug screen.   We all have.  It's generally a part of any employee's pre-screening process.  During a drug screen a Chain of Custody form is used.  This form reflects the name of the individual being tested as well as their Social Security Number which is used as an identifier. The Chain of Custody Form has been given a status as a legal document for it has the ability to invalidate a specimen that has been tampered with and does not have complete information written on it.  The key words here are “legal document.”  Based on the information reflected on the COC, the form should be monitored to ensure the security of the information provided on the form. 

For the past year, Excel Urgent Care has been our drug screen program vendor.   To protect the integrity of the information reflected on the COC forms, and due to the lack of a secure fax line in my area, Excel has been instructed to mail the employer section of the COC to me.  *I don't like the idea of the COC, with such sensitive information on it, just sitting in a fax box.*

Last week I received a large envelope that contained approximately 35 employer copies of the COC form.  The problem?  Not one of the COC forms in the envelope represented an employee here at Company T.  This sensitive information had been disclosed to a third party, me.   That afternoon  I made a trip to Excel to return the documents and have a brief discussion with the office staff impressing upon them the seriousness of the situation and how critical it is to ensure that this information is protected.    If I’m receiving information on third parties, where, potentially, is my information going?

Yesterday, I received another envelope from Excel Urgent Care.  It was addressed to “Child Protective Service” but mailed to my office address.  The information contained related to a CPS Investigation and a pending divorce.  Not only were the COC forms enclosed, but other sensitive information as well.  The receipt of this information necessitated a second trip to Excel.  However, this time I was able to meet with the manager to express my concern.  She was not aware of the first incident but promised to take the necessary steps to ensure that this type of error did not reoccur.  Without the words being uttered, she understood the potential legal risk associated with the disclosure of this information.

Let's keep our fingers crossed shall we?

In Closing:  Training is critical to ensure that employees protect and treat this sensitive information like a controlled substance.