HR or Benefits Administrators who leave employment or change roles within an organization should be removed from access to not only HR systems, but also to the systems of vendors, including BAS. MyEnroll.com provides a comprehensive resource for managing employee demographics and benefits data. As such, BAS stores personal information such as Social Security Numbers, dates of birth, mailing address, and in the case of Flexible Spending Accounts, limited claims information. While BAS stores all such data securely in compliance with HIPAA, allowing a former Administrator's log-on information to remain active after the employee no longer has a legitimate business reason for accessing the data places the company and individual employees' data at risk.
The following two steps are suggested to manage Administrator log-on information proactively:
1. Develop a Checklist for Terminations. Make a list of systems that HR or Benefits Administrators can access. Be sure to include internal programs (email, Human Resource Information Systems (HRIS)) and external vendor applications. When an employee leaves employment or changes role responsibilities, use the list to ensure that access has been terminated for each area. Keep copies of email confirmations for audit purposes.
2. Review Administrator Lists Regularly. Consider reviewing Administrator lists on a regular basis, either as part of Open Enrollment or during a less busy time of year. This will provide an opportunity to audit the Terminations Checklist (see above).
However employers decide to manage Administrator access, it is important to develop a process for ensuring timely termination of access in order to minimize risk.
