HIPAA Compliance: Self-Insured Company Reports Breach
Case Spotlights Regulatory Responsibilities of Businesses Outside Healthcare Arena
A lawn mower engine manufacturer's notification to federal regulators of a health data breach impacting thousands of its workers highlights the HIPAA compliance duties for businesses that are self-insured for healthcare.
Briggs & Stratton Corp., a Milwaukee, Wisconsin-based maker of gasoline engines for outdoor power equipment, reported to the Department of Health and Human Services' Office for Civil Rights on Sept. 29 a health data breach affecting about 13,000 individuals. It's listed as a "hacking/IT" incident involving the company's health plan, according to the HHS HIPAA Breach Reporting Tool portal, commonly called the "wall of shame."
"Often, companies that are not in the healthcare sector don't realize that their self-insured employee health plans are covered entities under HIPAA and assume that HIPAA doesn't apply to them," says healthcare attorney Elizabeth Hodge of the law firm Akerman LLP.
"In fact, even some HIPAA covered entities don't think of their self-insured group health plan when assessing their HIPAA exposure. This incident serves as a good reminder that just because you are not a hospital or a health insurance company, you can be subject to HIPAA."
In a sample notification letter sent on Sept. 29 to the New Hampshire state attorney general's office, Briggs & Stratton says seven residents of that state were among those impacted. A malware attack on Briggs & Stratton's computer systems at its Milwaukee and Munnsville, New York, locations potentially compromised information from about July 25-28, 2017, the company says.
"Briggs became aware of this incident on July 25 and took immediate steps to both contain and thoroughly investigate the attack," the letter states. "Although Briggs has no evidence of actual misuse of any of the information, it notified individuals out of an abundance of caution because the malware, by its nature, could have allowed a third party to access, use, and/or disclose individuals' account-related, human resources and/or health plan information."
Briggs & Stratton also notified the FBI, the Department of Homeland Security and the Wisconsin Department of Justice about the incident, the letter notes.
The manufacturer is offering one year of free credit and identity monitoring to affected individuals, including those currently and formerly covered by the company's health plan, as well as their dependents.
Information that may have been exposed includes names, addresses, Social Security numbers, dates of birth, driver's license numbers, health plan IDs, medical and health insurance information, passport numbers, work-related evaluations, and account log-in information used to access Briggs & Stratton computer systems at the Wisconsin and New York locations, the letter says.
Some of the potentially exposed personal information belonged to employees who did not participate in the company's health plan, the letter adds.
The company did not immediately respond to an Information Security Media Group inquiry about the incident, including whether the attack involved ransomware.
Understanding HIPAA Responsibilities
Legal experts say the HIPAA compliance responsibilities for health data are often misunderstood at organizations outside of the healthcare sector.
"HIPAA is not limited to the healthcare sector," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "Most employers in the country are impacted by HIPAA through their group health plans. If the group health plan is fully insured, then HIPAA compliance may fall almost entirely on the health insurance issuer. But if the group health plan is self-insured, then the employer is likely to have some responsibility for ensuring HIPAA compliance."
The most important lesson for employers is to be aware that if they receive group health plan data for employees, "they may have to put in place a robust information security program around the data that complies with the HIPAA Security Rule's requirements," Greene says. "Unfortunately, even if they only maintain a small amount of protected health information, they may have to put a robust compliance program in place."
Indeed, Hodge says, the breach incident at Briggs & Stratton "is a reminder that employers/plan sponsors must ensure that their group health plans comply with HIPAA by having in place HIPAA policies and procedures for the health plan and training those employees who work in the company's benefits or human resources department."
Companies must conduct a HIPAA Security Rule risk analysis with respect to their health plan and implement a risk management plan to address vulnerabilities identified in that risk analysis, she points out.
Also, employers need to have HIPAA-compliant breach notification policies and procedures in place for the self-insured plans that they sponsor. "Further, employers should know that OCR included health plans of nonhealth-related companies in its Phase 2 HIPAA desk audits, resulting in these companies having to demonstrate their compliance with HIPAA," Hodge adds.
While the Briggs & Stratton incident apparently affected the information systems of the employer, often the bulk of health plan participant data is stored in the systems of third-party administrators rather than those of the employer, Hodge notes.
"Therefore, nonhealth-related companies should make sure they identify all business associates of the health plan," she says. "It's common for employers who sponsor self-insured health plans to engage one or more third-party administrators, pharmacy benefit management companies, plan consultants and other vendors who may have access to protected health information in the course of providing services for the plan."
Companies need to appropriately vet all these business associates and have BA agreements in place, Hodge says.
Employers also should be aware of the type of protected health information that they may be receiving from their business associates and make sure that they are appropriately safeguarding that PHI, she adds.
"This has become more of an issue as employers have become more focused on employee wellness programs, resulting in some employers receiving health information about their employees to administer the wellness programs," Hodge says.