Just because a firm does not provide healthcare services and does not operate in the field of healthcare does not mean that it is not a HIPAA-covered entity. Briggs & Stratton Corporation is a manufacturer of lawnmower engines, and yet it had to comply with HIPAA Rules when it had a potential breach of employee information. OCR required the company to send notification letters to its affected employees.
The reason Briggs & Stratton was required to follow HIPAA Rules is that it has a self-insured group health plan. As an employer and health plan sponsor, Briggs & Stratton must follow HIPAA policies in the creation, access, storage and transmission of ePHI. It is the company’s responsibility to make sure that the HIPAA Security Rule is strictly adhered to when entering into business associate agreements with any entity that gets access to its data systems or to employees’ ePHI.
The breach at Briggs & Stratton was a hacking incident that exposed ePHI to unauthorized access because of malware downloaded onto the system where the ePHI was stored. The system was open to unauthorized access from July 25 to July 28, 2017. When Briggs & Stratton learned of the incident, it responded with steps to contain the attack. However, the dispatch of notification letters to employees was delayed because law enforcement was still investigating the malware attack.
The PHI of about 12,789 employees was exposed, including names, birth dates, addresses, driver’s license numbers, health plan IDs, Social Security numbers, passport numbers, insurance information, work-related evaluations and login credentials for the company’s systems. As of this report, there have been no reports of misuse of the exposed health plan data. Nevertheless, Briggs & Stratton offered free credit monitoring and identity theft protection services for one year to the employees whose PHI was exposed. Additionally, tighter security has been implemented to prevent another malware attack.
This news update shows that there are HIPAA-covered entities, such as Briggs & Stratton, that do not fall under the same category as healthcare providers. Just the same, they must comply with HIPAA Rules when a data breach occurs, or they will be penalized for non-compliance.