Share this article on:
Briggs Stratton Corporation, a manufacturer of lawnmower engines, may not appear to be a HIPAA covered entity since the firm is not in the healthcare industry and does not provide services to healthcare organizations as a business associate. However, the company is required to comply with HIPAA Rules.
When the company experienced a potential breach of employee information, the incident was a reportable security breach, OCR required notification, and notification letters had to be issued to its employees. Just because a company does not operate in the healthcare industry does not mean that HIPAA does not apply.
Briggs Stratton was required to comply with HIPAA Rules due to its self-insured group health plan. Employers and health plan sponsors are required to ensure that HIPAA policies are put in place for their group health plans, that any ePHI created, accessed, stored, or transmitted is safeguarded to the standards required by the HIPAA Security Rule and all HIPAA Rules are followed. That includes entering into business associate agreements with any entity that has access to the ePHI of its employees, is provided with ePHI, or has access to systems containing ePHI.
When there is a breach of that information, the HIPAA Breach Notification Rule applies. In the case of Briggs Stratton, the breach was a hacking/IT incident resulting a potential unauthorized disclosure of ePHI. Malware was discovered on its systems which potentially gave unauthorized individuals access to the system where ePHI was stored. Access to the system was possible between July 25 and July 28, 2017. Briggs Stratton became aware of the incident on July 25, and took steps to contain the attack. Notifications were delayed until September 30, 2017 due to a law enforcement investigation into the malware attack.
The breach impacted 12,789 of its employees and potentially resulted in the exposure of names, addresses, dates of birth, driver’s license numbers, Social Security numbers, health plan IDs, insurance information, passport numbers, work-related evaluations, and login details to its work systems. No evidence of misuse of any health plan data has been uncovered, although employees impacted by the breach have been offered credit monitoring and identity theft protection services for 12 months without charge. Steps have also been taken to improve security to prevent similar incidents from occurring in the future.
The incident serves as a reminder that not all HIPAA covered entities fall under the standard classification of healthcare providers, health plans or business associates, and even firms not involved in healthcare may still be required to comply with HIPAA Rules and can face penalties for non-compliance with HIPAA Rules.
In the case of Briggs Stratton, the firm was well aware of its responsibilities, had implemented a HIPAA compliance program, and acted accordingly when a potential data breach occurred.