[BreachExchange] HIPAA Compliance: Self-Insured Company Reports Breach

Audrey McNeil audrey at riskbasedsecurity.com
Mon Oct 23 20:45:35 EDT 2017


https://www.bankinfosecurity.com/hipaa-compliance-self-insured-company-reports-breach-a-10394

A lawn mower engine manufacturer's notification to federal regulators of a
health data breach impacting thousands of its workers highlights the HIPAA
compliance duties for businesses that are self-insured for healthcare.

Briggs & Stratton Corp., a Milwaukee, Wisconsin-based maker of gasoline
engines for outdoor power equipment, reported to the Department of Health
and Human Services' Office for Civil Rights on Sept. 29 a health data
breach affecting about 13,000 individuals. It's listed as a "hacking/IT"
incident involving the company's health plan, according to the HHS HIPAA
Breach Reporting Tool portal, commonly called the "wall of shame."

"Often, companies that are not in the healthcare sector don't realize that
their self-insured employee health plans are covered entities under HIPAA
and assume that HIPAA doesn't apply to them," says healthcare attorney
Elizabeth Hodge of the law firm Akerman LLP.

"In fact, even some HIPAA covered entities don't think of their
self-insured group health plan when assessing their HIPAA exposure. This
incident serves as a good reminder that just because you are not a hospital
or a health insurance company, you can be subject to HIPAA."

Notification Letter

In a sample notification letter sent on Sept. 29 to the New Hampshire state
attorney general's office, Briggs & Stratton says seven residents of that
state were among those impacted. A malware attack on Briggs & Stratton's
computer systems at its Milwaukee and Munnsville, New York, locations
potentially compromised information from about July 25-28, 2017, the
company says.

"Briggs became aware of this incident on July 25 and took immediate steps
to both contain and thoroughly investigate the attack," the letter states.
"Although Briggs has no evidence of actual misuse of any of the
information, it notified individuals out of an abundance of caution because
the malware, by its nature, could have allowed a third party to access,
use, and/or disclose individuals' account-related, human resources and/or
health plan information."

Briggs & Stratton also notified the FBI, the Department of Homeland
Security and the Wisconsin Department of Justice about the incident, the
letter notes.

The manufacturer is offering one year of free credit and identity
monitoring to affected individuals, including those currently and formerly
covered by the company's health plan, as well as their dependents.

Information that may have been exposed includes names, addresses, Social
Security numbers, date of birth, driver's license numbers, health plan IDs,
medical and health insurance information, passport numbers, work-related
evaluations, and account log-in information used to access Briggs &
Stratton computer systems at the Wisconsin and New York locations, the
letter says.

Some of that personal information potentially exposed was for employees who
did not participate in the company's health plan, the letter adds.

The company did not immediately respond to an Information Security Media
Group inquiry about the incident, including whether the attack involved
ransomware.

Understanding HIPAA Responsibilities

Legal experts say the HIPAA compliance responsibilities for health data are
often misunderstood at organizations outside of the healthcare sector.

"HIPAA is not limited to the healthcare sector," says privacy attorney Adam
Greene of the law firm Davis Wright Tremaine. "Most employers in the
country are impacted by HIPAA through their group health plans. If the
group health plan is fully insured, then HIPAA compliance may fall almost
entirely on the health insurance issuer. But if the group health plan is
self-insured, then the employer is likely to have some responsibility for
ensuring HIPAA compliance."

The most important lesson for employers is to be aware that if they receive
group health plan data for employees, "they may have to put in place a
robust information security program around the data that complies with the
HIPAA Security Rule's requirements," Greene says. "Unfortunately, even if
they only maintain a small amount of protected health information, they may
have to put a robust compliance program in place."

Indeed, Hodge says, the breach incident at Briggs & Stratton "is a reminder
that employers/plan sponsors must ensure that their group health plans
comply with HIPAA by having in place HIPAA policies and procedures for the
health plan and training those employees who work in the company's benefits
or human resources department."

Companies must conduct a HIPAA Security Rule risk analysis with respect to
their health plan and implement a risk management plan to address
vulnerabilities identified in that risk analysis, she points out.

Also, employers need to have HIPAA-compliant breach notification policies
and procedures in place for the self-insured plans that they sponsor.
"Further, employers should know that OCR included health plans of
nonhealth-related companies in its Phase 2 HIPAA desk audits, resulting in
these companies having to demonstrate their compliance with HIPAA," Hodge
adds.

Other Risks

While the Briggs & Stratton incident apparently affected the information
systems of the employer, often the bulk of health plan participant data is
stored in the systems of third-party administrators rather than those of
the employer, Hodge notes.

"Therefore, nonhealth-related companies should make sure they identify all
business associates of the health plan," she says. "It's common for
employers who sponsor self-insured health plans to engage one or more
third-party administrators, pharmacy benefit management companies, plan
consultants and other vendors who may have access to protected health
information in the course of providing services for the plan."

Companies need to appropriately vet all these business associates and have
BA agreements in place, Hodge says.

Employers also should be aware of the type of protected health information
that they may be receiving from their business associates and make sure
that they are appropriately safeguarding that PHI, she adds.

"This has become more of an issue as employers have become more focused on
employee wellness programs, resulting in some employers receiving health
information about their employees to administer the wellness programs,"
Hodge says.