Briggs & Stratton Corporation, a manufacturer of lawnmower engines, might not seem to be a HIPAA covered entity: the company is not in the healthcare business and does not provide services to healthcare organizations as a business associate (BA). Nevertheless, the company is required to comply with the HIPAA Rules.
When the company experienced a potential breach of employee information, the incident was a reportable security breach, OCR had to be notified, and notification letters had to be sent to its employees. Simply because a company does not operate in the healthcare sector does not mean that HIPAA does not apply.
Briggs & Stratton is required to comply with the HIPAA Rules because of its self-insured group health plan. Employers that sponsor such plans, like health insurance issuers, must ensure that HIPAA policies and procedures are in place for their group health plans, that any ePHI created, received, maintained, or transmitted is protected to the standards required by the HIPAA Security Rule, and that all other HIPAA Rules are followed. That includes entering into business associate agreements (BAAs) with any entity that is given access to the ePHI of its employees, is supplied with ePHI, or has access to systems containing ePHI.
When that information is breached, the HIPAA Breach Notification Rule applies. In the case of Briggs & Stratton, the breach was a hacking/IT incident that resulted in the potential unauthorized disclosure of ePHI. Malware was discovered on its systems that potentially gave unauthorized individuals access to the system on which ePHI was stored. Access to the system was possible between July 25 and July 28, 2017. Briggs & Stratton became aware of the incident on July 25 and took steps to contain the attack. Notifications were delayed until September 30, 2017 because of a law enforcement investigation into the malware attack.
The breach affected 12,789 of its employees and potentially exposed names, dates of birth, Social Security numbers, driver's license numbers, health plan ID numbers, addresses, passport numbers, insurance information, work-related evaluations, and login credentials for its work systems. No evidence of misuse of any health plan data has been found, although employees affected by the breach have been offered credit monitoring and identity theft protection services for 12 months free of charge. Steps have also been taken to strengthen security to prevent similar incidents in the future.
The incident serves as a reminder that not all HIPAA covered entities fall into the familiar categories of healthcare providers, health plans, and their business associates: companies that play no part in healthcare may still be required to comply with the HIPAA Rules, and can face financial penalties for noncompliance.
In the case of Briggs & Stratton, the company was well aware of its obligations, had implemented a HIPAA compliance program, and responded appropriately when a potential data breach occurred.