Briggs and Stratton is not a healthcare provider – they make gasoline engines for lawn and outdoor power equipment. Yet, on September 29, 2017, the company notified OCR of a breach of unsecured protected health information (PHI). According to the OCR Breach Portal, the breach affected 12,789 individuals as a result of a hacking/IT incident affecting desktop computers, laptops, and network server(s).
Briggs and Stratton is not a health care provider or a business associate under HIPAA. But, it offers an employer-sponsored health plan – which makes it a HIPAA covered entity. This is a reminder that any employer that provides health insurance may need to be HIPAA compliant if PHI is shared with the employer. This includes employers who are self-insured or provide health insurance through a group health plan. Simply put, an employer that handles PHI could be a covered entity that needs to be in 100% compliance with HIPAA’s privacy, security and breach notification requirements.
When does an employer become a covered entity?
All health plans are covered entities. On the surface, a company or employer is a separate legal entity and is not itself named as a covered entity under HIPAA. But an employer that offers a health plan and creates, receives, transmits or stores PHI is required to secure that PHI. Here are some examples of health plan information that may contain PHI and may be handled by the employer:
- Enrollment forms
- Premium payment information
- Coordination of benefits
- Claims reports or any claims information
- Assistance with employees in seeking health care
- Assistance with employees in submitting claims, clarifying claims or disputing claims
If an employer is fully insured, it may receive little or no PHI from the health plan if what is shared is limited to, for example, enrollment and disenrollment information. But even enrollment information limited to names, Social Security numbers or health plan ID numbers may be PHI. A self-insured employer is more likely to handle PHI.
How much PHI should we worry about?
If any employee “touches” PHI, such as a human resources or a designated health plan administrator, the employer must comply with the privacy, security and breach notification rules. In addition, any software or hardware controlled or owned by the employer that creates, receives, transmits or stores PHI must be secured. This includes but is not limited to servers, desktop computers, laptops, USB drives, portable hard drives, websites, cloud storage, email, texts, paper records and verbal communications.
Exposure to PHI should be determined by completing a HIPAA security and privacy rule risk analysis. A thorough analysis will identify all areas of risk. A risk management plan will be needed to address and mitigate all identified risks.
What about business associates?
Another area of potential risk is business associates. An employer that determines itself to be a covered entity must identify all companies or vendors that work with the employer on health-related matters to determine their use of PHI. If a vendor uses, discloses, accesses, maintains, transmits or stores PHI, a business associate agreement is required. This includes a health plan, dental plan, vision plan, third-party administrators, wellness programs, pharmacy benefit management companies, insurance brokers or plan consultants and any other companies or consultants that have access to an employer’s PHI.
Employer Health Plan Information Checklist:
- Identify all health plans. These include but are not limited to health, dental, vision, employee assistance programs, and health spending accounts.
- Identify what information is shared with the employer.
  - Is it summary health plan information or data that carries no identifying data?
- Determine whether other parties are involved in administering any benefit plans. These include but are not limited to insurance brokers, plan administrators, third party administrators, re-insurance companies, stop-loss companies, and claims review or auditing services.
- Determine whether the employer handles any health-related information. See the list of HIPAA identifiers below.
Employer responsibility is a little-known twist to HIPAA and all employers who handle PHI are potentially at risk. If you have questions about whether HIPAA applies to you or what your obligations are as a health plan, consult your legal counsel.
There are 18 HIPAA identifiers that are considered personally identifiable information. If any of the 18 identifiers are used in conjunction with any information on physical or mental health or condition, health care related activities or health care payments, the employer needs to secure the information. The 18 identifiers include:
- Address (all geographic subdivisions smaller than state, including street address, city, county, and zip code)
- All elements (except years) of dates related to an individual (including birthdate, admission date, discharge date, date of death, and exact age if over 89)
- Telephone numbers
- Fax number
- Email address
- Social Security Number
- Medical record number
- Health plan beneficiary number
- Account number
- Certificate or license number
- Any vehicle or other device serial number
- Web URL
- Internet Protocol (IP) Address
- Finger or voice print
- Photographic image (not limited to images of the face)
- Any other characteristic that could uniquely identify the individual
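As an added example (not part of the original article), the Python below applies the rule stated above to individual records: an identifier found alongside health, health-care or health-payment content is flagged as PHI, while enrollment-style data received from the plan is flagged as possible PHI per the caveat in the fully-insured discussion. The regexes, the field-name keyword lists, the `from_health_plan` flag and the sample records are all constructed for this example and are not from HHS or the article.

```python
import re
from typing import Dict, Set

# Patterns for the Safe Harbor identifiers that can be recognised by shape.
# The rest (names, addresses, plan/member IDs) are caught by field-name keywords.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone_or_fax": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
    "full_date": re.compile(r"\b\d{4}-\d{2}-\d{2}\b"),  # any date element finer than year
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),     # coarse: any bare 5-digit number
}
IDENTIFIER_FIELDS = ("name", "address", "street", "city", "ssn", "phone", "fax", "email",
                     "mrn", "beneficiary", "member_id", "plan_id", "account", "license", "vin")
# Field names that indicate health, health-care or health-payment content (constructed list).
HEALTH_FIELDS = ("diagnosis", "procedure", "claim", "prescription", "condition",
                 "premium", "coverage", "provider")

def find_identifiers(record: Dict[str, str]) -> Set[str]:
    """Return the identifier categories present in a record (by field name or by value shape)."""
    found = set()
    for field, value in record.items():
        if any(k in field.lower() for k in IDENTIFIER_FIELDS):
            found.add(f"field:{field.lower()}")
        found.update(n for n, rx in PATTERNS.items() if rx.search(str(value)))
    return found

def has_health_info(record: Dict[str, str]) -> bool:
    return any(k in field.lower() for field in record for k in HEALTH_FIELDS)

def classify(record: Dict[str, str], from_health_plan: bool = False) -> str:
    """Identifier combined with health information => PHI; plan enrollment data => possible PHI."""
    ids = find_identifiers(record)
    if ids and has_health_info(record):
        return "PHI"                          # must be secured under the privacy/security/breach rules
    if ids and from_health_plan:
        return "POSSIBLE PHI"                 # e.g. name, SSN or plan ID received from the plan
    if has_health_info(record):
        return "HEALTH DATA, NO IDENTIFIERS"  # e.g. summary or aggregate plan reports
    return "NO PHI"

# Constructed sample records for this example.
CLAIM = {"name": "J. Doe", "ssn": "123-45-6789", "diagnosis_code": "E11.9", "claim_date": "2017-09-29"}
ENROLLMENT = {"name": "J. Doe", "plan_id": "HP-4201A"}
SUMMARY = {"claims_count": "412", "diagnosis_code": "E11.9"}
PAYROLL = {"employee_email": "jdoe@example.com", "dept": "Engineering"}
```

Field-name matching is deliberately broad; in a real risk analysis the keyword lists would be tuned to the employer's actual HR and benefits systems.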