It’s not just healthcare providers that need to worry about HIPAA compliance. A recent incident demonstrates that self-insured companies are at just as much risk as doctors and medical practices when it comes to HIPAA regulations and violations.
Klaussner Furniture Industries, Inc., a 55-year-old privately owned furniture manufacturer based in Asheboro, North Carolina, experienced a hacking incident in early April. The company discovered that an unauthorized user had gained access to two computers on its network that contained sensitive employee information.
After investigation, it was determined that approximately 9,300 individuals were affected by the PHI data breach. The hacker gained access to names, addresses, Social Security numbers, financial account information, dates of birth, health information, and health benefit election information. This is the kind of risk self-insured companies face when it comes to data breaches. The information collected by self-insured companies is considered protected health information (PHI) under HIPAA regulation. PHI is any demographic information that can be used to identify a patient. Under HIPAA, if an organization operates an insurance plan as a self-insured company, it must comply with HIPAA regulatory requirements to keep employee data private and secure.
When the incident was discovered in February 2019, the company took “immediate action” by starting an internal investigation, hiring a forensics firm, and notifying law enforcement, according to Klaussner.
Self-Insured HIPAA Violation?
It remains to be seen whether this self-insured data breach will result in a HIPAA violation. Under HIPAA regulation, the HIPAA Breach Notification Rule sets standards for how data breaches involving PHI must be handled. All breaches of unsecured PHI must be reported to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR). A Meaningful Breach is any breach that affects more than 500 individuals; because this breach involved the data of 9,300 individuals, it is considered a Meaningful Breach under HIPAA.
When it comes to HIPAA compliance, another important piece of guidance that HHS Office of Inspector General (OIG) has issued is called The Seven Fundamental Elements of an Effective Compliance Program.
The Seven Fundamental Elements represent the minimum necessary requirements that HIPAA covered entities and healthcare providers must have in place in order to address HIPAA privacy and security standards.
The 7 Elements of a Compliance Program include:
- Implementing written policies, procedures, and standards of conduct.
- Designating a compliance officer and compliance committee.
- Conducting effective training and education.
- Developing effective lines of communication.
- Conducting internal monitoring and auditing.
- Enforcing standards through well-publicized disciplinary guidelines.
- Responding promptly to detected offenses and undertaking corrective action.
Each of the Seven Elements requires robust organization-wide compliance, enforcement, and documentation. Many HIPAA standards also require annual reviews, meaning that HIPAA compliance is an ongoing, evergreen process.
The Klaussner self-insured HIPAA compliance incident highlights how self-insured organizations are still lacking the necessary safeguards to protect their employee information. Employers with self-insured health plans store and transmit information that is protected under HIPAA, which requires them to implement an effective compliance program.
HIPAA for Self-Insured Companies
Compliancy Group gives self-insured organizations the power to take control of HIPAA compliance with our cloud-based compliance solution, The Guard.