HIPAA Marketing Violation Affects 80,000BlueCross BlueShield of Tennessee Used PHI Without Consent
The unauthorized use and disclosure of patient information for marketing purposes by an insurer in Tennessee offers a reminder of the importance of complying with HIPAA's marketing-related provisions.
TRH Health Plan of Columbia, Tenn. discovered the HIPAA violation in November, when it began receiving inquiries from some of its members about a mailing promoting a Medicare Advantage program they had received from BlueCross BlueShield of Tennessee, an administrative partner of TRH, according to a TRH spokeswoman.
TRH immediately launched an investigation into the matter, the company says in a statement. As a result of the mailing, TRH is notifying 80,000 of its members that a "limited amount" of their protected health information, specifically names, addresses, and subscriber IDs, was inappropriately used and disclosed by BCBS Tennessee for marketing purposes, the TRH spokeswoman says.
The PHI was inappropriately shared with a third-party vendor that BCBS Tennessee hired to print the documents and assist in the mailings, TRH says.
"We made a mistake and included TRH members in a BlueCross Medicare Advantage mail marketing campaign," a BCBS Tennessee spokeswoman tells Information Security Media Group. The PHI has been subsequently destroyed by the printing vendor, she says. In addition, "we've ensured that our marketing teams will receive additional training in the use of HIPAA protected data as it relates to marketing purposes."
In a statement, TRH says that it believes "the potential harm to its members has been mitigated" based on the limited amount of PHI involved and the steps taken by BCBS Tennessee and its vendor in response to the incident.
Before the HIPAA Omnibus Rule went into effect in 2013, HIPAA regulations generally required a covered entity to obtain authorization from an individual for any use or disclosure of PHI for marketing purposes, says privacy expert Rebecca Herold partner at HIPAA Compliance Tools and CEO of the consulting firm, The Privacy Professor. The Omnibus Rule added even more restrictions on the use or disclosure of PHI for marketing, she notes. It also expanded all the HIPAA requirements to apply to business associates.
"Even prior to this, though, a BA agreement should have stipulated that a BA could not use PHI for any other purposes than those for which they were contracted," she says. "All CEs and BAs need to document policies, and supporting procedures and processes, detailing how patients, as well as insureds in the case of health insurance companies, will be given the choice to consent [for authorizing use of their PHI], and then how to opt-out of any other already agreed-to marketing and fundraising activities when they choose to."
Privacy expert Kate Borten, president of consulting firm The Marblehead Group, suspects there have been other marketing breaches that haven't come to light "because individuals don't know the regulations."
Nonetheless, she adds, "I believe there's a difference between a technical error and an organization's failure to consider the marketing requirements. In the case of BCBSTN, the cause may have [theoretically] been a software coding error due to incomplete specifications. It's unfortunate, but not a high crime."
Covered entities and business associates are too often ignoring the HIPAA marketing restrictions or choosing to interpret them in favor of their business processes, she adds. "Although [HIPAA Omnibus] helped clarify marketing, the privacy rule leaves room for interpretation. Writing regulations is not as easy as some would think."
In 2010, the Department of Health and Human Services imposed a $35,000 penalty in its enforcement action against a covered entity, Management Services Organization Washington, or MSO, for violations of HIPAA marketing regulations.
An OCR resolution agreement with MSO indicates that the company provided PHI of "numerous individuals" to a sister company, Washington Practice Management, in 2009, for the marketing of Medicare Advantage plans.
In addition to alleged violations of the HIPAA marketing provisions, an OCR investigation of MSO also uncovered other HIPAA privacy and security rule non-compliance, including a lack of "appropriate and reasonable administrative, technical and physical safeguards to protect the privacy of PHI."
Under the resolution agreement with OCR, MSO agreed to a corrective action plan that included developing, maintaining, and revising, written policies and procedures with the HIPAA privacy and security rule, as well as implementing workforce training.
Borten recommends that covered entities carefully monitor all uses and disclosures of PHI to ensure HIPAA Privacy Rule compliance. "BAs should do the same, but their BA contracts further limit what uses and disclosures are permitted," she adds.
"Whenever a new or modified process involving PHI use or disclosure is planned, privacy rule requirements must be explicitly reviewed. This should be a required component of each organization's project management process, along with considering security implications."
As for future OCR enforcement actions against organizations that violate the HIPAA marketing provisions, Herold says she think those actions are necessary. "Otherwise the misuse of PHI for unwanted marketing activities will continue to increase," she says.
Under HIPAA Omnibus, covered entities, as well as business associates, can be fined up to $1.5 million per HIPAA violation.
Previous BCBS HIPAA Violation
In another HIPAA-related incident, Blue Cross Blue Shield Tennessee was the first covered entity to get slapped with a monetary penalty from OCR under the HIPAA breach notification rule, which went into effect in 2009.
In March 2012, the insurer agreed to pay a $1.5 million settlement and carry out a corrective action plan in the wake of a 2009 breach affecting more than 1 million individuals that involved the theft of 57 unencrypted computer hard drives.