The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Error by BlueCross BlueShield of Tennessee Causes HIPAA Privacy Rule Violation

Posted By on Jan 13, 2015

An error at BlueCross BlueShield of Tennessee (BCBST) has lead to the mailing of marketing information to 80,000 members of the TRH Health Plan, and in doing so has inadvertently violated HIPAA Privacy Rule.

The healthcare provider has previously had to settle with the Office for Civil Rights for $1,500,000 for past HIPAA violations after 57 computer hard drives were stolen from its facilities; an incident which exposed the personal identifiers and ePHI of over 1 million individuals.

The latest HIPAA breach came to light when a number of members of the TRH Health Plan, a not-for-profit service company of Farm Bureau, complained about receiving information from BCBST in the mail. TRH conducted an investigation and has now contacted all 80,000 members to advise them that their contact information may have been used for marketing purposes.

The Tennessean was informed by a spokeswoman of BCBST that TRH members were contacted in error. “We made a mistake and included TRH members in a BlueCross Medicare Advantage mail marketing campaign,” she went on to say “The vendors have destroyed the data, and BlueCross has worked swiftly and cooperatively with TRH to prevent any future mailing errors.”

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The breach was first identified by TRH on Nov 16, 2014 and in accordance with breach notification rules, all affected members have been contacted in writing within the 60-day time limit. The majority of affected members should have received the notification by Jan 12.

Ryan Brown, general counsel at TRH in Columbia, confirmed “They have the right to have [the information], but didn’t have the right to use it for marketing.” The use of Protected Health Information for the purposes of marketing is prohibited under HIPAA unless the expressed consent of the patient has first been obtained. An unsolicited marketing mailing violates the Privacy Rule, which restricts how information can be used and shared by a covered entity. In this case, BCBST shared the information with a third-party vendor that prepared the mailings as well as with personnel in the marketing department.

The incident highlights how a simple administration error can result in a breach involving tens of thousands of individuals. This breach is unlikely to lead to any damage or harm for the individuals concerned, although the incident has been reported to the Office for Civil Rights of the Department of Health and Human Services which has the power to impose financial penalties for the violation.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist