Error by BlueCross BlueShield of Tennessee Causes HIPAA Privacy Rule Violation

An error at BlueCross BlueShield of Tennessee (BCBST) has lead to the mailing of marketing information to 80,000 members of the TRH Health Plan, and in doing so has inadvertently violated HIPAA Privacy Rule.

The healthcare provider has previously had to settle with the Office for Civil Rights for $1,500,000 for past HIPAA violations after 57 computer hard drives were stolen from its facilities; an incident which exposed the personal identifiers and ePHI of over 1 million individuals.

The latest HIPAA breach came to light when a number of members of the TRH Health Plan, a not-for-profit service company of Farm Bureau, complained about receiving information from BCBST in the mail. TRH conducted an investigation and has now contacted all 80,000 members to advise them that their contact information may have been used for marketing purposes.

The Tennessean was informed by a spokeswoman of BCBST that TRH members were contacted in error. “We made a mistake and included TRH members in a BlueCross Medicare Advantage mail marketing campaign,” she went on to say “The vendors have destroyed the data, and BlueCross has worked swiftly and cooperatively with TRH to prevent any future mailing errors.”

The breach was first identified by TRH on Nov 16, 2014 and in accordance with breach notification rules, all affected members have been contacted in writing within the 60-day time limit. The majority of affected members should have received the notification by Jan 12.

Ryan Brown, general counsel at TRH in Columbia, confirmed “They have the right to have [the information], but didn’t have the right to use it for marketing.” The use of Protected Health Information for the purposes of marketing is prohibited under HIPAA unless the expressed consent of the patient has first been obtained. An unsolicited marketing mailing violates the Privacy Rule, which restricts how information can be used and shared by a covered entity. In this case, BCBST shared the information with a third-party vendor that prepared the mailings as well as with personnel in the marketing department.

The incident highlights how a simple administration error can result in a breach involving tens of thousands of individuals. This breach is unlikely to lead to any damage or harm for the individuals concerned, although the incident has been reported to the Office for Civil Rights of the Department of Health and Human Services which has the power to impose financial penalties for the violation.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.