Governance & Risk Management , Privacy
Giving a Speech? Be Careful About Privacy ViolationsInsurance Executive's Presentation Raises Serious Concerns
A recent speech by a health insurance company executive is stirring up debate about whether a patient's privacy can be violated even if the patient's name is never revealed.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
An executive from health insurer WellMark Blue Cross and Blue Shield of Iowa, in a speech at a local Rotary Club meeting, tried to illustrate the complexity of health insurance by describing a specific case, according to the Des Moines Register. She said the insurer is spending about $1 million per month to cover medical care for a 17-year-old boy with hemophilia, a blood-clotting disorder.
"Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients' rights are fully protected."
Although Jackson reportedly did not name the hemophilic patient or his hometown, the website Law360 reported that some privacy experts have complained that the details shared by the WellMark executive sure seem to at least come close to a potential HIPAA privacy violation. Here's why.
The advocacy organization Hemophilia Federation of America describes hemophilia as "very rare - only about 20,000 Americans have the disorder."
And consider this: Iowa only has about 3 million residents, and the insurance executive described the patient as a 17-year-old boy, making it feasible for members of the community or the teenagers' friends and extended family to figure out that he's the patient supposedly costing WellMark $12 million a year.
"If there are only a handful of male teens in the state that suffer from hemophilia ... [regulators] could argue that there is a reasonable basis that this information could be used to identify the patient," according to one attorney interviewed by Law360.
HIPAA Enforcer Comments
I asked the Department of Health and Human Services' Office for Civil Rights, which enforces HIPAA, to comment on whether the WellMark executive's presentation constitutes a reportable HIPAA privacy breach or even a near-miss. But an OCR spokeswoman would not specifically address the WellMark incident.
The spokeswoman points out, however, that the agency recently took enforcement action against a healthcare provider in a case involving disclosure of just one patient's information to the news media without the individual's consent. So that shows that the nation's HIPAA enforcer pays attention to even the smallest incidents.
"As reinforced with OCR's recent $2.4 million settlement with Memorial Hermann Health System, organizations must continue to protect patient privacy when making statements to the public and elsewhere," the OCR spokeswoman says. "Senior leadership helps define the culture of an organization and is responsible for knowing and complying with the HIPAA privacy and security requirements to ensure patients' rights are fully protected."
The HIPAA Privacy Rule, she notes, "protects all 'individually identifiable health information' held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral."
Privacy attorney David Holtzman, vice president of compliance at security consulting firm Cynergistek, says balancing the public's right to know with the privacy of the patient is always challenging, especially when a public speaker represents a HIPAA covered entity.
"OCR has taken a very strong stance that covered entities must take steps to prevent the disclosure of PHI to the public without the authorization of the individual. Even the perception of disclosing identifiable health information, especially when it finds its way into the media, could draw scrutiny," he says.
Holtzman says covered entities and business associates can take specific steps to avoid privacy blunders. "Organizations that create or maintain PHI subject to the protections of the HIPAA Privacy Rule should have strong, clear policies that describe scenarios in which PHI can be disclosed and where it can't," he says. "Don't limit training on how organizational policies protect PHI just to front-line staff. Require key executives and board leaders to understand how and where the HIPAA rules apply. Demonstrate a top-down approach to adopting a culture of compliance in your organization."
WellMark did not immediately respond to my request for comment on its executive's recent presentation.
So what do you think? Did the WellMark executive divulge too many details about the case? Share your comments in the space below.