A BlueCross BlueShield HIPAA breach has been announced, this time for a violation of regulations covering the use of patient data for marketing purposes. BlueCross BlueShield of Tennessee (BCBST) has fallen afoul of HIPAA legislation in the past. In 2012, the theft of 57 computer hard drives exposed the data of over a million patients and earned the healthcare provider a financial penalty of $1,500,000 from the Office for Civil Rights.
The Privacy Rule, and more recently the Omnibus Rule of 2013, both prohibit the use of patient data for the purposes of marketing, unless prior authorization has already been received from the patient permitting the organization to communicate with them.
BlueCross BlueShield of Tennessee (BCBST) has recently mailed marketing information to 80,000 members of the TRH Health Plan as a result of an error by a Business Associate. The HIPAA violation came to light when TRH Health Plan members complained to Farm Bureau that they had received unsolicited correspondence from BCBST in the mail.
The mass mailing to patients has been attributed to an administration error at a BCBST vendor. An internal investigation at TRH revealed that TRH Health Plan members had accidentally been selected for a BlueCross Medicare Advantage mail marketing campaign and received the correspondence in error.
A spokesperson for BCBST informed The Tennessean that “The vendors have destroyed the data, and BlueCross has worked swiftly and cooperatively with TRH to prevent any future mailing errors.”
All affected parties have been contacted to advise them of the error, in accordance with HIPAA Breach Notification Rules, and all affected parties should receive a letter by post by Jan 12.
Under the Privacy Rule, all plan members and healthcare patients are afforded rights, one of which is that their personal information cannot be shared with an unauthorized third party without their permission. It is also not permissible to use that information for the purposes of marketing.
The latest BlueCross BlueShield HIPAA breach is unlikely to cause any lasting harm or damage to the victims, but it is a clear violation of HIPAA rules. Since the introduction of the Omnibus Rule, Business Associates are covered by HIPAA, can be held liable for their actions, and can potentially be fined for violations. Ignorance of data privacy and security rules, as well as accidental exposures, are certainly grounds for the OCR to issue a fine.