Executive Speech Likely Violated HIPAA Privacy Rules

June 07, 2017


HIPAA (Health Insurance Portability and Accountability Act) illustration by Purplebox



Late in May, Iowa’s largest health insurer, Wellmark Blue Cross & Blue Shield, cited a case of a 17-year-old boy with hemophilia who had $1 million of monthly prescription costs as an example of increasing health care costs to the 100+ attendees of a Des Moines Rotary Club meeting.

Describing a patient to an audience (or anyone, for that matter) in a way that could directly identify the individual is a significant privacy concern and a likely HIPAA (Health Insurance Portability and Accountability Act of 1996) violation. HIPAA generally does not allow information to be shared about patients and insureds if “there is a reasonable basis to believe that the information can be used to identify the individual.”

A patient's gender, age, and health problem are enough data to pinpoint an individual, which could cause a potential HIPAA Privacy violation that may result in a penalty and possibly a civil suit to follow. It will be interesting to see how this plays out.

Image shows key elements of security and privacy management

Lessons Learned:

A HIPAA Privacy Training program is critical to ensure all employees are aware of the privacy rules and how to handle Protected Health Information (PHI) in situations like this. Although this was a very specific case that may not be addressed in a single training session, an effective HIPAA Privacy Training program should include regular ongoing sessions that cover Privacy rules, employees' responsibilities in handling PHI, different scenarios, and case studies to prepare employees for unexpected situations like this.

Employees at all levels, especially executives who speak in public forums, should not release any type of information to the public that could be used to specifically identify an individual; this goes beyond consideration of just specific types of individual data items.

Check out our Risk & Compliance services or contact us to get more information about PurpleBox HIPAA Compliance Services or request a FREE HIPAA Evaluation.