Late in May, Iowa’s largest health insurer, Wellmark Blue Cross & Blue Shield, cited a case of a 17-year-old boy with hemophilia who had $1 million of monthly prescription costs as an example of increasing health care costs to the 100+ attendees of a Des Moines Rotary Club meeting.
Describing a patient to an audience (or anyone, for that matter) in a way that could directly identify the individual is a significant privacy concern and a likely HIPAA (Health Insurance Portability and Accountability Act of 1996) violation. HIPAA generally does not allow information to be shared about patients and insureds if “there is a reasonable basis to believe that the information can be used to identify the individual.”
The gender, age, and health problem of a patient is a sufficient amount of data to pinpoint an individual which could cause a potential HIPAA Privacy violation that may result in a penalty and possibly a civil suit to follow. It will be interesting to see how this plays out.
A HIPAA Privacy Training program is critical to ensure all employees are aware of the privacy rules and how to handle Protected Health Information (PHI) in situations like this. Although this was a very specific case that may not be addressed in a single training session, an effective HIPAA Privacy Training program should include regular ongoing sessions that cover Privacy rules, employees' responsibilities in handling PHI, different scenarios, and case studies to prepare employees for unexpected situations like this.
Employees at all levels, especially executives that speak in public forums should not release any type of information to the public that could be used to specifically identify an individual; this goes beyond consideration of just specific types of individual data items.
More information about this topic can be found in these articles:
- Giving a Speech? Be Careful About Privacy Violations by Gov Info Security
- The Story of the $1-million-per-month Iowa teen with Hemophilia outed by a Health Insurance Executive: Reflections from a Hemophilia Parent by Erik Westlund
- Iowa teen’s $1 million-per-month illness is no longer a secret by Des Moines Register
Contact us to get more information about PurpleBox HIPAA Compliance Services or request a FREE HIPAA Evaluation.