With the rise of healthcare data breaches and the increasing importance of protecting patient privacy, it’s more important than ever for organizations to take HIPAA regulations seriously. Unfortunately, not everyone is aware of the potential consequences of violating HIPAA rules.

Recently, an executive speech by Wellmark Blue Cross & Blue Shield drew attention to its potential HIPAA Privacy violation. Today, we’ll explore the details of this case and the lessons organizations can learn from it to avoid similar mistakes.

Late in May, Iowa’s largest health insurer, Wellmark Blue Cross & Blue Shield, cited the case of a 17-year-old boy with hemophilia whose prescriptions cost $1 million per month as an example of rising health care costs, in a talk given to the 100+ attendees of a Des Moines Rotary Club meeting.

Describing a patient to an audience (or anyone, for that matter) in a way that could directly identify the individual is a significant privacy concern and a likely HIPAA (Health Insurance Portability and Accountability Act of 1996) violation. HIPAA generally does not allow information to be shared about patients and insureds if “there is a reasonable basis to believe that the information can be used to identify the individual.”

Together, a patient’s gender, age, and health condition are enough data to pinpoint an individual. Disclosing that combination could constitute a HIPAA Privacy violation, which may result in a penalty and possibly a civil suit to follow. It will be interesting to see how this plays out.

Lessons Learned:

A HIPAA Privacy Training program is critical to ensure that all employees are aware of the privacy rules and know how to handle Protected Health Information (PHI) in situations like this. Although this was a very specific case that may not be addressed in a single training session, an effective HIPAA Privacy Training program should include:

  • Regular, ongoing sessions that cover the Privacy rules and employees’ responsibilities in handling PHI.
  • Different scenarios and case studies that prepare employees for unexpected situations like this one.

Employees at all levels, and especially executives who speak in public forums, should not release any information to the public that could be used to identify a specific individual. This goes beyond considering individual data items in isolation: a combination of otherwise ordinary details (such as age, gender, and diagnosis) can be identifying even when no single item is.

The potential HIPAA Privacy violation in the executive speech by Wellmark Blue Cross & Blue Shield highlights the importance of proper HIPAA training for employees at all levels. Organizations must ensure that all employees are aware of the privacy rules and know how to handle Protected Health Information (PHI) in order to avoid similar mistakes.

By implementing an effective HIPAA Privacy Training program and regularly conducting sessions that cover the privacy rules and realistic scenarios, organizations can reduce the risk of HIPAA violations and protect patient privacy.

Check out our Risk & Compliance services or contact us to get more information about PurpleBox HIPAA Compliance Services or request a FREE HIPAA Evaluation.