HIPAA privacy violations are a concern during public presentations, as highlighted in a report of a presentation by an executive from a national health insurer at a local Rotary Club meeting. The health insurance executive described a specific case of a 17-year-old boy for whom the carrier is spending $1 million per month to cover the cost of medical care related to his hemophilia, a blood-clotting disorder. While the patient was not named, sufficient detail was disclosed that there is some potential that this patient could be individually identified, which creates the potential for this to have been a HIPAA privacy violation.
Hemophilia is a rare condition, and the community in which the presentation was given is relatively small: just 3 million residents. Describing the patient’s age and gender narrows those numbers further, making identification of this patient a possibility. While the Department of Health and Human Services’ Office of Civil Rights, the branch of government charged with enforcing HIPAA, has not commented upon the specific incident, a spokesperson from the office has reinforced the significance of such breaches by citing a recent $2.4 million settlement with an organization for failing to protect patient privacy while making public statements.
When giving a public presentation, it is important to vet your material to ensure that you are not inadvertently disclosing personally identifiable information that could result in a HIPAA privacy violation. Doing so could subject your organization to very large HIPAA penalties, civil lawsuits, and negative media coverage.
Further information concerning this news story can be obtained from The Des Moines Register (Iowa Teen’s $1 Million-Per-Month Illness Is No Longer a Secret), and additional analysis of the patient privacy and HIPAA concerns is available at Information Security Medical Group (Giving a Speech? Be Careful About Privacy Violations).