But What About the Potential HIPAA Violation?

Last month, we blogged about how Humana (and maybe some other health plans) sent warnings through letters to its Medicare beneficiaries that they could lose their health care benefits and services due to health care reform legislation pending in Congress. In response, the Centers for Medicare and Medicaid Services (CMS) issued an order to all health plans serving Medicare beneficiaries to stop sending letters. Some reacted to this order by accusing CMS of attempting to censor “free speech.”

Free speech, however, is not the only issue implicated by Humana’s activity. Humana arguably violated the HIPAA Privacy Rule (the federal health privacy Rule that limits how health plans (and other covered entities) can use and disclose personal health data (including mere demographic information)) when it used beneficiaries’ names and addresses to send the letters. Yet everyone continues to ignore the privacy issue!

Health care entities do not have unfettered use of individuals’ health data. Should health plans like Humana be able to use this data for whatever reason they find important? The answer is no — and the HIPAA Privacy Rule makes this clear. The Privacy Rule requires Humana and other health plans in general to be good stewards of personal data — the same data that individuals entrust to them to manage their health care. After they share their data, individuals expect the data will be protected, kept confidential, and only used for legitimate purposes — not misused as Humana (and potentially others) have in this case.

Now Humana may try to legitimize its action by arguing that sending letters to beneficiaries is permitted under the Privacy Rule as a “health care operation” — a laundry list of business and administrative activities under the Rule for which personal data can be used without needing to get the consent of the individual. However, such an interpretation would only underscore the need to narrow this overly broad category — a recommendation CDT has made in the past.

Regrettably, the Office of Civil Rights (OCR) within the U.S. Dept. of Health and Human Services (HHS), which has the authority to enforce the HIPAA Privacy Rule, has yet to speak up on this issue. As far as we can tell, no further inquiry will be done on this issue. CDT continues to urge OCR (and HHS) to prioritize enforcement of HIPAA rules and make clear that ensuring protections for personal health data is a high priority.