Published: 2009-12-02 14:29:30
Author: Atlantic Information Services | November 23, 2009
Health plans could face stiff penalties under HIPAA if they use enrollment information to contact members without their permission and urge them to join grassroots advocacy campaigns or take a stance on a political issue.
Case in point:In September, Humana Inc. pulled 900,000 names and addresses from its Medicare Advantage database and sent those beneficiaries letters recommending that they fight against proposed “significant cuts” to the MA program. CMS ordered Humana to cease all such mailings, which it says violated the health insurer’s Medicare contract. CMS also says the letters might have violated HIPAA, and asked the HHS Office for Civil Rights (OCR) to investigate.
In an Oct. 16 “notice of non-compliance,” CMS told Humana that it should have obtained prior authorizations from its members or from the government before mailing the letters. Simultaneous with the non-compliance letter, CMS issued “guidance” clarifying permitted and prohibited mailings to enrollees of all Medicare plans. Under that guidance, before health plans can engage their MA, Medicare Part D and cost-plan members, they must first contact them and obtain authorization to communicate further on an issue, CMS says. Specifically, communications that require member authorization include “volunteer or community activities, pending state or federal legislation and joining grassroots advocacy organizations and information about such advocacy,” the agency says.
“It is a privacy-rule violation to use patient demographic information in this way without consent,” says Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology.
Humana spokesperson Thomas Noland tells HPWhe has no information to indicate whether OCR is investigating the plan for possible HIPAA violations. He declined further comment except to say that Humana was “pleased” CMS had resolved its issues with the plan.
So far, Humana is the only health plan known to have been admonished for using member information in this way. Blue Cross Blue Shield of North Carolina sent letters asking members to contact a U.S. senator to oppose a public option in national health reform, but a plan spokesperson says it used voter records, not patient records, to select those who received the mailings.