Tennessee Rural Health Improvement Association

A business associate (BA), BlueCross BlueShield, created a mailing list of its members for the purpose of selling Medicare Advantage marketing products, an activity that was outside of that permitted by the BA agreement. This breached affected 79,000 individuals and included their demographic information. The covered entity (CE), Tennessee Rural Health Improvement Association, provided breach notification to its members that were enrolled in the Medicare supplement insurance plans and non-Medicare insurance plans, as well as to HHS and the media. Following the breach, the CE revised its policies, implemented new technical safeguards, and improved physical security. In addition, it retrained its workforce on the appropriate usage of protected health information (PHI), and minimum necessary determinations for the use and disclosure of PHI. OCR reviewed the BA agreement in place between the CE and BA and determined that it met the requirements of the HIPAA Breach Notification Rule. OCR obtained assurances that the CE implemented the corrective actions listed above.
Location of breached information: Other
Business associate present: No