BCBSNC defends practice of sharing patient data


Blue Cross Blue Shield of North Carolina has drawn attention this week after an article in the Charlotte News & Observer questioned its periodic sharing of members' private health information with a third-party software company.

Of particular concern to the article's reporter is that BCBSNC doesn't "mask" the information, including name, date of birth, Social Security number, address, medical history and banking information, before sending it to software designer DST Healthcare to test software with the information.

"Security is a very high priority at Blue Cross," Chief Information Officer Jo Abernathy told the News & Observer. Although BCBSNC doesn't mask the data, it implements a myriad of other tools to protect the information, including strict contractual agreements, limited access to the data and robust software and hardware controls, Abernathy said. And insurers commonly use outside vendors to test and create their computer systems with private, unmasked information, she added. 

"We certainly want our customers to understand that we do everything we can and follow the letter of the law," BCBSNC spokesperson Lew Borman told FierceHealthPayer. "But there's no alarm; there's no breach."

On the same day as the News & Observer article was published, BCBSNC CEO Brad Wilson issued a statement, saying the insurer's privacy protections go beyond federal and state law requirements. "Our use of protected health data complies with laws, regulations and our own high standards," he said. "We exceed industry standards by using multiple layers of data security to protect our customers' personal information from accidental, unauthorized or illegal access or transfer."

What's more, "multiple audits by independent third party sources consistently find that we meet or exceed industry standards and follow best practices when it comes to customer data security," Borman told FierceHealthPayer. Additional steps the insurer takes include auditing and conducting site visits of its vendors, he added.

"And the companies that we work with, which are few in number ... have to comply with the same strict laws and are also subject to penalties if there's an issue," he said.

Borman added that BCBSNC is investigating whether to mask data and exploring the technology in a pilot project--even though it's not required by federal guidelines. "We're always exploring options and improvements" to data security and privacy, he said.

To learn more:
- here's the BCBSNC statement
- read the Charlotte News & Observer article

Related Articles:
WellPoint pays $1.7M for HIPAA breach
Privacy experts: Health data security efforts too reactive
Stolen health data increasingly sought after for commercial ventures
Adopting best practices key to data security, HHS officials say