HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Did Siobhan Dunnavant Violate HIPAA? Senate Candidate Investigated by OCR

A complaint has been sent to the Department of Health and Human Services’ Office for Civil Rights regarding a Republican State Senate Candidate who sent a mailing to her patients to notify them of her intention to stand for office, and to solicit assistance with her campaign.

Questions have been raised about whether Dr. Siobhan Dunnavant violated the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy Rule by doing so.

Did Siobhan Dunnavant Violate HIPAA?

Dr. Dunnavant used her patient database to obtain the contact information of her patients, and subsequently sent emails and a letter announcing her candidacy, in an apparent effort to secure votes, contributions and volunteers to help her with her campaign.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Emails and letters are to be expected from a state senate candidate; however due to the strict rules covering the use of patient information under HIPAA, Dr. Dunnavant may have violated HIPAA Rules by doing so. Dr. Dunnavant also emailed her patients on three separate occasions in the run up to the primary elections in June.

HIPAA Rules cover a number of different situations concerning the use of the Protected Health Information (PHI) and Personally Identifiable information (PII) of patients, although they do not specifically cover the mailing of patients for political purposes.

The information used, which in the case of the emails included a patient names and email address, and in the case of the letters, patient names and address, does fall under the definition of PHI under HIPAA Rules.

The letter sent to her patients explicitly states that Dr. Dunnavant was not sending the letter for financial reasons, with the exact words being “My friends, I am not sending you this email to ask for money (although we all know it would help).”

The letter was not in any way related to the provision of healthcare services and was clearly a campaign email. It was identified as such in the letter.

Under the circumstances it is reasonable for Dr. Dunnavant to notify her patients that she is to be a candidate for the senate. Were her patients to discover this via the media, they may be concerned as to whether they would have to find a new physician.

In the letter Dr. Dunnavant explains that she will not be leaving the practice and will continue to be involved in the provision of healthcare services. She would be required to take two months every winter, during which time a nurse practitioner and her partners would provide cover. She explained that she will remain in contact via the patient portal, and will continue to review lab test results and patient charts. The letter also states it was “paid for and authorized by Friends of Siobhan Dunnavant.”

Complaint Sent to the OCR: HIPAA Investigation will be Launched


The complaint was made to the OCR via Blogger Thomas White, editor of website varight.com. The person who sent the letter and brought the matter to his attention had alleged that Dr. Dunnavant had violated HIPAA Rules, not by sending the letter, but by disclosing PHI to her campaign.

No medical information was used in the mailing or shared with any individual. However, HIPAA Rules could potentially have been violated if the mailing was not performed by Dr. Dunnavant personally. If the task was handled by members of her campaign team, data classed as PHI would have needed to have been shared.

The OCR has now received the complaint and will be conducting an investigation to determine whether HIPAA Rules have in fact been violated. Should the OCR discover that to be the case, Dr. Dunnavant could potentially be fined for breaching the HIPAA Privacy Rule.

According to Jonathan Carman, a spokesperson for her campaign “Dr. Dunnavant discussed the matter with both her practice and legal counsel and no violation of patient privacy took place.” Did Siobhan Dunnavant Violate HIPAA? That is now a matter for the OCR to decide.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.