OCR Rules Townsend Violated the HIPAA Privacy Rule

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently ruled that a former town administrator of Townsend, MA, violated the HIPAA Privacy Rule in June last year when he posted an “information packet” online containing the protected health information of individuals who had used the town’s ambulance service.

The information was intended to be viewed by Selectmen so that a vote could be taken on whether or not to write off the unpaid bills. Rather than sharing the document securely, former town administrator Andrew Sheehan posted the information on the town website. The packet was only accessible for 18 hours before it was removed, but during that time it was downloaded and shared on social media. The privacy breach was also reported to the OCR.

The information packet contained the names of patients who had not yet paid their ambulance bills along with some sensitive medical information including medical conditions and whether patients were alive, dead, or were now living in a hospice.

Prior to the uploading of the files, all identifying personal information should have been redacted from the document to prevent a HIPAA Privacy Rule violation.

The town had previously sought a legal opinion on whether federal laws had been breached, and was informed by the town’s legal counsel – Brian Riley – that HIPAA Rules had not been violated, although Riley did inform the town that sensitive information should not be posted on the website, and certainly not without personally identifiable information first being removed.

Since HIPAA Rules were not deemed to have been violated, affected patients were not notified of the privacy breach at the time. Now that the OCR has ruled that a HIPAA Privacy Rule violation did occur, the town must determine which individuals had their PHI exposed and send breach notification letters to inform them of the privacy breach.

In this instance, OCR chose not to issue a financial penalty, although the town has been instructed to provide training to all individuals who are required to come into contact with data protected under HIPAA. The town must also cover the “significant” legal costs of defending the town’s actions in the OCR case and for obtaining Riley’s legal opinion on the privacy breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.