Townsend Violated the HIPAA Privacy Rule: OCR Ruling

by | Jun 3, 2016

In a recent ruling, the Department of Health and Human Services’ Office for Civil Rights (OCR) found that a former town administrator of Townsend, MA, violated the HIPAA Privacy Rule in June last year. The violation occurred when he posted an “information packet” online containing the protected health information of individuals who had used the town’s ambulance service.

The information was meant to be viewed by the Selectmen so that a vote could be taken on whether or not to write off the unsettled bills. Rather than sharing the document securely, former town administrator Andrew Sheehan posted the information on the town website. The packet was publicly accessible for only 18 hours before it was taken down, but during that time it had been downloaded and shared publicly on social media. The privacy breach was also reported to the OCR.

The information packet included the names of patients who had not yet settled their ambulance bills, along with sensitive medical information including medical conditions and whether patients were alive, deceased, or now resident in a hospice.

Before the files were uploaded, all identifying personal data should have been redacted from the document to prevent a HIPAA Privacy Rule violation.

The town had, on a previous occasion, sought a legal opinion on whether federal laws had been violated, and was informed by the town’s legal counsel, Brian Riley, that HIPAA Rules had not been breached. Riley did, however, advise the town that sensitive information should not be posted publicly on the website, and certainly not without personally identifiable information first being removed.

Since HIPAA Rules were not found to have been violated at the time, affected patients were not notified of the privacy breach. Now that the OCR has determined that a HIPAA Privacy Rule violation did occur, the town must identify which individuals had their PHI exposed and send breach notification letters advising them of the privacy breach.

In this instance, OCR opted not to issue a financial penalty, although the town has been advised to provide training to all staff whose duties require them to come into contact with data protected under HIPAA. The town must also bear the “significant” legal costs of defending its actions in the OCR case and of obtaining Riley’s legal opinion on the privacy breach.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world-class team of subject matter experts at ComplianceJunction in regulatory compliance to help organizations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow him on Twitter.
