Townsend Violated the HIPAA Privacy Rule: OCR Ruling

Jun 3, 2016

In a recent ruling, the Department of Health and Human Services’ Office for Civil Rights (OCR) found that a former town administrator of Townsend, MA, violated the HIPAA Privacy Rule in June last year. The violation occurred when he posted an “information packet” online containing the protected health data of individuals who had used the town’s ambulance service.

The information was meant to be viewed by Selectmen so that a vote could be taken about whether or not to write off the unsettled bills. Rather than sharing the document safely, former town administrator Andrew Sheehan posted the information on the town website. The packet was only publicly accessible for 18 hours before it was taken down, but during that time it had been downloaded and shared publicly on social media. The privacy breach was also made known to the OCR.

The information packet included the names of patients who had not yet settled their ambulance bills along with some sensitive medical information including medical conditions and whether patients were alive, dead, or were now residents in a hospice.

Before the files were uploaded, all identifying personal data should have been redacted from the document to prevent a HIPAA Privacy Rule violation.

The town had, on a previous occasion, sought a legal opinion on whether federal laws had been violated and was informed by the town’s legal counsel, Brian Riley, that HIPAA Rules had not been breached. Riley did, however, advise the town that sensitive information should not be posted publicly on the website, and certainly not without personally identifiable information first being removed.

Since HIPAA Rules were not found to have been violated, affected patients were not notified of the privacy breach at the time. Now that the OCR has determined that a HIPAA Privacy Rule violation did occur, the town must determine which individuals had their PHI exposed and send breach notification letters to advise them of the privacy breach.

In this instance, OCR opted not to issue a financial penalty, although the town has been advised to provide training to all people who are required to come into contact with data protected under HIPAA. The town must also pay the “significant” legal costs of defending the town’s actions in the OCR case and for availing of Riley’s legal opinion on the privacy breach.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
