Townsend Violated the HIPAA Privacy Rule: OCR Ruling

In a recent ruling the Department of Health and Human Services’ Office for Civil Rights (OCR) found that a former town administrator of Townsend, MA, violated the HIPAA Privacy Rule in June last year. The violation occurred when he posted an “information packet” online containing the protected health information (PHI) of individuals who had used the town’s ambulance service.

The information was intended for the Selectmen so that a vote could be taken on whether or not to write off the unsettled bills. Rather than sharing the document through a restricted channel, former town administrator Andrew Sheehan posted it on the public town website. The packet was publicly accessible for only 18 hours before it was taken down, but during that time it had been downloaded and shared on social media. The privacy breach was also reported to OCR.

The information packet included the names of patients who had not yet settled their ambulance bills, along with sensitive medical information including medical conditions and whether patients were alive, deceased, or now living in a hospice.

Before the files were uploaded, patient names and all other identifying information should have been redacted from the document; without those identifiers the packet would not have contained PHI, and no HIPAA Privacy Rule violation would have occurred.

At the time of the incident, the town sought a legal opinion on whether federal laws had been violated and was informed by the town’s legal counsel, Brian Riley, that HIPAA Rules had not been breached. Riley did, however, advise the town that sensitive information should not be posted publicly on the website, and certainly not without personally identifiable information first being removed.

Because counsel had concluded that HIPAA Rules were not violated, affected patients were not notified of the privacy breach at the time. Now that OCR has determined that a HIPAA Privacy Rule violation did occur, the town must identify which individuals had their PHI exposed and send them breach notification letters advising them of the exposure.

In this instance, OCR opted not to issue a financial penalty, although the town has been instructed to provide training to all staff who handle data protected under HIPAA. The town must also bear the “significant” legal costs of defending its actions in the OCR case and of obtaining Riley’s legal opinion on the privacy breach.