The U.S. Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), recently announced a settlement with five healthcare providers collectively known as Cadia Healthcare Facilities. This settlement resolves potential violations of the HIPAA Privacy and Breach Notification Rules. Cadia Healthcare provides rehabilitation, skilled nursing, and long-term care services in Delaware.
What Happened
OCR opened an investigation after a complaint in September 2021 alleged that Cadia Healthcare had publicly shared a patient’s name, photograph, and detailed treatment information as part of a “success story” on its website. OCR confirmed that the protected health information (PHI) of 150 patients had been posted online without valid, written HIPAA authorizations.
This violated the HIPAA Privacy Rule, which sets national standards to safeguard individuals’ PHI. Sharing patient stories online without consent exceeded what is permitted, and Cadia Healthcare also failed to implement appropriate administrative, technical, and physical safeguards. Additionally, the facility did not notify affected individuals as required under the HIPAA Breach Notification Rule.
The Consequences
Under the resolution agreement, Cadia Healthcare Facilities agreed to:
- Pay $182,000 to OCR.
- Implement a two-year corrective action plan monitored by OCR.
- Review and update written HIPAA policies and procedures.
- Train all workforce members, including marketing personnel, on HIPAA compliance.
- Notify all individuals whose PHI was disclosed without authorization.
OCR Director Paula M. Stannard emphasized that social media and websites can be valuable for business promotion, but HIPAA-covered entities must obtain patient authorization before disclosing PHI. Without proper authorization, even a seemingly simple marketing post can become a serious violation.
Lessons Learned
The Cadia Healthcare case highlights several critical lessons for healthcare providers and business associates:
- Always Obtain Written Authorization – Patients must provide valid, written consent before their PHI can be used in testimonials or online stories.
- Limit PHI Disclosures – Only share the minimum necessary information. Avoid including full names, photos, or detailed medical data unless specifically authorized.
- Implement Strong Safeguards – Protect PHI with proper administrative, technical, and physical measures, including secure storage and controlled website access.
- Train Your Workforce – Ensure all staff, especially marketing and communications personnel, understand HIPAA rules and organizational policies.
- Respond Promptly to Breaches – Follow breach notification procedures immediately if PHI is shared without authorization.
HIPAA compliance protects both patients and healthcare providers. Cadia Healthcare’s experience is a reminder that sharing patient stories online may seem harmless, but without proper authorization, it can lead to regulatory penalties, financial consequences, and reputational damage. Reviewing online marketing practices, training staff, and following HIPAA rules help maintain patient trust while keeping the organization compliant.
HIPAA Compliance Quick Checklist: Sharing Patient Stories Online
☐ Obtain Written Authorization
- Never post patient names, photos, or medical details without a signed HIPAA authorization.
- Authorization must clearly state what information can be shared, where, and for how long.
☐ Follow Minimum Necessary Rule
- Share only the information needed for the intended purpose. Avoid unnecessary identifiers or medical details.
☐ Implement Safeguards
- Use strong access controls for websites and social media accounts.
- Secure PHI in both digital and physical formats.
- Define who is authorized to access and share PHI.
☐ Train Your Workforce
- Include marketing, social media, and communications staff in HIPAA training.
- Reinforce policies on proper use and disclosure of PHI.
☐ Respond Promptly to Breaches
- Follow breach notification procedures immediately if PHI is disclosed without authorization.
- Notify affected individuals and implement corrective actions.
Tip: When in doubt, don’t post it. Always confirm authorization before sharing any PHI publicly.
