HHS settles with Cadia Healthcare over unauthorized disclosure of patient information

Paula M. Stannard – Director of the HHS’ Office for Civil Rights | U.S. Department of Health and Human Services (HHS)

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has reached a settlement with Cadia Healthcare Facilities over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Breach Notification Rules. Cadia Healthcare Facilities, which provides rehabilitation, skilled nursing, and long-term care services in Delaware, was investigated after a complaint was filed in September 2021.

According to the OCR, the complaint alleged that Cadia Healthcare Facilities had posted a patient’s name, photograph, and details about their condition and treatment as part of a “success story” on its website without obtaining proper authorization from the patient. The investigation confirmed that protected health information (PHI) was disclosed publicly without written HIPAA authorization not only for this individual but also for 150 patients through similar postings.

OCR Director Paula M. Stannard stated: “The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure. Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”

The investigation found that Cadia Healthcare Facilities failed to implement appropriate safeguards to protect PHI privacy and did not notify affected individuals as required by breach notification regulations.

Under the terms of the resolution agreement, Cadia Healthcare Facilities will pay $182,000 to OCR and will implement a corrective action plan monitored by OCR for two years. The plan requires reviewing policies related to HIPAA compliance, providing workforce training—including marketing staff—on these policies, and notifying individuals whose PHI was disclosed without valid authorization via facility websites or other marketing channels.

More details on the resolution agreement are available at https://www.hhs.gov/sites/default/files/ocr-ra-cap-cadia-healthcare-facilities.pdf.

OCR continues its efforts to enforce HIPAA rules designed to protect health information privacy. Guidance regarding HIPAA Privacy, Security, and Breach Notification Rules is accessible on OCR’s website.

Individuals who believe their health information privacy rights have been violated may file complaints with OCR.