HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information

Settlement Resolves Potential Violations of the HIPAA Privacy and Breach Notification Rules

Today, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with five health care providers, collectively known as Cadia Healthcare Facilities, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Breach Notification Rules. The Cadia Healthcare Facilities are rehabilitation, skilled nursing, and long-term care services providers located in Delaware.

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules), which set forth the requirements that covered entities (health plans, health care clearinghouses, and most health care providers), and business associates must follow to protect the privacy and security of protected health information (PHI). The HIPAA Privacy Rule establishes national standards to protect individuals' PHI; sets limits and conditions on the uses and disclosures of PHI; and gives individuals certain rights, including the right to timely access their health records. The Breach Notification Rule requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

"The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure," said OCR Director Paula M. Stannard. "Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual's PHI in a website testimonial or through a social media campaign."

The settlement resolves an investigation of Cadia Healthcare Facilities that OCR initiated after receiving a complaint in September 2021 alleging that Cadia Healthcare Facilities had impermissibly disclosed a patient's name, photograph and information pertaining to the patient's conditions, treatment, and recovery in the form of a "success story" posted to Cadia Healthcare Facilities' website. OCR's investigation confirmed that Cadia Healthcare Facilities had posted the patient's PHI to its public facing website without first obtaining a valid, written HIPAA authorization from the patient. OCR's investigation also determined that Cadia Healthcare Facilities disclosed the PHI of a total of 150 patients to its websites through its "success story" program without first obtaining valid, written HIPAA authorizations. OCR determined that Cadia Healthcare Facilities impermissibly disclosed PHI, failed to have appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI, and failed to provide breach notification to the affected individuals.

Under the terms of the resolution agreement, Cadia Healthcare Facilities agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $182,000 to OCR. Cadia Healthcare Facilities will also take steps to improve its compliance with the HIPAA Privacy and Breach Notification Rules, including:

• Reviewing and, to the extent necessary, developing, maintaining, and/or revising, its written policies and procedures to comply with the HIPAA Privacy and Breach Notification Rules;
• Providing all members of their workforce, including marketing personnel, with training on their HIPAA policies and procedures; and
• Notifying any and all individuals, or the individual's personal representative, whose PHI was disclosed by Cadia Healthcare Facilities on any of its facility websites, social media accounts, or through other marketing or promotional materials without a valid authorization, that their PHI has been breached.

The resolution agreement and corrective action plan may be found at https://www.hhs.gov/sites/default/files/ocr-ra-cap-cadia-healthcare-facilities.pdf.

OCR is committed to enforcing the HIPAA Rules that protect the privacy and security of peoples' health information. Guidance about the Privacy Rule, Security Rule, and Breach Notification Rule can also be found on OCR's website.

If you believe that your or another person's health information privacy or civil rights have been violated, you can file a complaint with OCR.

Follow HHS OCR on X (formerly Twitter) at @HHSOCR.