On September 30th, 2025, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with Cadia Healthcare Facilities for potential violations of the HIPAA Privacy and Breach Notification Rules. The Cadia Healthcare Facilities (Cadia) that are the subject of this settlement include five providers located in Delaware that specialize in rehabilitation, skilled nursing, and long-term care services. This settlement follows an OCR investigation of Cadia in which Cadia posted a “success story” of a patient to its public website without first receiving a valid HIPAA authorization from the patient. The success story post included PHI such as the patient’s name, their photograph, and information regarding their condition, treatment, and recovery. OCR’s investigation further revealed that, through their “success story” program, Cadia compromised the PHI of 150 total patients.

Because Cadia did not receive written HIPAA authorization from these patients before posting their success stories online, OCR’s investigation determined that it breached several of its obligations under HIPAA, including: (i) impermissible disclosure of PHI, (ii) failure to have appropriate safeguards in place to protect PHI, and (iii) failure to notify the affected individuals. Under the Resolution Agreement, Cadia agreed to pay $182,000 to OCR and implement a two-year Corrective Action Plan under OCR’s monitoring. Cadia agreed to take further remedial steps, including reviewing its existing HIPAA compliance policies, providing appropriate training to its entire workforce, and notifying each individual whose PHI was compromised. Additionally, as part of its ongoing implementation reports to OCR, Cadia must ensure that PHI is not included in any of its “websites, affiliated web domains, and social media websites” as well as all “written marketing and promotional materials, whether in paper, electronic or digital format, including any photographs and videos.”

Cadia is not the first healthcare provider that OCR has penalized for disclosing PHI via online marketing. On numerous occasions, OCR has investigated and entered into settlement agreements with providers for engaging in similar online PHI disclosure. For instance, in February 2016, OCR settled with physical therapy provider Complete P.T. for posting patient testimonials with full names and photos on its website without obtaining prior HIPAA-compliant authorizations. Complete P.T. was required to pay OCR a fine of $25,000, implement a Corrective Action Plan, and report its compliance efforts to OCR for one year. 

Key Takeaways

Cases like Cadia and Complete P.T. further demonstrate the importance of HIPAA compliance beyond the scope of the clinical setting. Covered entities and business associates should ensure that staff, regardless of role, are well-versed in the Privacy and Breach Notification Rules as they relate to social media and marketing.
