‘Success Stories’ Campaign Improperly Released PHI of 150 Individuals

A marketing initiative titled “Success Stories” by a Delaware nursing home has culminated in a federal fine of $182,000. Regulators assert that the initiative resulted in the inappropriate disclosure of patients’ protected health information (PHI), violating HIPAA regulations. The U.S. Department of Health and Human Services’ Office for Civil Rights (HHS OCR) initiated an investigation after a complaint was lodged in September 2021 regarding the company’s unauthorized use of PHI on its website.
The complaint alleged that Cadia Healthcare had disclosed the complainant’s name, photo, and medical details without consent. HHS OCR’s investigation found that a staff member had posted the complainant’s picture as part of a success story without obtaining the required written authorization. Cadia removed the post promptly after being contacted by OCR.
However, further investigation revealed that, starting in February 2022, Cadia had similarly disclosed the PHI of approximately 150 individuals through its social media channels without obtaining the requisite patient authorizations. Although the company retracted the success stories in March 2022, HHS OCR noted that it failed to notify all affected individuals of the breach.
Officials from HHS OCR emphasized the importance of adhering to HIPAA regulations, particularly before revealing any PHI on public platforms. Director Paula Stannard highlighted that valid written authorization is essential before posting testimonials or success stories online.
Apart from the financial penalty, Cadia is required to implement a corrective action plan, which will be monitored by HHS OCR over the next two years. This plan mandates updating HIPAA compliance policies, providing HIPAA training to all staff, particularly those in marketing, and notifying all affected individuals about the unauthorized disclosures.
Cadia has stated on its website that it cannot definitively identify all participants in the success stories because the program was cancelled and the associated data subsequently deleted. Out of an abundance of caution, the organization is contacting every individual for whom it could not locate a valid consent form.
This instance is not isolated, as HHS OCR has previously sanctioned organizations for similar violations related to PHI disclosures on marketing platforms. The trend underscores the necessity for healthcare providers to interact with social media cautiously, ensuring that all promotional materials comply with existing legal frameworks.
Experts advise businesses to remain vigilant when engaging in marketing, ensuring that patient information is disclosed only with appropriate consent and in accordance with HIPAA requirements. Failure to do so not only carries financial repercussions but also risks damaging the trust and privacy that are paramount in healthcare relationships.