October 6, 2025
Remember: sometimes, it’s not your story to tell.
While your practice might be excited to share the positive results of quality patient care, it’s your patients’ right to share their stories. Patients’ medical histories and treatment plans are considered Protected Health Information (PHI), and it’s your practice’s responsibility to safeguard all sensitive patient data.
Cadia Healthcare Facilities is the latest rehabilitation organization caught in the Office for Civil Rights’ (OCR) crosshairs after improperly disclosing patient health stories online. Prompted by a patient complaint, the OCR investigated the organization and settled the violation with a $182,000 fine and a two-year Corrective Action Plan (CAP). The result, a major financial and reputational hit paired with two years of thorough government monitoring, is a hard lesson for the organization.
The 20th fine of the year teaches healthcare practices the importance of HIPAA-compliant marketing, website management, and patient consent.
What Happened?
The rehabilitation organization implemented a Success Story section on its site, with 150 patients’ stories publicly highlighted on the page. This page had extensive PHI, including a patient’s name, image, conditions, treatment, and recovery plans.
While Cadia Healthcare Facilities utilized the website with good intentions, these Success Stories quickly turned into HIPAA horrors. The reason why? Missing HIPAA authorization forms for all 150 featured patients.
Then, a patient contacted the OCR with concerns about their image being used without permission on the Cadia Healthcare Facilities website. That’s when the OCR discovered the rehabilitation organization’s noncompliant website and impermissible disclosures.
In addition to the fine and government monitoring, the organization must notify all impacted patients that their information was breached on its site, per the Breach Notification Rule.
Share Online Compliantly
Posting your practice’s accomplishments online might be exciting, but your practice must handle it carefully.
Your practice must obtain a HIPAA authorization form before publicly sharing patients’ PHI. This includes before-and-after photos, testimonials, and, in this case, success stories. The authorization must be in writing and specific about what will be shared and where, and patients can withdraw their permission at any time.
Your practice’s online presence is likely a new patient’s first impression, so it’s essential to maintain and update your webpage. However, having more likes and views should never outweigh your commitment to compliance and patient protection.
Are you confident your staff understands how HIPAA compliance extends to social media and other forms of marketing? With smart software, your practice can easily train and provide staff with the required documents for HIPAA-compliant social media use. The right compliance solution will empower your staff to handle HIPAA compliance with ease, allowing them to build an online presence while keeping patient data safe.
To learn more about HIPAA compliance for your practice, meet with a compliance expert today.