From Success Stories to HIPAA Violations: Cadia Healthcare’s $182K Lesson

October 6, 2025

 

Remember: sometimes, it’s not your story to tell. 

While your practice might be excited to share the positive results of quality patient care, it’s your patients’ right to share their stories. Patients’ medical histories and treatment plans are considered Protected Health Information (PHI), and it’s your practice’s responsibility to safeguard all sensitive patient data. 

Cadia Healthcare Facilities is the latest rehabilitation organization caught in the Office for Civil Rights’ (OCR) crosshairs after improperly disclosing patient health stories online. Notified by a patient complaint, the OCR investigated the organization and settled the violation with a $182,000 fine and a two-year Corrective Action Plan (CAP). A major financial and reputational hit, paired with thorough government monitoring, is a lesson learned for the organization. 

The 20th fine of the year teaches healthcare practices the importance of HIPAA-compliant marketing, website management, and patient consent. 

 

What Happened? 

The rehabilitation organization implemented a Success Story section on its site, with 150 patients’ stories publicly highlighted on the page. This page had extensive PHI, including a patient’s name, image, conditions, treatment, and recovery plans. 

While Cadia Healthcare Facilities utilized the website with good intentions, these Success Stories quickly turned into HIPAA horrors. The reason why? Missing HIPAA authorization forms for all 150 featured patients.

Then, a patient contacted the OCR with concerns about their image being used without permission on the Cadia Healthcare Facilities website. That’s when the OCR discovered the rehabilitation organization’s noncompliant website and impermissible disclosures. 

In addition to the fine and government monitoring, the organization must notify all impacted patients that their information was breached on its site, per the Breach Notification Rule.

 

Share Online Compliantly

Posting your practice’s accomplishments online might be exciting, but your practice must handle it carefully. 

Your practice must obtain a HIPAA authorization form before publicly sharing patients’ PHI. This includes before-and-after photos, testimonials, and, in this case, success stories. The forms must be written and specific, and patients can withdraw permission at any time. 

Your practice’s online presence is likely a new patient’s first impression, so it’s essential to maintain and update your webpage. However, having more likes and views should never outweigh your commitment to compliance and patient protection.

Are you confident your staff understands how HIPAA compliance extends to social media and other forms of marketing? With smart software, your practice can easily train and provide staff with the required documents for HIPAA-compliant social media use. The right compliance solution will empower your staff to handle HIPAA compliance with ease, allowing them to build an online presence while keeping patient data safe. 

To learn more about HIPAA compliance for your practice, meet with a compliance expert today

RECENT POSTS

Related posts

HIPAA marketing compliance
Abyde News, Best Practices, HIPAA

Likes Without Liability: HIPAA-Safe Ways to Connect with Patients Online

October 1, 2025 No comments yet

October 1, 2025   Doing a TikTok with a patient might make your practice go viral for all the wrong reasons.  In a world of social media, email marketing, and overall digital communication, connecting with your patients online is a no-brainer.  However, the moment you step into the world of patient engagement, you run straight into red tape, the Health Insurance Portability and Accountability Act (HIPAA) regulations. While a photo of a patient might not seem like a big deal, your practice needs to safeguard patient data, or Protected Health Information (PHI). Typical forms of PHI include a patient’s name, image, Social Security Number, and health records.  The internet provides numerous ways to connect and market to patients; your practice must do this carefully, securely, and compliantly.    Social Media Landmines The very nature of social media sites like TikTok, Instagram, and Facebook encourages quick, personal sharing of content. These all directly conflict with the strict privacy requirements HIPAA upholds.  The good news is, your practice can post with patients if the proper steps are followed to ensure HIPAA marketing compliance.  First, your patient must sign a media consent form if their image is posted. This includes testimonials as well. Even if a patient had a great experience with your practice and wants to share, this documentation must be completed. This form must be specific and written, allowing the patient to withdraw permission easily. A verbal agreement isn’t going to cut it.  PHI also can’t be shared when responding to Google or Yelp reviews. And yes, acknowledging that a patient attended your practice is considered PHI. Keep all responses brief and respectful. If a patient had a bad experience at your practice, try to take it offline and provide a secure channel to continue communication.  Remember that HIPAA violations are not limited to your official practice accounts. Any of your practice’s staff is bound to HIPAA legislation. So, train and ensure staff know their responsibilities to keep PHI secure. No selfies at work!    Safeguarding your Inbox Chances are, you’re sending emails every day in your practice. Let’s make sure your practice is sending emails compliantly. First up: encryption. Patient emails are considered PHI, so ensure all the necessary technical safeguards are in place to protect your inbox. After double-checking that the right patient receives an email, keep it simple and send only the minimum necessary information. A quick appointment reminder doesn’t need someone’s full health record attached. Next, consent matters. Your patients might be fine getting reminders or lab results by email, but that doesn’t mean they want marketing messages about specials at another location. Respecting their preferences keeps their information safe and your practice out of trouble. Make sure your practice documents this consent, and like media consent forms, allow your patients to change their permissions at any time.   Posting with Peace of Mind This is just a quick roadmap for using marketing tools  and HIPAA marketing compliance in your practice, but if done correctly, social media and email can be powerful ways to connect with your patients. Staying compliant isn’t just about following rules; it helps build trust with your patients, which is far more valuable than any number of Instagram followers.  While your IT provider can always offer guidance on technical safeguards, understanding these basics is essential for keeping your practice and patient information safe.  Smart, practical solutions can make HIPAA compliance easier for your practice.  Connect with a compliance expert today to take the guesswork out of compliance.

HIPAA Dental Photography
Abyde News, Best Practices, HIPAA

Smile Safely: What Dental Practices Need to Know About Patient Photos

September 25, 2025 No comments yet

September 25, 2025   Smile! Members of your dental practice look at countless images of your patients’ pearly whites daily. However, it can be a major HIPAA violation if your practice doesn’t handle these images carefully. While X-rays of a patient seem anonymous, X-rays and patient medical imaging are considered Protected Health Information (PHI). PHI is health data that can easily be linked to an individual patient. In fact, X-rays also usually include further information, including a patient’s full name and birthday, to ensure they are appropriately assigned and shared with the right patient. The same goes for images of patients’ teeth taken with a traditional camera. HIPAA is about keeping patient information safe, protecting healthcare data, and holding everyone accountable.  So, your practice’s job is to keep patient images from curious eyes peeking where they shouldn’t.   No Peeking! When handling X-rays and other forms of dental photography, ensure that role-based permissions are correctly assigned. In other words, ensure that whoever has access to these images truly needs access. For example, your receptionist most likely doesn’t need access to a patient’s X-rays, but your head dentist would. Your practice must assign these roles to keep patient data safe and terminate any access once an employee leaves or roles change. A recent HIPAA fine highlights the importance of this, with an $800,000 fine after one patient became aware of improper staff access. Your practice should also routinely monitor access to PHI, ensuring that a) the viewer can view specific patient images and b) it makes sense when and how long they review PHI. For example, your practice’s billing staff doesn’t need to look at a patient’s health records at 3 a.m. Noticing odd access to PHI can let your practice catch issues quickly, like hackers.   Smile for the Camera (and get an Autograph!) While it’s vital to keep patients’ medical images, such as X-rays and traditional photos, under lock and key, with the right documentation, you can share these images publicly. Let’s say your practice wants to share a patient’s orthodontic journey with braces on social media with a before-and-after post. Before posting anything, make sure your patient signs a media consent form. These forms should be thorough and documented by your practice. A patient must be able to revoke consent easily at any time. While you have this consent, keeping any images as anonymous as possible is still best practice. You shouldn’t be tagging your patients in social media posts!   Smile with Compliance Confidence As they say, a picture is worth a thousand words, and in healthcare, those words are PHI that must stay protected. Dental images play a key role in diagnosing and treating patients, which is why your practice needs to keep this form of PHI secure. With the right compliance solution, your practice can simplify HIPAA by managing everything in one centralized hub. Important documents, like media consent forms, are always easy to access. Connect with a HIPAA expert today to learn how to streamline compliance.

Security Risk Analysis software for healthcare
Abyde News, HIPAA

Introducing Abyde’s Security Risk Analysis for Covered Entities

September 23, 2025 No comments yet

September 23, 2025   At the foundation of every HIPAA-compliant practice is a Security Risk Analysis (SRA).  The SRA is a thorough assessment of all administrative, physical, and technical safeguards your practice has in place to secure Protected Health Information (PHI). The comprehensive SRA needs to include everything your practice does, from using a sign-in sheet to alarms in the practice to how your computer systems are handled. This documentation must be updated annually and completed for every location of a practice. It is also required for MIPS.  This analysis allows your practice to identify vulnerabilities before an issue occurs. If your SRA shows a server running an outdated version, fix it now; don’t wait for it to become a breach.  A missing SRA is one of the most common HIPAA violations discovered by the Office for Civil Rights (OCR). In fact, during the last round of audits, 86% of Covered Entities, or practices, couldn’t produce a compliant SRA.  The OCR has also introduced the Risk Analysis Initiative, focusing on this document when investigating practices. Since the end of 2024, there have been 10 enforcements of this initiative, totalling over a million dollars in fines. During any investigation, the OCR can and will ask you to provide proof of this document.  This document sets the groundwork for compliance in your practice and is key to proving proactive compliance if a situation arises.  However, completing an SRA is easier said than done. With intricate complexities and the different areas of your practice that must be reviewed, it’s tough to figure out where to start.  Manually completing an SRA takes time and is prone to mistakes. Hiring a third-party consultant can get expensive, and you could lose patient time if they need to close your practice while completing the documentation.    Streamlining the SRA There is a better way.  Abyde has released its Security Risk Analysis for Covered Entities solution to simplify completing this documentation.  While this feature is implemented in the full HIPAA for Covered Entities product, alongside training, dynamic policy and procedure documentation generation, Business Associate Agreements, event logs, live support, and more, Abyde has created our latest product to assist practices in taking their first step toward compliance.  The Security Risk Analysis for Covered Entities solution is crafted for healthcare practices and streamlines the SRA into an intuitive questionnaire. Instead of closing your practice for the day, complete this questionnaire within an hour with cloud-based software.  After completion, the Security Risk Analysis software for healthcare will generate a Scorecard report, highlighting any recommendations for your practice to achieve compliance.  The full SRA only needs to be completed once. After that, the software prompts you with ongoing questions whenever updates are required. For example, if your practice isn’t encrypting emails, it will flag this as a high risk and remind you on a monthly basis until your practice takes the proper precautions.  Enjoy the SRA? You can easily upgrade the Security Risk Analysis software for healthcare to Abyde’s full HIPAA for Covered Entities product and maintain your SRA.    Get Compliant Today A Security Risk Analysis doesn’t have to be complicated or time-consuming.  With Abyde’s Security Risk Analysis for Covered Entities software, your practice can complete a thorough, compliant SRA quickly and accurately, without disrupting patient care.  Ready to streamline your SRA? Meet with a compliance consultant today.

Are you ready for an audit? Use our new HIPAA Audit Checklist to get prepared.

DOWNLOAD NOW
X