HHS OCR Settles with Healthcare Group for Improper Online Use of Patient Information

On September 30, 2025, the US Department of Health and Human Services (HHS), Office for Civil Rights (OCR), announced a settlement with a group of healthcare providers for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Breach Notification Rules. The providers, which offer rehabilitation, skilled nursing, and long-term care services in Delaware, were part of a coordinated investigation by OCR.

The settlement resolves an investigation initiated by OCR following a September 2021 complaint. The complaint alleged that the providers had impermissibly disclosed a patient’s name, photograph, and information related to the patient’s condition, treatment, and recovery by featuring the individual in a publicly accessible “success story” on their website.

OCR’s investigation confirmed that the providers had posted the patient’s protected health information (PHI) online without first obtaining a valid, written HIPAA authorization.

Further investigation revealed that PHI for a total of 150 patients had been similarly disclosed through the “success story” program without proper authorization. OCR concluded that the providers had impermissibly disclosed PHI, lacked adequate administrative, technical, and physical safeguards to protect patient privacy, and failed to provide required breach notifications to affected individuals.

Under the terms of the resolution agreement, the providers agreed to implement a corrective action plan that will be monitored by OCR for two years, and to pay $182,000 to the agency.

They will also take steps to improve their compliance with the HIPAA Privacy and Breach Notification Rules, including:

  • Reviewing and, to the extent necessary, developing, maintaining, and/or revising their written policies and procedures to comply with the HIPAA Privacy and Breach Notification Rules;
  • Providing all members of their workforce, including marketing personnel, with training on their HIPAA policies and procedures; and
  • Notifying any and all individuals, or the individual’s personal representative, whose PHI was disclosed by the providers on any of their facility websites, social media accounts, or through other marketing or promotional materials without a valid authorization, that their PHI has been breached.

Compliance Perspective

Issue

OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules (the HIPAA Rules), which establish the standards that covered entities — including most healthcare providers, health plans, and healthcare clearinghouses — and their business associates must follow to safeguard PHI. The HIPAA Privacy Rule sets national standards to protect individuals’ medical records and other personal health information. It limits the use and disclosure of PHI without patient authorization and gives individuals key rights, including the right to access their health information. The Breach Notification Rule requires entities to provide prompt notice following any breach involving unsecured PHI. Ensuring compliance with these rules is essential, particularly when PHI is used in marketing, public relations, or other external-facing materials. Without the appropriate policies, training, and oversight in place, organizations may risk impermissible disclosures, regulatory penalties, and damage to patient trust.

Discussion Points

  • Review and, if necessary, revise policies and procedures related to the use and disclosure of PHI, especially in marketing, public relations, and patient recognition efforts. Organizations should have clearly defined protocols for obtaining valid HIPAA authorizations before any PHI is shared externally, including through websites, social media, or promotional content. Facilities may benefit from periodic reviews conducted in coordination with external consultants who specialize in regulatory compliance and can help identify potential gaps before they lead to violations.
  • Ensure that staff are trained on HIPAA’s Privacy and Breach Notification Rules. Training should include how to recognize PHI, when authorizations are required, and the risks of unauthorized disclosure. Med-Net Academy offers the course Privacy and HIPAA Compliance, which provides an overview of privacy requirements using real-world case studies. The program defines PHI, outlines the circumstances under which PHI may be released without consent, addresses common social media myths that may impact privacy, and explains key considerations related to texting and email.
  • Regularly audit processes related to the use of patient information in public-facing materials. Audits should verify that authorizations are properly obtained, retained, and tracked. Facilities may also consider engaging with an external compliance consultant to conduct focused mock surveys or targeted assessments. These reviews can help organizations proactively identify deficiencies and improve readiness for OCR oversight or state-level audits.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*