HHS OCR Settles HIPAA Investigation of Cadia Healthcare Facilities for PHI Disclosure

The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a settlement with five healthcare providers, collectively known as Cadia Healthcare Facilities, for potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Breach Notification Rules. The Cadia Healthcare Facilities are rehabilitation, skilled nursing, and long-term care services providers located in Delaware. The settlement resolves an investigation of Cadia Healthcare Facilities that OCR initiated after receiving a complaint in September 2021 alleging that Cadia Healthcare Facilities had impermissibly disclosed a patient’s name, photograph, and information pertaining to the patient’s conditions, treatment, and recovery in the form of a “success story” posted to Cadia Healthcare Facilities’ website.

OCR’s investigation confirmed that Cadia Healthcare Facilities had posted the patient’s PHI to its public-facing website without first obtaining a valid, written HIPAA authorization from the patient. OCR’s investigation also determined that Cadia Healthcare Facilities disclosed the PHI of a total of 150 patients to its websites through its “success story” program without first obtaining valid, written HIPAA authorizations. OCR determined that Cadia Healthcare Facilities impermissibly disclosed PHI, failed to have appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI, and failed to provide breach notification to the affected individuals.