OCR Settles HIPAA Privacy & Breach Notification Rule Violations with Five Delaware Healthcare Facilities

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its 20th HIPAA enforcement action of the year. The latest action resolves alleged violations of the HIPAA Privacy Rule and HIPAA Breach Notification Rule at five Delaware healthcare facilities, collectively referred to as Cadia Healthcare Facilities. The settlement agreement includes a $182,000 financial penalty and a corrective action plan to address the identified areas of noncompliance with the HIPAA standards.

The five facilities are rehabilitation, skilled nursing, and long-term care services providers, and individually are HIPAA-covered entities, since they transmit health information electronically in connection with transactions for which the HHS has adopted standards. They are:

  • Cadia Rehabilitation Broadmeadow
  • Cadia Rehabilitation Capital
  • Cadia Rehabilitation Silverside
  • Cadia Rehabilitation Renaissance
  • Cadia Rehabilitation Pike Creek

OCR launched an investigation in response to a complaint rather than a data breach report. Complaints can be filed by anyone who suspects that the HIPAA Rules may have been violated, including staff members, patients, or the general public. OCR received a complaint on September 20, 2021, about an impermissible disclosure of protected health information online.

The complainant discovered that a photograph, along with their name and information about their medical conditions, treatment, and recovery at a Cadia facility, had been added to the Cadia website as part of a success story, but the complainant had not consented to that use and disclosure. OCR’s investigation determined that a Cadia employee had posted a photograph of the complainant to Cadia’s social media page, without first obtaining a written, signed authorization from the subject of that protected health information. OCR notified Cadia about the finding, and the post was immediately removed. The complainant was informed that the success story had been removed from the website and social media page.

Further investigation revealed that as of February 22, 2022, Cadia had impermissibly disclosed the protected health information of 150 patients on social media through its success story program, yet failed to obtain valid patient authorizations; therefore, the posting of photographs and protected health information was not permitted under the HIPAA Privacy Rule. The Success Story program was discontinued in March 2022, and the success stories were removed, yet notification letters were not mailed to the 150 individuals.

OCR determined that the Cadia Healthcare Facilities violated the HIPAA Privacy Rule – 45 C.F.R. § 164.530(c); 45 C.F.R. § 164.502(a) – and the HIPAA Breach Notification Rule – 45 C.F.R. § 164.404(a) – and that the violations were sufficiently severe to warrant a financial penalty. OCR agreed to settle the alleged HIPAA violations with a $182,000 financial penalty and a corrective action plan, which includes reviewing and updating its HIPAA policies and procedures, providing HIPAA training to all members of the workforce, and issuing notification letters to the individuals affected. A website notification has now been published, and individual notifications have been mailed to all individuals potentially affected, for whom valid authorizations have not been obtained.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

“The internet and social media are important business development tools.  But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure,” said OCR Director Paula M. Stannard. “Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/