A $182,000 settlement has been agreed between the HHS’ Office for Civil Rights and five Delaware healthcare providers to resolve alleged violations of the HIPAA Privacy and HIPAA Breach Notification Rules. The settlement concerns the posting of patients’ protected health information (PHI) on social media without first obtaining HIPAA-compliant authorizations to use PHI for a purpose not expressly permitted by the HIPAA Privacy Rule, then failing to notify individuals about the impermissible use and disclosure.
Cadia Healthcare is a provider of rehabilitation, skilled nursing, and long-term care services at five facilities in Delaware. Those facilities are Cadia Rehabilitation Broadmeadow in Middletown, Cadia Rehabilitation Renaissance in Millsboro, Cadia Rehabilitation Capital in Dover, and Cadia Rehabilitation Pike Creek and Cadia Rehabilitation Silverside in Wilmington, collectively referred to as the Cadia Healthcare Facilities (Cadia).
Each of the Cadia facilities is a HIPAA-covered entity that is required to comply with the HIPAA Rules. OCR launched an investigation after receiving a complaint on September 20, 2021, about an alleged impermissible disclosure of PHI online. The complainant alleged that Cadia had used their photograph, name, and information about their condition, treatment, and recovery in an online post but had not obtained authorization to use the information for that purpose.
OCR’s investigation substantiated the allegation and determined that a Cadia employee had posted the patient’s PHI to Cadia’s social media page as part of a success story; however, a signed authorization form had not been obtained prior to that use and disclosure. Under HIPAA, PHI cannot be posted online on websites or social media pages unless a HIPAA-compliant authorization has been obtained from an individual in advance.
OCR notified Cadia about the allegations and the findings of the investigation, and Cadia removed the post and notified the patient that the success story had been removed. OCR also identified other patients whose treatment had been included in a series of success stories. As of February 22, 2022, Cadia had created and posted success stories containing the PHI of 150 patients without obtaining valid HIPAA authorizations. According to OCR, Cadia shut down the success story program in March 2022, but failed to issue notifications to the affected individuals, as required by the HIPAA Breach Notification Rule.
“The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure,” said OCR Director Paula M. Stannard. “Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”
In April 2025, OCR entered into a settlement agreement with Cadia to resolve the alleged violations of the HIPAA Rules. The alleged violations related to two Privacy Rule and one Breach Notification Rule provisions:
- 45 C.F.R. § 164.530(c) – The failure to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and reasonably safeguard PHI from any intentional or unintentional use or disclosure.
- 45 C.F.R. § 164.502(a) – The impermissible use or disclosure of PHI
- 45 C.F.R. § 164.404(a) – The failure to issue timely breach notifications
In addition to paying the financial penalty, the settlement agreement includes a corrective action plan (CAP). Cadia will be monitored for compliance with the CAP for 2 years. The corrective action plan requires Cadia to review and revise, as necessary, its policies and procedures to ensure compliance with the HIPAA Rules. Those policies and procedures must be distributed to the workforce, and HIPAA training must be provided to workforce members. Policies and procedures must be reviewed at least annually and updated as necessary to ensure continued HIPAA compliance. Cadia is also required to issue breach notifications concerning the impermissible disclosures of PHI under the success story program.
Notifications have already been issued, and the Cadia websites currently display a notice about the privacy violations. Cadia confirmed that it had policies and procedures in place requiring patients to sign a written consent form prior to using their information in its success story program. “On February 22, 2022, we learned that one or more of these success stories may have been posted without a valid consent form on file for the patient highlighted in the story. We promptly launched an investigation, removed all success stories from our social media pages, and on March 2, 2022, eliminated the success story program in its entirety,” explained Cadia in its substitute breach notice. “Because we deleted all success stories in 2022, we were unable to definitively determine all individuals who participated in the success story program. Accordingly, out of an abundance of caution, we are notifying individuals who may have participated and for whom we could not locate a valid consent form.”
This is the 20th HIPAA penalty to be imposed by OCR to resolve violations of the HIPAA Rules so far in 2025, making it one of the most active years of HIPAA enforcement. So far this year, OCR has collected more than $8.2 million in civil monetary penalties and settlements.
The post Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations appeared first on The HIPAA Journal.
