Loved by Your Patients? Great News! But Let Them Tell the World—or Get Permission

Health Care Compliance Association (HCCA)

Report on Patient Privacy 25, no. 12 (December, 2025)

Anyone who’s ever felt the healing touch of a skilled physical therapist (PT) or benefitted from other rehab services knows that such providers can be worth their weight in gold, helping to restore basic functions like walking and speaking and otherwise relieving pain. So, if you have a “success story,” why not share that with the world?

That’s what Delaware-based Cadia Healthcare was trying to do. In service of its “mission to help our patients,” it posted success stories “as a means to encourage, motivate, and instill hope in our patients by celebrating our patients’ progress towards recovery and rehabilitation on our social media pages. These success stories typically included the patient’s photograph and a short testimonial highlighting their success.”[i]

Unfortunately for Cadia, the description of this practice comes from what it called a “Notice of Success Story Incident,” but what the HHS Office for Civil Rights (OCR) called a violation of the Privacy Rule (and the Breach Notification Rule for what Cadia didn’t do afterward).

In a settlement signed in April but only recently released, OCR alleged that Cadia actually posted 150 such stories without the signed patient authorizations that are required under the Privacy Rule.[ii] To close OCR’s investigation—prompted by a 2021 complaint—Cadia officials agreed to pay $182,000 and implement a two-year corrective action plan (CAP), which requires it, among other things, to notify affected patients as mandated by the Breach Notification Rule.

Cadia’s facilities provide rehabilitation, skilled nursing and long-term care services, according to OCR. The settlement encompasses Cadia Rehabilitation Broadmeadow, Cadia Rehabilitation Capital, Cadia Rehabilitation Silverside, Cadia Rehabilitation Renaissance and Cadia Rehabilitation Pike Creek. Officials did not respond to RPP’s request for comment on the settlement, nor its questions about the success stories campaign.

There’s no denying that health care is a business—regardless of profit status—and that good reviews and patient testimonials can increase patient volumes. But there’s just one catch: Although patients are free to crow (or complain) about their experiences on Facebook, Instagram or any other social media platform of their choosing, providers are not—unless they have a signed authorization.

For insights on how to do this properly, see “Social Media Mistakes Stem From HIPAA ‘Knowledge Deserts.’”[iii] RPP is also providing a sample authorization form.[iv]

That was the point that OCR Director Paula Stannard made—and this isn’t the only such case in the agency’s enforcement history. In fact, OCR’s first such enforcement action, back in 2016, also involved a PT provider. Los Angeles-based Complete P.T., Pool & Land Physical Therapy admitted that it posted testimonials without an authorization. OCR took four years to resolve that case, which ended with a one-year CAP and a $25,000 payment. In other cases, it has collected fines for unauthorized disclosures of protected health information (PHI) in response to bad reviews posted online.

“The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities [CEs] and business associates should ensure that the HIPAA Privacy Rule permits the disclosure,” Stannard said in announcing the settlement. “Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”[v]

Signed authorizations are generally required for uses and disclosures of PHI for any purpose that is not treatment, payment or health care operations (TPO).

Cadia: Policies Weren’t Followed

So, what went wrong here?

In its undated incident notice, which still appears on its website, Cadia acknowledged there was noncompliance, but said nothing about how or why this happened, nor whether any members of its workforce were disciplined. There also was a discrepancy between what it and what OCR said about the extent of the unallowable campaign.

“Pursuant to our policies and procedures, Cadia employees were required to obtain a written consent form from any patient participating in the success story program prior to posting a story,” the notice states. “However, on February 22, 2022, we learned that one or more of these success stories may have been posted without a valid consent form on file for the patient highlighted in the story. We promptly launched an investigation,” deleted the stories and axed the campaign.

OCR said its investigation found that, as of the date Cadia referenced, there were actually 150 stories posted without authorization.

As is generally its practice with settlements (as opposed to penalties it imposes), OCR did not explain how it arrived at the $182,000 payment amount.

Removal May Make Notification Difficult

In addition to the payment, the agreement obligates Cadia, within 60 days of the effective date of the settlement, to “notify any and all individuals, or an individual’s personal representative, whose PHI was disclosed by Cadia on any Cadia website, a social media website, or through other marketing or promotional materials without a valid authorization, that their PHI has been breached.” Moreover, Cadia was required to “submit to HHS, through HHS’ breach portal, breach reports regarding the individuals identified” whose PHI was part of the success stories postings.

But Cadia’s “incident” notice indicated it likely was going to struggle with this requirement. The company “removed all success stories from our social media pages, and on March 2, 2022, eliminated the success story program in its entirety,” it said. “As part of our investigation, we reviewed our records to identify any patients without a valid consent form on file. Because we deleted all success stories in 2022, we were unable to definitively determine all individuals who participated in the success story program.”

This seems like something of a misstep; it would be good practice to keep records of all marketing materials and campaigns, particularly those involving patients. In the absence of a pool of people it could “definitively” contact, the notice said Cadia, “out of an abundance of caution, [was] notifying individuals who may have participated and for whom we could not locate a valid consent form. If you believe you were impacted by this incident and have additional questions, please contact Elizabeth Price at cadiaprivacyofficer@cadiahealthcare.com.”

CAP Addresses ‘Social Media Campaigns’

The CAP, which Cadia and OCR representatives signed April 21 and 22, respectively, contains specific provisions that relate to social media and other non-TPO uses of PHI:

◆ Cadia’s policy and procedures must include “a specific prohibition on the use or disclosure of [PHI] by Cadia workforce members, agents, and business associates for any marketing related purposes, including website testimonial or social media campaigns, without the written authorization of the patient who is the subject of the PHI sought to be disclosed, or the personal representative of that patient pursuant to 45 C.F.R. § 164.502 and 45 C.F.R. § 164.508.”

◆ Those policies and procedures must “specifically address permissible and impermissible uses and disclosures of PHI and appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. (Uses and disclosures of protected health information [PHI] 45 C.F.R. § 164.502 and Safeguards 45 C.F.R. § 164.530(c)).”

◆ They also must address “uses and disclosures that require an individual’s authorization, including all required elements of a valid authorization.”

Cadia agreed to “revise its authorization form(s) to comply with the requirements of the Privacy Rule, including inclusion of an expiration date or event and statement that information disclosed pursuant to the authorization may be subject to redisclosure and no longer be protected by the Privacy Rules. (Authorizations 45 C.F.R. § 164.508).”

It also must implement “a process to evaluate and approve authorizations in place prior to the use or disclosure of PHI.”

OCR specified that Cadia’s policies and procedures related to the Breach Notification Rule, “including Cadia’s internal reporting procedures…will require all workforce members to report to the designated person or office at the earliest possible time any potential violations of the Privacy, Security or Breach Notification Rules or of Cadia’s privacy and security policies and procedures.”

Finally, Cadia must “promptly investigate and address all received reports in a timely manner.” The organization agreed to train all its workforce, “including marketing personnel,” on the Privacy Rule policies and procedures “within sixty (60) days of the implementation of the Policies and Procedures, or within thirty (30) days of when they become a member of Cadia’s workforce.”

Rule Is Unequivocal

For reference, the following is OCR’s summary of the Privacy Rule’s authorization provisions:

◆ “A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.

◆ “An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization, or by a third party. Examples of disclosures that would require an individual’s authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer of the results of a pre-employment physical or lab test, or disclosures to a pharmaceutical firm for their own marketing purposes.

◆ “All authorizations must be in plain language, and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data. The Privacy Rule contains transition provisions applicable to authorizations and other express legal permissions obtained prior to April 14, 2003.”[vi]


[i] Cadia Healthcare, “Notice of Success Story Incident,” accessed December 1, 2025, https://bit.ly/4itqsif.

[ii] U.S. Department of Health and Human Services, “HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information,” news release, September 30, 2025, https://bit.ly/3M9cgPx.

[iii] Theresa Defino, “Social Media Mistakes Stem From HIPAA ‘Knowledge Deserts,’” Report on Patient Privacy 25, no. 12 (December 2025): 3.

[iv] “HIPAA AUTHORIZATION FORM: Patient Consent for Use or Disclosure of Photographic, Audio, and/or Video Images,” Report on Patient Privacy 25, no. 12 (December 2025): 4.

[v] U.S. Department of Health and Human Services, Office for Civil Rights, resolution agreement with Cadia Healthcare Facilities, April 22, 2025, https://bit.ly/48kRSSU.

[vi] U.S. Department of Health and Human Services, Office for Civil Rights, “Summary of the HIPAA Privacy Rule,” content last reviewed March 14, 2025, https://bit.ly/3XLL1gF.
