A company that runs five nursing homes in Delaware recently agreed to pay a $182,000 fine to settle an investigation into alleged HIPAA violations. The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) investigated the company, referred to collectively as the Cadia Healthcare Facilities, after it received a complaint that the nursing homes were disclosing patients’ names, photographs and health information on the homes’ website and social media accounts. OCR indicated that the information was shared publicly without obtaining a valid HIPAA authorization from the patients.
The company explained that the information was used to share patient success stories as a way of encouraging and motivating other patients. Although the company required its employees to obtain written consents from the patients who participated in the success story program, it was discovered that one or more of the employees failed to obtain consents before posting the patients’ stories on the public forum. Approximately 150 patients were affected by this HIPAA violation.
As part of the settlement with OCR, the nursing home company also agreed to implement a corrective action plan that includes two years of monitoring by OCR, notifying all affected patients, reviewing its HIPAA policies and procedures, and retraining employees on HIPAA compliance, particularly as it relates to marketing activities.
This settlement serves as a reminder to all covered entities and business associates that all marketing campaigns that involve the use or disclosure of protected health information (PHI) need to be assessed for HIPAA compliance. As a general matter, written authorizations should be obtained from patients before using or disclosing their PHI.