
Did Anyone Even Ask If It Was OK? – Ep 531 

 October 17, 2025

By  Donna Grindle

Ah, success stories—where marketing meets warm fuzzies… and sometimes federal investigations. This week, we’re dissecting how one healthcare group turned a few heartfelt patient testimonials into a compliance catastrophe. From missing consent forms to deleting everything in a panic, it’s a cautionary tale of what happens when your privacy policies are more like “guidelines” than rules. Spoiler: OCR reads your website too.



Cadia Healthcare just found out that when you hit “post” without a signed HIPAA authorization, that “success story” can turn into a very expensive cautionary tale.

Did Anyone Even Ask If It Was OK?

[00:38]

The latest HIPAA resolution agreement from OCR is with Cadia Healthcare Facilities, a rehabilitation, skilled nursing, and long-term care services provider with 5 locations in Delaware. The resolution was signed in April 2025 but was not officially announced by OCR until September.

Cadia Resolution Agreement HHS OCR

What Happened

  • OCR initiated an investigation on September 20, 2021, after receiving a complaint that Cadia Healthcare had posted a patient’s photo, name, and medical details on its website as part of a “success story.”
  • The post included details about treatment and recovery, which qualified as protected health information (PHI).
  • The investigation confirmed that a Cadia employee posted this information without obtaining a valid, written HIPAA authorization.
  • Further review found that by February 2022, Cadia had impermissibly disclosed PHI for 150 individuals through similar “success stories” on its website and social media.
  • Cadia removed the posts after OCR contact and ended the success story program in March 2022, but did not provide breach notifications to all affected individuals.
    • Notice of Success Story Incident
    • Pursuant to our policies and procedures, Cadia employees were required to obtain a written consent form from any patient participating in the success story program prior to posting a story. However, on February 22, 2022, we learned that one or more of these success stories may have been posted without a valid consent form on file for the patient highlighted in the story. We promptly launched an investigation, removed all success stories from our social media pages, and on March 2, 2022, eliminated the success story program in its entirety.
    • As part of our investigation, we reviewed our records to identify any patients without a valid consent form on file. Because we deleted all success stories in 2022, we were unable to definitively determine all individuals who participated in the success story program. Accordingly, out of an abundance of caution, we are notifying individuals who may have participated and for whom we could not locate a valid consent form.
    • We want to assure you that we have taken this matter very seriously, and we apologize for any inconvenience or concern this may have caused. We have since enhanced our privacy policies and procedures, as well as increased awareness of these policies and procedures through additional employee training, to help prevent something like this from happening again.
  • OCR determined Cadia violated the HIPAA Privacy and Breach Notification Rules, and also failed to implement appropriate administrative, technical, and physical safeguards to protect PHI (phrasing OCR used in the press release – even though that language is more typical of Security Rule cases).

That’s not just a marketing mistake – that’s a systemic failure.

Settlement Details

[15:54]
  • Resolution Amount: $182,000
  • Corrective Action Plan (CAP): 2 years of OCR monitoring and reporting

OCR Director Paula M. Stannard stated:

The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure. Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.

Why did this happen?

We can still wonder what really happened behind the scenes here. The real questions we have are:

  • Was there a privacy officer who knew better and got ignored?
  • Or was there no one properly trained to know this was a problem in the first place?

If a properly trained privacy officer had real authority, these posts never would have made it into the public domain. But too often, that role is just a name on paper – no power, no seat at the table, no training beyond “you’re in charge of HIPAA now, right?” (As we say, they were just “volun-told.”)

Of course, they could have also been flying completely unprotected with no one really doing that job at all.

[22:05]

One of those situations had to have occurred – we have no idea which one, though. No matter which one it was, it ultimately falls on leadership. Maybe that’s why OCR always makes sure the CAP reporting requirements hold leadership directly accountable. All CAPs require this, but we often don’t point out the specific requirements. Here are the ones in this case:

Implementation Report – Due within 120 Days

After OCR approves Cadia’s new HIPAA policies and procedures, Cadia has 120 days to send in an Implementation Report.

The complete report requires signed attestations from leadership and detailed documentation showing that the required steps have been completed.

The report must include:

  1. Policy Implementation Attestation
    A company officer must sign a statement confirming that the new HIPAA policies have been implemented and distributed to all appropriate workforce members.
  2. Training Materials and Description
    Cadia must submit copies of all training materials, a description of the training topics, the duration of sessions, and the schedule of when training sessions were held.
  3. Training Completion Attestation
    An officer must attest that all workforce members have completed the initial training required by the CAP and have signed training certifications.
  4. Website and Marketing Review Attestation
    Leadership must confirm that they reviewed all websites, affiliated web domains, social media accounts, and marketing or promotional materials – including photos and videos – and verified that no protected health information (PHI) has been disclosed impermissibly.
  5. Location Compliance Attestation
    An officer must provide a list of all Cadia locations, including mailing addresses, business names, and phone numbers, and certify that each location is in compliance with the CAP obligations.
  6. Final Officer Attestation
    A senior officer must sign a statement confirming that they have reviewed the Implementation Report, made a reasonable inquiry, and believe the information provided is accurate and truthful.

This means someone in leadership must personally sign off on every step, confirming that they reviewed the requirements and that the work was done properly.

Annual Report

[28:06]

Each year, they must also file an Annual Report within 60 days of the end of the reporting period (the clock started when the CAP took effect).

Each Annual Report must include:

  1. Training Schedule and Materials
    A schedule, topic outline, and copies of all training materials used during the reporting period.
  2. Training Certification Attestation
    A signed statement from an officer confirming that Cadia has maintained written certifications proving that all required personnel completed the training.
  3. Summary of Reportable Events
    A summary of any reportable events identified during the year, including descriptions of corrective and preventive actions taken.
  4. Leadership Report Attestation
    An attestation signed by an officer of Cadia attesting that he or she has reviewed the Annual Report, has made a reasonable inquiry regarding its content, and believes that, upon such inquiry, the information is accurate and truthful.

The Privacy Rule isn’t something you can “wing.” There are a lot of “it depends” moments – context matters, details matter, and it’s not a checklist you can delegate to whoever’s available.

Whether Cadia had a privacy officer who was ignored or one who wasn’t properly trained, OCR’s message is the same:

Leadership is accountable.

They can’t just hand off the problem anymore – they have to be part of the solution, and they have to prove it in writing.

In the end, it’s not about whether you should or must get patient authorization—it’s about how fast things can go sideways when you don’t. Cadia’s tale is a masterclass in “what not to do” with social media and success stories, and a stark reminder that HIPAA doesn’t take kindly to oopsies. Consider this your official warning: if your marketing plan includes PHI, your privacy officer better be more than just someone who missed a meeting.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
