Health Co.'s 'Success Story' Misstep Holds HIPAA Lessons

In an analysis for Law360, Woods Rogers Principals Liz Heddleston and Leah Stiegler evaluate a recent enforcement action involving a healthcare facility that underscores how easily well-intentioned marketing efforts can interfere with HIPAA obligations. In September, the U.S. Department of Health and Human Services Office for Civil Rights announced its settlement with Cadia Healthcare Facilities for potential violations of HIPAA after the organization disclosed protected health information of patients on its website as part of a ’success story’ without obtaining a valid, written HIPAA authorization.  

"As healthcare organizations lean more heavily on patient testimonials, success stories, and visual content to tell their stories online, the Cadia settlement offers a timely reminder: Digital visibility does not override federal privacy obligations,” Liz and Leah write.

Cadia settled with the OCR, and the enforcement action highlights that healthcare organizations must understand their HIPAA obligations, particularly given the growing popularity of digital marketing strategies. 

"Names, photos, treatment descriptions, progress details, or even dates related to care can qualify as protected health information if tied to health information,” Liz and Leah advise. "A patient testimonial including a name or image isn't anonymous unless it complies with HIPAA's strict deidentification standards."

"Thus, what might feel like a harmless success post — especially if a patient appears happy or consenting — is, in fact, a disclosure of protected health information that requires a compliant HIPAA authorization."

Read Liz and Leah’s guidance and analysis of the settlement on Law360's website or in the copy here (PDF).