Exercise Caution in Posting Patient Success Stories

11/1/2025

The U.S. Department of Health & Human Services recently announced the settlement by the Office for Civil Rights (OCR) of allegations of HIPAA violations against Cadia Healthcare Facilities relating to posting a patient’s name, photograph and information about the patient’s conditions, treatment, and recovery in the form of a “success story” on Cadia Healthcare Facilities’ website. OCR concluded the posting was made without obtaining a valid, HIPAA-compliant authorization from the patient and, in addition, that Cadia Healthcare Facilities disclosed the protected health information (PHI) of 150 patients to its websites through its “success story” program without patient authorization. OCR determined that Cadia Healthcare Facilities:

• Impermissibly disclosed PHI,
• Failed to have appropriate administrative, technical and physical safeguards in place to protect the privacy of PHI, and
• Failed to provide breach notification to the affected individuals.

Under the terms of a resolution agreement entered into between Cadia Healthcare Facilities and OCR, the provider agreed to pay a civil penalty of $182,000 and to implement a corrective action plan that will be monitored by the OCR for two years.

The resolution demonstrates that a single incident may result in multiple findings of non-compliance and burdensome penalties. Healthcare providers must be mindful of the use of patient information on websites, social media, and other publications, including “success stories” and testimonials. Providers must obtain a HIPAA-compliant authorization from each patient before using that patient’s information in this way. Such authorizations must be clearly written and be specific about the PHI to be disclosed and the specific uses of such PHI. Simply obtaining oral consent or using a general consent form that does not contain all elements required under HIPAA is not enough.

If you need assistance with your HIPAA compliance program, an OCR investigation, or a data breach incident, please contact:
Lani M. Dornfeld, CHPC | 973.403.3136 | ldornfeld@bracheichler.com

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.
