The HHS’ Office for Civil Rights (OCR) reached a $182,000 settlement with five Delaware healthcare companies to resolve alleged violations of the HIPAA Privacy Rule and the HIPAA Breach Notification Rule. The settlement concerns the publishing of patients’ protected health information (PHI) on social media without first obtaining HIPAA-compliant authorization for a use of PHI not specifically permitted by the HIPAA Privacy Rule, and the subsequent failure to notify the patients of the impermissible use and disclosure.
Cadia Healthcare provides skilled nursing, rehabilitation, and long-term care services at five facilities in Delaware. The five facilities are collectively known as the Cadia Healthcare Facilities (Cadia):
- Cadia Rehabilitation Capital in Dover
- Cadia Rehabilitation Broadmeadow in Middletown
- Cadia Rehabilitation Silverside in Wilmington
- Cadia Rehabilitation Renaissance in Millsboro
- Cadia Rehabilitation Pike Creek
Each Cadia facility is a HIPAA-regulated entity that must comply with the HIPAA Rules. OCR investigated Cadia after a complaint was filed on September 20, 2021, regarding an alleged impermissible disclosure of PHI on the internet. The complainant stated that Cadia had posted their photo, name, and information about their illness, treatment, and recovery online without obtaining their consent to disclose the information for that purpose.
OCR’s investigation confirmed the claims and found that a Cadia staff member had published the patient’s PHI on Cadia’s social media account to feature the patient’s story without a signed authorization from the patient. HIPAA does not permit PHI to be posted online on web pages or social media sites unless HIPAA-compliant authorization has been obtained from the patient in advance.
OCR informed Cadia of the allegations and the results of the investigation. Cadia deleted the post and notified the patient concerned. OCR also identified other patients who had been featured in a series of success stories. As of February 22, 2022, Cadia had published 150 patients’ success stories containing their PHI without obtaining valid HIPAA authorization. According to OCR, Cadia stopped the success story project in March 2022; however, it did not send notifications to the affected individuals, as required by the HIPAA Breach Notification Rule.
In April 2025, OCR signed an agreement with Cadia to settle the alleged HIPAA violations, which involved two Privacy Rule provisions and one Breach Notification Rule provision:
- The impermissible use or disclosure of PHI – 45 C.F.R. § 164.502(a)
- The failure to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and reasonably protect PHI from any intentional or unintentional use or disclosure – 45 C.F.R. § 164.530(c)
- The failure to provide timely breach notifications – 45 C.F.R. § 164.404(a)
In addition to paying the financial penalty, Cadia must follow a corrective action plan (CAP), which will be monitored for 2 years. Under the corrective action plan, Cadia must review and revise its policies and procedures as needed to comply with HIPAA, distribute the policies and procedures to its workforce, and provide HIPAA training. Cadia must also send breach notifications regarding the impermissible disclosures of PHI related to the success story project.
Cadia has already issued the notifications, including a notice displayed on its websites, about the privacy violations. Cadia has implemented policies and procedures requiring patients to sign an authorization before their information is used in its success story project. Because Cadia deleted all published success stories in 2022, not all individuals involved in the success story project could be identified. Consequently, Cadia notified all persons who might have taken part without a valid authorization form.
This is OCR’s 20th HIPAA penalty issued to resolve HIPAA Rules violations in 2025. To date, OCR has received over $8.2 million in civil monetary penalties and settlements.