Nursing Homes Fined $182K For Posting Patient Stories Without Consent
-
A group of five Delaware nursing homes got hit with a $182,000 fine for violating HIPAA.
-
Cadia Healthcare facilities pulled information from patients' medical records to share 'success' stories, but the patients did not consent.
-
The story is a good reminder to all nurses to keep all patient information—even 'good' stories—confidential.
A group of five Delaware nursing homes was hit with a hefty $182,000 penalty for violating HIPAA, a stark reminder of how serious the consequences of breaking patient confidentiality can be.
Like many healthcare organizations, the nursing homes owned by Cadia Healthcare often posted feel-good stories on their sites and social media pages. For instance, the organization explained that they "previously used success stories “as a means to encourage, motivate, and instill hope in” patients.
Join our newsletter for the latest nursing news and insights, and you could win a $50 gift card to Chipotle, Total Wine, or a coffee shop of your choice.
But when it was found that patient stories were posted online without explicit consent forms signed, the healthcare group landed in HIPAA hot water.
The Group Was Investigated by the Department of Health and Human Services
The investigation revealed that Cadia facilities disclosed protected information about 150 patients across its various websites, a revelation that led to the $182,000 fine.
It's not clear who reported the nursing homes, but an investigation was launched after it was discovered that the nursing homes included names, photos, diagnoses, and therapy details that identified residents without their consent. The violations took place between 2022 and 2024.
The marketing team that made the posts pulled health information directly from medical records to make their posts. For instance, rehabilitation milestones that the residents themselves may not have had access to were publicly shared and viewed by thousands of people.
Cadia Facilities did not receive criminal charges, but does have to pay the fine, along with a few more steps: institute new mandatory HIPAA training for all staff (including social media-specific guidelines), revise its policies on promotional material, go through annual audits, and hire a privacy officer to oversee compliance.
HIPAA Reminders to Keep in Mind
While the guilty party in this story was a healthcare organization owning nursing homes and not an individual nurse, the story can still serve as a reminder for nurses to always follow HIPAA regulations to prevent any knowledge about patients from being shared.
Here are a few tips to keep in mind about respecting HIPAA:
- Never share any patient details or images online or in public forums unless you have proper authorization—no matter how positive the story.
- Even if the patient is not directly named, any details that could identify someone (like photos, room numbers, or medical information) are protected under HIPAA.
- In addition to following HIPAA regulations, also be sure to follow your own facility's social media and privacy policies.
As a reminder, HIPAA violations can include something as simple as acknowledging a patient was treated at your facility or even identifying factors, such as if you take a picture with a patient's recognizable hat or coat in the background. This case serves as a word of caution for posting online about patients.
🤔Nurses, share your thoughts in the discussion forum below.
If you have a nursing news story that deserves to be heard, we want to amplify it to our massive community of millions of nurses! Get your story in front of Nurse.org Editors now - click here to fill out our quick submission form today!
