Cadia Healthcare OCR Settlement

In September 2025, the U.S. Department of Health and Human Services (HHS), via its Office for Civil Rights (OCR), announced a settlement with Cadia Healthcare Facilities for violations of the HIPAA Privacy and Breach Notification Rules. The case underscores how even seemingly benign marketing efforts — such as patient “success stories” — can run squarely into privacy law if handled carelessly.

What Happened at Cadia

Cadia, a group of rehabilitation, skilled nursing, and long-term care providers in Delaware, operated a “success story” marketing program. Under that program, they published patient names, photographs, and medical details (treatment, condition, recovery) on their public-facing websites without obtaining valid, written HIPAA authorizations. (HHS.gov)

OCR’s investigation revealed:

  • 150 patients had their protected health information (PHI) disclosed via such marketing materials without authorization. 
  • Cadia lacked sufficient administrative, physical, and technical safeguards to prevent or limit unauthorized disclosures. 
  • They failed to issue breach notifications to the affected individuals. 

To resolve the matter, Cadia agreed to:

  1. Pay $182,000 to OCR. 
  2. Undergo a corrective action plan over two years, under OCR monitoring. 
  3. Revise and maintain HIPAA-compliant policies and procedures, especially around marketing and disclosures. 
  4. Train all workforce members (including marketing staff) on HIPAA obligations. 
  5. Notify all individuals whose PHI was impermissibly disclosed that a breach occurred. 

OCR’s public statement emphasized a core point: using the internet or social media as a promotional tool is permissible — but only if the entity ensures that the HIPAA Privacy Rule actually allows the disclosure (often via a valid, written authorization). 

This settlement is a vivid reminder that even well-intentioned marketing can lead to regulatory exposure when it involves patient data.

Key Takeaways: What This Case Teaches Us

  1. No implied consent for marketing disclosures. Even if a patient is enthusiastic about their recovery, it is not enough to verbally agree or simply “opt in” via email; HIPAA requires a valid, written authorization that meets specific regulatory content and signature requirements. 
  2. The devil is in the details of safeguards. Publishing patient stories publicly calls for robust administrative, technical, and physical controls (e.g. vetting reviews, access controls, redaction processes, oversight). Lapses in these areas were a central finding in Cadia’s violation. 
  3. Marketing teams need HIPAA literacy. It’s not enough to tell clinical staff about HIPAA — marketing and communications departments must be deeply familiar with privacy rules, so they understand the difference between permissible patient outreach and prohibited disclosures. 
  4. Breach notification is nonnegotiable. Once an impermissible PHI disclosure occurs, the clock starts on required notifications (to the affected individuals, to HHS, and in some cases to the media). Missing that obligation is itself a violation. 
  5. OCR wants corrective action and oversight. Settlements often include multi-year monitoring, audits, and strict compliance milestones. Noncompliance with the corrective action plan (CAP) can lead to escalated enforcement.

Pro Tips for Preventing HIPAA Violations in Marketing and Beyond

Below is a practical “playbook” for healthcare, allied, or wellness organizations that want to promote success stories, testimonials, or patient narratives — without crossing the HIPAA lines.

1. Always obtain a valid written HIPAA authorization

What to Do: Use a comprehensive form with all required elements (description of PHI to be disclosed, who’s disclosing, to whom, purpose, expiration, revocation rights, signature, date).

Why It Matters: Without it, publishing any PHI is usually an impermissible disclosure.

2. Limit PHI shared to the minimum necessary

What to Do: Even in a testimonial, avoid unnecessarily revealing clinical detail, diagnosis codes, or other sensitive data beyond what is needed to tell the story.

Why It Matters: Limits the exposure if more data than intended slips through.

3. Redact or anonymize where possible

What to Do: Remove direct identifiers (e.g. names, photos) unless absolutely needed and authorized. Consider pseudonyms or aggregated narratives when patient identity is not essential.

Why It Matters: Helps mitigate impact if something is inadvertently disclosed.

4. Involve your privacy/compliance team early

What to Do: Before any marketing campaign, have legal or compliance review the draft content, website, and process flow.

Why It Matters: Prevents last-minute surprises or missteps.

5. Train marketing, communications & social media staff

What to Do: Ensure they understand what constitutes PHI, permissible disclosures, and the importance of obtaining and tracking authorizations.

Why It Matters: Cadia’s settlement cited failure to train marketing personnel. 

6. Implement role-based access and approval workflows

What to Do: Only authorized staff should edit or post patient-related content, with layered review (privacy office, legal, marketing).

Why It Matters: Reduces risk of unauthorized content being published.

7. Maintain robust policies and procedural safeguards

What to Do: Maintain up-to-date written policies on marketing, social media, and the use of testimonials, covering auditing, version control, and incident response.

Why It Matters: OCR often demands policy overhaul in settlements (as with Cadia). 

8. Monitor, audit, and document every step

What to Do: Maintain logs of approvals, changes, copies of authorizations, and audit trails of content changes.

Why It Matters: If a complaint or investigation arises, documentation is your defense.
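The three controls in tips 1, 6 and 8 (a written authorization with the required elements, a role-based approval workflow, and an audit trail) fit naturally into a single publish gate in front of the website or CMS. The sketch below is an added illustration written for this post; it is not code from Cadia, OCR, or any real compliance product, and the field names, approver roles, dates and sample records are assumptions chosen for the example. It also binds the authorization to a hash of the exact story text, which catches the repurposing problem in tip 10.

```python
"""Added example (hypothetical): a publish gate for patient success stories.
Models tip 1 (authorization elements), tip 6 (role-based approvals) and
tip 8 (append-only audit trail). All names and sample data are assumed."""
import hashlib
from dataclasses import dataclass, field
from datetime import date

# Elements of a valid written authorization, as listed in tip 1 (field names assumed).
REQUIRED_AUTH_FIELDS = (
    "phi_description", "disclosing_party", "recipient", "purpose",
    "expiration", "revocation_rights_noted", "signature", "signed_on",
)
# Every one of these roles must sign off before a story goes live (tip 6).
REQUIRED_APPROVER_ROLES = frozenset({"privacy_office", "legal", "marketing"})


def content_hash(text: str) -> str:
    """Fingerprint of the exact story text the patient authorized."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def validate_authorization(auth: dict, today: date) -> list[str]:
    """Return the problems found; an empty list means the authorization is usable."""
    problems = [f"missing {name}" for name in REQUIRED_AUTH_FIELDS if not auth.get(name)]
    if auth.get("revoked"):
        problems.append("authorization revoked")
    expiration = auth.get("expiration")
    if isinstance(expiration, date) and expiration < today:
        problems.append("authorization expired")
    return problems


@dataclass
class StoryDraft:
    story_id: str
    text: str
    authorization: dict
    approvals: dict = field(default_factory=dict)  # role -> approver name


class PublishGate:
    """Refuses to publish unless authorization, content binding and approvals all check out."""

    def __init__(self) -> None:
        self.audit_log: list[dict] = []  # append-only; every decision is recorded (tip 8)

    def _record(self, event: str, story_id: str, actor: str, detail: str = "") -> None:
        self.audit_log.append({"event": event, "story_id": story_id, "actor": actor, "detail": detail})

    def approve(self, draft: StoryDraft, role: str, actor: str) -> bool:
        if role not in REQUIRED_APPROVER_ROLES:
            self._record("approval_rejected", draft.story_id, actor, f"unknown role {role}")
            return False
        draft.approvals[role] = actor
        self._record("approved", draft.story_id, actor, role)
        return True

    def publish(self, draft: StoryDraft, actor: str, today: date) -> tuple[bool, list[str]]:
        problems = validate_authorization(draft.authorization, today)
        # The authorization covers specific content; edited or repurposed text needs a fresh one (tip 10).
        if draft.authorization.get("content_hash") != content_hash(draft.text):
            problems.append("content differs from what the patient authorized")
        missing = REQUIRED_APPROVER_ROLES - set(draft.approvals)
        if missing:
            problems.append("missing approvals: " + ", ".join(sorted(missing)))
        if problems:
            self._record("publish_blocked", draft.story_id, actor, "; ".join(problems))
            return False, problems
        self._record("published", draft.story_id, actor)
        return True, []


def _signed_authorization(text: str, **overrides) -> dict:
    """Constructed sample authorization covering `text`; overrides inject defects."""
    auth = {name: True for name in REQUIRED_AUTH_FIELDS}
    auth.update(expiration=date(2026, 1, 31), signed_on=date(2025, 9, 1),
                content_hash=content_hash(text))
    auth.update(overrides)
    return auth


def run_demo(today: date = date(2025, 10, 1)) -> dict:
    """Walk two constructed drafts through the gate and return the outcomes."""
    gate = PublishGate()
    story = "After eight weeks of therapy, one resident returned home walking unassisted."
    complete = StoryDraft("story-1", story, _signed_authorization(story))
    for role in ("privacy_office", "legal", "marketing"):
        gate.approve(complete, role, f"{role}-reviewer")
    ok_complete, _ = gate.publish(complete, "web-editor", today)

    # Same story, but the form was never signed and legal never reviewed it.
    unsigned = StoryDraft("story-2", story, _signed_authorization(story, signature=None))
    gate.approve(unsigned, "privacy_office", "privacy-reviewer")
    gate.approve(unsigned, "marketing", "marketing-reviewer")
    ok_unsigned, problems = gate.publish(unsigned, "web-editor", today)
    return {"complete_published": ok_complete, "unsigned_published": ok_unsigned,
            "unsigned_problems": problems, "audit_events": [e["event"] for e in gate.audit_log]}


if __name__ == "__main__":
    print(run_demo())
```

The point of the design is that the gate fails closed: a missing signature, an expired or revoked form, a change to the story after it was signed, or a missing reviewer role each blocks publication, and every block and approval lands in the audit log with the actor and reason, which is exactly the record tip 8 says you will want if a complaint or investigation arrives.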

9. Have a ready breach response plan

What to Do: In the event of a disclosure beyond what was authorized, act quickly: assess, contain, notify affected individuals and OCR as required, evaluate cause, and remediate.

Why It Matters: Late or missing breach notification was a violation in the Cadia case.

10. Re-evaluate consents periodically

What to Do: For ongoing relationships, confirm the validity of prior authorizations and seek fresh ones if repurposing content (e.g. for new campaigns).

Why It Matters: A prior authorization may not suffice for a new context or medium.

Final Thought

The Cadia settlement is a warning bell for every health or care provider that marketing can’t be an afterthought when patient data is involved. Public-facing success stories may feel like positive branding — and they can be — but they require the same diligence, policies, and risk mindset as medical record handling or data systems.
