HIPAA Pitfalls in “Success Story” Marketing: What Every Health Care Provider Needs To Fix Now


By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA
A Health Care Provider Defense and Compliance Firm

A recent enforcement action out of Delaware should be a wake-up call for every health care provider that uses patient testimonials, recovery stories, case examples, or marketing materials that even hint at someone’s health status. Five Cadia Healthcare nursing homes agreed to pay $182,000 after the Office for Civil Rights concluded that they published patient success stories online without obtaining valid HIPAA authorizations. OCR’s investigation uncovered disclosures involving 150 patients across multiple websites. The fine was not for bad outcomes, privacy breaches by hackers, or sloppy cybersecurity. It was for marketing.

Providers want to show the public that people get better, that their services work, and that families can trust them. But the moment a provider publishes a patient’s name, photo, diagnosis, condition, or recovery information, the organization triggers one of the most unforgiving areas of HIPAA compliance: marketing disclosures that require a very specific, stand-alone written authorization. This is where many organizations, not just nursing homes, are vulnerable. Behavioral health programs, addiction treatment centers, hospitals, private practices, and home health agencies routinely highlight patient journeys without realizing that a general consent for treatment does not satisfy HIPAA’s marketing authorization requirement.

OCR’s message is clear. If you want to publish any content that identifies a patient or allows their identity to be reasonably inferred, you need a valid HIPAA authorization that specifically permits that disclosure for marketing. “Valid” means it includes all required elements, is signed and dated, is not bundled into other forms, is not a condition of treatment, and clearly describes the intended use.

This incident should prompt every provider to take a hard look at how marketing, admissions, clinical staff, and administrative teams handle testimonials and patient-facing content. Many programs assume that verbal consent is enough. It isn’t. Others assume that de-identifying a story is safe. It often isn’t. If a patient can be recognized by context, photos, or unique circumstances, HIPAA considers that PHI. And in the era of digital marketing, social media campaigns, and website content, it’s easy for an organization to inadvertently expose PHI in ways it never anticipated.

If you haven’t reviewed your testimonial and marketing workflow in a while, now is the time. Designate an internal owner for HIPAA-compliant marketing. Audit your website and social media for any content that might contain identifying information. Confirm that all posted stories have corresponding HIPAA marketing authorizations and that your forms contain every required element. Train staff on when a stand-alone authorization is required and when a story must be scrubbed, rewritten, or withheld entirely. And don’t forget about vendors. Website designers, marketing agencies, and public-relations firms must understand your HIPAA obligations too.

If you have any questions or comments about the subject of this blog, please contact Parrella Health Law at 857.328.0382 or Chris directly at cparrella@parrellahealthlaw.com.
