HHS Settles With Delaware Rehab Center Over HIPAA Claims
A Delaware health care company violated HIPAA rules by publicly sharing patient data without consent, the Health and Human Services Office for Civil Rights announced in a settlement Tuesday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Cadia Healthcare Facilities, which provides rehabilitation services, shared a patient's name, photo and information about medical conditions, treatments and recovery in a “success story” series, OCR said in the announcement. The patient filed a complaint in 2021.
Cadia agreed to pay $182,000 and implement a corrective action plan that OCR will monitor for two years, the agency said.
OCR said that beyond the complaint its 2021 investigation determined that Cadia “disclosed the PHI of a total of 150 patients to its websites through its “success story” program without first obtaining valid, written HIPAA authorizations.”
The company didn’t comment.