OCR Enforcement
Your 'Success Story' Program Just Cost This Rehab Facility $182,000: The Cadia Healthcare HIPAA Settlement
TL;DR
Five Delaware rehabilitation and skilled nursing facilities collectively known as Cadia Healthcare Facilities settled with OCR on September 30, 2025 for $182,000 after posting patient protected health information as 'success stories' on their public website and social media without obtaining valid written HIPAA authorizations. OCR found 150 patients were affected, determined violations of both the Privacy Rule and Breach Notification Rule, and imposed a two-year corrective action plan requiring policy updates, workforce training for marketing staff, and individual notification to every affected patient.
Cadia Healthcare posted patient names, photos, and treatment details as 'success stories' on their public website without HIPAA authorization. OCR's investigation found 150 patients affected and fined the facility group $182,000. Here is what every healthcare marketing team needs to know.
Healthcare marketing teams often operate with a blind spot. They understand advertising regulations, FTC disclosure requirements, and brand guidelines. What they frequently do not understand is that the moment a patient's name, photograph, or medical details appear in a success story, testimonial, or case study — even a flattering one — HIPAA applies.
The Cadia Healthcare Facilities settlement makes that blind spot expensive.
What happened
Cadia Healthcare Facilities are rehabilitation, skilled nursing, and long-term care services providers operating five facilities in Delaware. Between 2021 and 2025, Cadia operated a "success story" marketing program — a common healthcare marketing tactic where providers share patient recovery journeys to demonstrate the quality of their care.
The program worked like this: staff would identify patients with positive outcomes, document their stories, and post them to Cadia's public-facing website and social media accounts. The posts included patient names, photographs, and details about the patients' medical conditions, treatments, and recoveries.
What Cadia did not do was obtain valid, written HIPAA authorizations from those patients before posting their information.
OCR initiated an investigation after receiving a complaint in September 2021 alleging that Cadia had impermissibly disclosed a patient's PHI online. The investigation confirmed that Cadia published the patient's PHI without a valid, written HIPAA authorization and had similarly disclosed the PHI of approximately 150 patients through other "success story" posts.
45 CFR §164.508(a)(1)
The two violations OCR found
OCR determined that Cadia committed two distinct HIPAA violations, which is a pattern worth understanding because both are common failures in healthcare marketing contexts.
Violation 1: Impermissible disclosure of PHI
The HIPAA Privacy Rule requires a valid, written authorization before a covered entity can use or disclose PHI for marketing purposes. OCR Director Paula M. Stannard stated: "The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure. Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual's PHI in a website testimonial or through a social media campaign."
A patient's consent to treatment does not authorize use of their information in marketing. A verbal agreement to be featured in a success story does not meet HIPAA's written authorization requirement. The authorization must specifically describe what PHI will be used, the purpose of the disclosure, who will receive it, and include an expiration date or event. Without all of these elements, the authorization is not valid under HIPAA.
Violation 2: Failure to provide breach notification
Cadia shut down the success story program in March 2022, but failed to issue notifications to the affected individuals, as required by the HIPAA Breach Notification Rule.
This is a critical lesson. When a covered entity discovers it has impermissibly disclosed PHI — even in the context of a well-intentioned marketing program — the disclosure may constitute a breach triggering notification obligations. Shutting down the program that caused the violation does not satisfy those obligations. Every patient whose PHI was impermissibly disclosed must be notified.
45 CFR §164.402
The settlement terms
OCR determined that Cadia Healthcare Facilities impermissibly disclosed PHI, failed to have appropriate administrative, technical, and physical safeguards in place to protect the privacy of PHI, and failed to provide breach notification to the affected individuals. Under the terms of the resolution agreement, Cadia Healthcare Facilities agreed to implement a corrective action plan that will be monitored by OCR for two years and paid $182,000 to OCR.
The corrective action plan requires Cadia to:
- Review and update HIPAA Privacy Rule policies and procedures — including specific policies governing marketing activities, social media use, and the collection of patient authorizations before any PHI is used in public-facing content.
- Provide workforce training to all staff, including marketing staff — this provision is significant. Most HIPAA training programs focus on clinical and administrative staff who directly handle patient records. The Cadia settlement explicitly names marketing staff as a required training audience, reflecting OCR's recognition that marketing activities are a growing source of PHI exposure.
- Notify all affected individuals — every patient whose PHI was posted without authorization must be individually notified of the breach, regardless of how long ago the disclosure occurred or whether the content has since been removed.
Why this case matters beyond rehabilitation facilities
The Cadia settlement is frequently discussed as a rehab and skilled nursing facility case, which is accurate but incomplete. The underlying violation — using patient PHI in marketing materials without a valid written authorization — is a risk that exists across virtually every type of healthcare organization.
Medical practices that feature patient testimonials on their websites. Hospitals that post patient recovery stories on Instagram. Behavioral health providers that share treatment success narratives in newsletters. Dental practices that post before-and-after photos with patient names. All of these activities involve PHI, all of them require HIPAA-compliant written authorizations, and all of them could generate an OCR complaint.
The fact that the content is positive and the patients may have initially agreed to participate verbally does not satisfy HIPAA's requirements. The regulation requires a specific written document obtained before the disclosure. The burden is on the covered entity to have that documentation in place before any PHI appears in any public-facing medium.
What healthcare marketing teams must do now
The Cadia settlement is a clear signal to every healthcare organization's marketing function. Here is the immediate checklist:
- Audit all existing public-facing content. Review your website, social media accounts, newsletters, brochures, and any other public materials for content that includes patient names, photographs, or medical details. For each item, confirm that a valid HIPAA authorization is on file.
- Remove content without valid authorization immediately. If you cannot locate a signed, HIPAA-compliant authorization for content that includes patient PHI, remove it from all platforms now. The longer it remains publicly accessible, the longer the disclosure is ongoing.
- Treat identified exposures as potential breaches. For each patient whose PHI was disclosed without a valid authorization, conduct a breach risk assessment under 45 CFR §164.402. If the assessment indicates breach notification is required, provide that notification to affected individuals.
- Create a HIPAA authorization workflow for marketing. Before any patient story, testimonial, photo, or medical detail is used in any marketing context, a valid written authorization must be collected, reviewed by someone with HIPAA training, and filed. This workflow must apply to digital content, print materials, social media, and any other medium.
- Train your marketing team. HIPAA training for marketing staff is no longer optional — the Cadia corrective action plan makes clear that OCR expects it. That training should cover what constitutes PHI, what a valid HIPAA authorization requires, what content cannot be published without authorization, and what to do when past content is discovered to lack proper authorization.
Warning
A patient agreeing verbally to be featured in a success story does not satisfy HIPAA's written authorization requirement. A valid HIPAA authorization must be in writing, must specifically describe the PHI to be disclosed and the marketing purpose, must include an expiration date or event, and must be signed by the patient before any disclosure occurs. General treatment consents do not satisfy this requirement.
The Cadia Healthcare settlement is a $182,000 reminder that HIPAA applies to marketing as much as it applies to medical records. Patient success stories, testimonials, and social media posts that include names, photos, or medical details require valid written HIPAA authorizations obtained before publication. Organizations that have already published such content without authorization face both ongoing disclosure violations and potential breach notification obligations. The corrective action plan's explicit requirement to train marketing staff signals that OCR views marketing teams as a compliance responsibility, not a compliance exception.
Sources & citations
- HHS OCR — Cadia Healthcare Facilities Settlement
- 45 CFR §164.508 — Uses and Disclosures for Which an Authorization Is Required
- 45 CFR §164.402 — Breach Notification Rule
All content verified against official HHS guidance and the Code of Federal Regulations.
Frequently asked questions
- Can a healthcare provider post patient success stories on their website?
- What PHI did Cadia post without authorization?
- What is the Breach Notification Rule violation in this case?
- Does HIPAA apply to a healthcare provider's social media accounts?
- What should a healthcare organization do if it has already posted patient success stories without authorization?
Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.