Friday, April 24

Wilmington, DE — A chain of five Delaware skilled nursing facilities will pay $182,000 to settle federal allegations that it shared residents’ protected health information on its website and social media without proper authorization, according to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

Federal officials said the posts — framed as “success stories” highlighting individual recoveries — included names, photos, diagnoses, and therapy details that identified residents without valid written consent. The disclosures, which appeared between 2022 and 2024 across the facilities’ website and Facebook and Instagram pages, drew multiple complaints and triggered an OCR investigation in late 2023.

What OCR Found

Investigators determined the facilities’ marketing team pulled details from health records to produce promotional content intended to boost online visibility and admissions. In several instances, posts featuring residents’ rehabilitation milestones reached thousands of users before being removed, OCR said.

While the case did not result in criminal charges, OCR found repeated, impermissible disclosures under the HIPAA Privacy Rule. The agency noted the violations were not malicious but reflected systemic gaps in privacy safeguards — particularly around digital marketing, where compliance can be easily overlooked.

Corrective Action Plan

Alongside the monetary settlement, the chain agreed to a two-year corrective action plan. It requires:

  • Mandatory HIPAA training for all staff, with specific guidance on social media and marketing
  • Revised policies prohibiting the use of protected health information in any promotional materials without explicit written authorization
  • Annual audits of digital content and marketing workflows
  • Appointment of a privacy officer to oversee compliance and report incidents to OCR within required timeframes

The facilities removed resident-specific posts and said they are updating procedures to prevent future violations. The operator did not admit wrongdoing as part of the settlement, a common feature of OCR resolutions that aim to avoid protracted litigation.

Why It Matters for SNFs

The case underscores a growing tension for skilled nursing providers: promoting services online while protecting patient privacy. Industry surveys indicate that roughly 70% of facilities now use social media for outreach. At the same time, OCR has stepped up enforcement around technology-enabled privacy lapses, citing a sharp rise in complaints linked to digital practices.

Regulators and compliance experts say the message is clear: even well-intentioned “success stories” require a valid HIPAA authorization if they include identifiable details. De-identifying posts — or shifting to general program descriptions without personal data — reduces risk, but facilities must be consistent and disciplined about approvals and review processes.

Broader Enforcement Trend

The Delaware settlement follows a series of recent actions targeting privacy violations tied to social media and marketing. OCR officials have warned that such cases will remain a priority amid expanding digital outreach across healthcare.

For operators, the costs extend beyond fines. Compliance work — training, audits, and content reviews — requires time and investment, and some facilities may scale back resident-focused posts entirely. Still, advocates say clear policies and routine checks can allow facilities to maintain an online presence without risking residents’ confidentiality.

OCR will monitor the Delaware chain’s corrective plan through 2027. In the meantime, attorneys and compliance consultants are urging providers to review their social media practices, refresh HIPAA training, and ensure authorizations are both valid and properly documented before any resident story goes public.
