Vital Sounds 2026, Quarter 1
Vital Sounds 2026, Quarter 1
Consent Before Content: Protecting Patient Privacy When Sharing Success Stories
February 5, 2026
Consent Before Content: Protecting Patient Privacy When Sharing Success Stories
February 5, 2026
By Yolanda Sims, JD, MHA
Loss Prevention and Risk Management Advisor
Storytelling is a powerful medium, especially when delivered in a format that resonates with many, such as a remarkable patient success story. In healthcare, these stories are often shared to celebrate progress and spread good news.
Before sharing any patient story, it's essential to ensure the patient has granted your organization clear, written consent to share their information. Consent is a safeguard that keeps outreach efforts responsible and aligned with HIPAA. Recently, a large rehabilitation and skilled nursing facility in Delaware learned this lesson the hard way.
A Real-World Reminder: The Cadia Enforcement Case
In September 2025, the U.S. Department of Health and Human Services (HHS), Office of Civil Rights (OCR), announced an enforcement action involving Cadia Healthcare. The action followed Cadia’s publication of patient “success stories” on its website that included names, photos, diagnoses, and treatment details without valid HIPAA authorizations.
OCR ultimately identified more than 150 patients whose protected health information had been disclosed improperly. As part of the resolution, Cadia agreed to a $182,000 settlement, a two-year corrective action plan, mandatory staff retraining, and updated policies.
In announcing the enforcement, OCR Director Paula M. Stannard emphasized, “The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure.” OCR has made clear that enforcement in this area will remain a priority as digital marketing and online outreach continue to expand across healthcare.
Although the intent behind the stories may have been positive, the lack of proper authorization ultimately resulted in costly HIPAA violations.
Protect Patient Privacy and Stay in Compliance
It's the Right Thing to Do
Beyond compliance, consent is simply the right thing to do. Patients deserve control over how their impactful experiences are shared. It’s also important for organizations to recognize that they benefit from stories that are accurate, dignified, and aligned with the patient’s wishes. When consent is handled well, storytelling becomes a partnership instead of a potential risk.
Practical Steps to Stay in Compliance
Now is the time to review workflow or deficiency gaps as opportunities to strengthen simple, preventable safeguards. To stay compliant and avoid similar pitfalls, organizations can lean on a few easy-to-implement practices:
- Use a standardized HIPAA-compliant authorization form for all stories
- Give patients the chance to review and edit their story
- For annual education, incorporate short, scenario-based privacy training specifically tailored to marketing and patient success stories
- Require a review and approval workflow before publishing any patient-related content
- Conduct periodic spot checks of websites and social media channels to ensure no unauthorized PHI has been posted
Conclusion
A strong consent process starts with a willingness to learn and refine how patient information is handled. It’s worth asking internally: What is your current process, and could it be revised to better protect patient privacy? Tighten your protocols and make consent non-negotiable so your organization never learns this lesson the hard way.
Reference
Lauren S. “Delaware Nursing Home Chain Fined $182K for Sharing Residents’ Stories on Social Media Without Consent.” Skilled Care Journal, 2025, https://skilledcarejournal.com/delaware-nursing-home-chain-fined-182k-for-sharing-residents-stories-on-social-media-without-consent/