What Consumers Need to Know About HIPAA (and How to Protect Themselves) | Sixty and Me

A recent case illustrates why staying alert matters: a chain of five nursing homes in Delaware agreed to pay $182,000 in penalties after publicizing patient “success stories” on its website and social media – without proper authorization or safeguards. That violation offers a useful lesson: even “positive” disclosures of health information can trigger HIPAA (Health Insurance Portability and Accountability Act) trouble.

Below is a breakdown of key things consumers should understand about HIPAA, plus practical steps you can take to protect your health information.

HIPAA Basics – What It Covers (and What It Doesn’t)

  1. HIPAA applies to “covered entities” and their “business associates.” Covered entities are health care providers, health plans, and health care clearinghouses; business associates are the other organizations they contract with that handle protected health information (PHI) on their behalf.
  2. “Protected Health Information” (PHI) includes identifiers (name, address, birthdate, SSN, etc.) combined with health-related data – diagnoses, treatment, lab results, admission/discharge data, etc.
  3. HIPAA has two core dimensions: the Privacy Rule (governing how PHI may be used or disclosed) and the Security Rule (governing safeguards over electronic PHI).
  4. Importantly, HIPAA does not cover all health-adjacent data. For example, health or fitness apps not associated with a covered entity may not fall under HIPAA, though other privacy laws may apply.

What the Delaware Nursing Home Case Teaches Us

In the recent enforcement action, the nursing homes published patients’ stories on websites and social media platforms – effectively “advertising” health success stories. Because those disclosures involved PHI and were published, in some cases, without valid authorization or proper de-identification, they constituted a HIPAA violation.

The key takeaway is that even when disclosures are done with ostensibly good intent (e.g. showcasing recovery or quality of care), they must comply with HIPAA’s strict rules around patient consent, authorization, and safeguards.

This case also underscores that federal regulators are watching PHI disclosures in digital spaces like websites and social media, and noncompliance can incur significant penalties.

What Consumers Should Be Aware Of

Here are some practical things to keep in mind:

You Have Rights Under HIPAA

  • You can request access to your medical records.
  • You can ask for corrections to those records.
  • You can request an accounting of disclosures (who has seen or received your PHI).
  • You can restrict certain uses or disclosures (though a provider doesn’t always have to agree).

Always Review Authorization Requests Carefully

Providers or marketers might ask you to sign an “authorization to use your story/data.” Make sure you understand exactly what information is being shared, with whom, for what purpose, and for how long.

Look Out for Oversharing Online

Before posting about your health or treatment (or consenting to someone else doing so), ask whether any identifiers are being revealed. Even indirect details (dates, facility names, treatment specifics) can be combined to pin down your identity.

Ask About De-Identification

Sometimes, providers can share “de-identified data” instead of identifiable PHI. Under HIPAA rules, that means removing or masking certain identifiers so the data can’t be traced back to you.

Keep Track of Your Providers and Third Parties

If your doctor, clinic, or hospital works with vendors (billing companies, analytics, marketing firms, web developers), ask whether those vendors are “business associates” that have signed proper HIPAA business associate agreements obligating them to protect your PHI.

Report Violations or Concerns

If you believe a provider disclosed your PHI improperly (e.g., on social media, a website, or through marketing), you can file a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).

What Consumers Can Do to Protect Themselves

Here’s a checklist of protective steps:

Limit What You Share

Even innocuous-seeming details (dates, partial names, facility locations) can contribute to re-identification. Share only what’s necessary.

Ask Questions

When a provider or marketer wants to publicize a “patient story,” ask:

“Which parts of my record are you using? Will you remove my name/identifiers? Who will see it? Can I approve the final version before publishing?”

Review and Retract Authorizations

If you once signed a broad consent or release and later change your mind, request in writing that the provider stop further disclosures (if possible).

Get Everything in Writing

If a provider claims they’ll “protect your privacy,” get that in a contract or authorization form that describes exactly how disclosures will be handled.

Monitor Your Medical Records and Disclosures

Use your right to request an accounting of disclosures to see who has accessed or received your data.

Stay Educated

HIPAA rules and enforcement priorities evolve. Watch for notices from your providers or from HHS OCR about changes or breaches.

Use Secure Communication Methods

When possible, request encrypted email or a secure patient portal for communicating PHI; avoid unencrypted email, social media direct messages, and public forums.

Final Thought

HIPAA is not just about preventing negative disclosures (like leaks or hacking) – it also regulates how positive or promotional disclosures of health information are handled. The recent $182,000 nursing home settlement reminds us that even well-intended publicity must still comply with patients’ privacy rights and requires explicit, informed consent.

As a consumer, the more you understand your rights, question how and where your information is used, and monitor your own data, the better you can safeguard your health privacy.

Let’s Have a Conversation:

Have you been asked by doctors or clinics for consent to share your patient story? Did you pay attention to any documents you signed? How aware are you of your rights under HIPAA?