When HIPAA Compliance is an Afterthought

A recent investigation and settlement from the HHS Office for Civil Rights (“OCR”) underscores the critical importance of having a truly effective HIPAA Compliance Program—one that is not merely superficial but deeply embedded in an organization’s operations and culture. Is HIPAA Compliance an afterthought?

The organization under fire is a sizable health care provider that specializes in rehab, skilled nursing, and long-term care services and promotes its state-of-the-art technologies and collaborative approach to treatment. The investigation is the result of a patient complaint filed with the OCR alleging the organization posted their name, their picture and other PHI as detailed as their diagnosis, treatment, and recovery to their public website without obtaining the patient’s authorization. These posts were part of a not uncommon broader marketing strategy aimed at showcasing treatment success stories.

OCR’s investigation confirmed the allegations. The HIPAA Privacy Rules have been clear for 25 years that disclosure of a patient’s PHI, and particularly for marketing purposes, can only be made with the patient’s specific written permission, i.e., a valid Authorization.

Upon confirmation of the prohibited post, the organization removed it. Good. What is troubling is that further investigation revealed another 150 previous posts containing similar unauthorized disclosures. Even more concerning was the organization’s failure to recognize that these incidents constituted 150 reportable breaches under HIPAA’s Breach Notification Rule, which mandates timely notification to affected individuals.

This case illustrates what happens when compliance is an afterthought, and the consequences of compliance being a checkbox exercise rather than a strategic imperative. Although the organization claimed to have policies, procedures, and employee training in place, these measures were either inadequate or not properly enforced. The lack of meaningful engagement with compliance principles led to systemic failures.

Leadership Accountability and Strategic Oversight

Effective compliance requires active oversight from senior leadership and the Privacy Officer. Internal controls must be robust and consistently applied across all levels of the organization. The scale and duration of these breaches suggest that multiple leaders were aware—or should have been aware—of the violations, yet failed to act.

Consequences of Non-Compliance

The fallout from this case is significant:

  • Federal investigation requiring substantial time and resources
  • Monetary settlement of nearly $200,000
  • Reputational harm, including national media coverage
  • Two years of OCR monitoring under a rigorous Corrective Action Plan (CAP), which includes:
    • Revising and redistributing HIPAA policies and procedures to all employees
    • Implementing a comprehensive employee re-education program requiring signed attestations
    • Compiling and submitting extensive documentation to OCR
    • Promptly issuing the mandatory breach notifications, and substitute notices, under OCR supervision
    • Monitoring and reporting all violations of HIPAA policies and procedures, along with detailed descriptions and mitigation efforts, directly to the OCR
    • Preparing a laborious Implementation Report, and an Annual Report, with executive attestations confirming all CAP requirements have been met
    • Meeting each of the requirements of the CAP under very tight deadlines continually monitored by the OCR

These requirements demand significant organizational resources—resources that could have been better utilized for patient care or strategic growth.

A Strategic Response

HIPAA compliance is not optional, nor should it be reactive. It requires proactive planning, continuous education, and vigilant internal enforcement. If your organization has not taken a proactive approach to HIPAA compliance – or if you’re unsure whether your current program is truly effective – we are here to support you in your efforts. Contact us at www.wildconsultinginc.net. The cost of inaction is too high.

📄 Read the full OCR press release
https://www.hhs.gov/press-room/ocr-settles-hipaa-with-cadia-healthcare-facilities.html