When a Post Becomes a Problem: Avoiding HIPAA Pitfalls in Skilled Nursing Facilities

The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced a settlement with a skilled nursing facility (SNF) organization after finding that it posted patient “success stories” online without valid HIPAA authorizations.

  • What happened: The SNF disclosed the names, photos, and health information of 150 patients in marketing materials.
  • The outcome: A patient complaint led to an OCR investigation, which resulted in a $182,000 settlement and a Resolution Agreement with a corrective action plan requiring policy updates, staff training, and ongoing oversight.

Expectation vs Regulation

For skilled nursing facilities, this case highlights a unique tension: they are both healthcare providers and residential communities.

Families look to their facilities not only for medical care, but also for reassurance that their loved ones are thriving in daily life. Sharing photos of bingo nights, therapy milestones, or holiday celebrations can be an important way to foster community and maintain connections. At the same time, HIPAA draws a hard line around when and how protected health information (PHI) can be used.

The Importance of Authorizations

The settlement underscores the importance of distinguishing the context in which a HIPAA authorization applies. We understand that many facilities ask residents to sign blanket HIPAA authorizations at admission covering disclosures for community engagement, such as Facebook and other social media platforms. However, general authorizations like this may not always be sufficient, particularly when a facility wants to publish a “success story” or marketing feature on its website or in promotional materials.

OCR’s announcement does not disclose whether the SNF had obtained admission authorizations that OCR later found defective, or whether no authorization was obtained at all. What we do know, however, is that OCR determined the disclosures were impermissible, suggesting that providers should not assume a general admission authorization is sufficient for marketing use.

Compliance Priorities

Residents and families understandably want to celebrate milestones and share experiences, and social media gives post-acute and long-term care providers the ability to reach those constituencies broadly. The key is structuring authorizations and policies that respect both the provider’s identity as a residential community and its obligations as a covered entity under HIPAA.

Facilities can reduce risk by:

  • Reviewing admission packets and separating routine disclosures from marketing permissions.
  • Using standalone authorizations for success stories, websites, and promotional content.
  • Training staff across departments on the limits of HIPAA authorizations.
  • Implementing review procedures before posting or publishing resident information.

Conclusion

Even well-intentioned posts can result in costly enforcement if compliance safeguards are overlooked. This case is a reminder that HIPAA applies just as much to success stories as to clinical records.

At ROLF, we work with skilled nursing and post-acute providers to develop HIPAA-compliant authorization forms, policies, and strategies that allow facilities to share resident life while protecting privacy. If your facility is reviewing its marketing or community engagement practices, our team can help you align them with regulatory standards.

For assistance with HIPAA compliance, please reach out to Jacqueline Anderson.