Social media is one of the most powerful tools available to healthcare organizations today, but it’s also one of the riskiest. A recent HIPAA settlement involving Cadia Healthcare is a vivid reminder of what can go wrong when patient information is shared online without proper authorization.
Even well-intentioned content can lead to violations. But beneath every social media breach lies something deeper: a breakdown in a healthcare organization’s Security Risk Analysis (SRA).
In this post, we’ll explore how online posting intersects with HIPAA compliance—and why conducting a thorough, ongoing Security Risk Analysis is your best defense.
Earlier this year, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced a $182,000 settlement with Cadia Healthcare Facilities.
The reason? Cadia had posted patient “success stories” on its website and affiliated social media pages, sharing names, photos, diagnoses, and treatment outcomes—all without proper written HIPAA authorizations.
OCR determined that the posts represented impermissible disclosures of protected health information (PHI), impacting around 150 individuals.
Beyond the fine, Cadia was required to implement a two-year corrective action plan that included updated policies, marketing oversight, and HIPAA training for all employees involved in public communications.
The case wasn’t about malicious intent. It was about a gap—a lack of oversight and internal controls that allowed a privacy failure to go unnoticed. That gap, at its core, was a missing piece of a proper Security Risk Analysis.
When most people think about a Security Risk Analysis, they picture firewalls, encryption, and access controls. Those are crucial—but HIPAA’s Security Rule requires something broader:
“An accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information.”
— 45 CFR §164.308(a)(1)(ii)(A)
That means your SRA isn’t just an IT exercise—it’s a holistic assessment of where risk lives in your organization.
If your marketing, communications, or public relations teams have access to patient information or create content related to patient care, they’re part of your HIPAA environment. Their tools, workflows, and decision-making processes should be included in your Security Risk Analysis.
When you connect those dots, it becomes clear: the same discipline that protects your servers and EHRs should also govern your social media.
An effective SRA does more than meet a regulation—it prevents reputational and financial damage. It helps your organization:
Identify risks before they become violations.
A structured SRA asks: Who controls your public content? What review processes exist before posting? Are staff trained on PHI boundaries?
Assess vulnerabilities in real workflows.
Beyond network security, it’s about understanding where people or processes could inadvertently expose PHI—like in a testimonial or “behind-the-scenes” photo.
Document compliance efforts.
If a breach occurs, OCR will ask to see your most recent Security Risk Analysis. A well-documented, updated assessment demonstrates good faith and can reduce penalties.
Assign accountability.
The SRA process identifies owners for remediation tasks. Every risk—technical or procedural—should have someone responsible for addressing it.
In short, a robust Security Risk Analysis transforms compliance from a reaction to a strategy.
While the SRA is the backbone, proactive policies and training keep your team protected day-to-day. Here are practical steps every healthcare organization should take:
Obtain written HIPAA authorizations before sharing any patient stories, photos, or identifiable information. Verbal consent is not enough.
Review every piece of content—photos, videos, captions, even hashtags—for unintended PHI before publishing.
Establish a two-person review rule for all public-facing posts related to patient care or clinical settings.
Train all staff, not just marketing, on the risks of sharing patient information online.
Document and audit all authorizations and related posts regularly.
Respond quickly if an inappropriate post is discovered. Remove it immediately, document the incident, and include it in your next SRA update.
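The steps above describe a pre-publication control: a written authorization on file that covers what the post reveals, a two-person review, a check for identifiers that slipped into the copy, and an auditable record of each decision. The following is an added illustration of such a gate, not code from the original post or from Medcurity; the authorization register, the draft posts, the identifier patterns and the element names (name, photo, diagnosis, treatment_outcome) are all constructed assumptions for the example.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample types: a hypothetical authorization register entry and a draft post.
@dataclass(frozen=True)
class Authorization:
    patient_id: str
    written: bool                  # verbal consent does not count
    signed_on: date
    expires_on: date
    permitted: FrozenSet[str]      # elements the patient agreed to release

@dataclass
class DraftPost:
    post_id: str
    text: str
    patient_id: Optional[str]      # None when the author declares no patient is referenced
    disclosed: FrozenSet[str]      # elements the post reveals, as declared by the author
    approvers: Tuple[str, ...]     # staff ids who signed off on this revision

# Heuristic patterns for identifiers that commonly slip into captions.
# Constructed for this example; they supplement human review, not replace it.
IDENTIFIER_PATTERNS = {
    "date": re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b"),
    "mrn": re.compile(r"\bMRN[:#]?\s*\d{4,}\b", re.IGNORECASE),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
}

def scan_identifiers(text: str) -> List[str]:
    """Return the names of identifier patterns found in the draft text."""
    return sorted(name for name, pat in IDENTIFIER_PATTERNS.items() if pat.search(text))

def evaluate(post: DraftPost, register: Dict[str, Authorization], today: date) -> dict:
    """Apply the publication rules and return an audit record with any blockers."""
    blockers: List[str] = []
    found = scan_identifiers(post.text)

    if post.patient_id is None:
        # A post claiming to be patient-free must not contain identifier patterns.
        if found:
            blockers.append(f"post declared patient-free but contains identifier patterns: {found}")
    else:
        auth = register.get(post.patient_id)
        if auth is None or not auth.written:
            blockers.append("no written HIPAA authorization on file")
        else:
            if not (auth.signed_on <= today <= auth.expires_on):
                blockers.append("authorization expired or not yet effective")
            missing = post.disclosed - auth.permitted
            if missing:
                blockers.append(f"disclosed elements not covered by authorization: {sorted(missing)}")

    # Two-person review: at least two distinct approvers on this revision.
    if len(set(post.approvers)) < 2:
        blockers.append("two-person review rule not satisfied")

    # The returned record is what an auditor would expect to see per post.
    return {
        "post_id": post.post_id,
        "reviewed_on": today.isoformat(),
        "approvers": list(post.approvers),
        "identifier_flags": found,
        "blockers": blockers,
        "publish": not blockers,
    }

def run_samples() -> Dict[str, dict]:
    """Evaluate constructed drafts against a constructed register; returns records by post id."""
    register = {
        "P-001": Authorization("P-001", True, date(2025, 1, 15), date(2026, 1, 15),
                               frozenset({"name", "photo", "treatment_outcome"})),
        "P-002": Authorization("P-002", False, date(2025, 3, 1), date(2026, 3, 1),
                               frozenset({"name"})),   # verbal only
    }
    drafts = [
        DraftPost("post-1", "Thanks to Jane for sharing her recovery story!", "P-001",
                  frozenset({"name", "photo", "treatment_outcome"}), ("marketing.a", "privacy.b")),
        DraftPost("post-2", "Jane beat her diagnosis this spring.", "P-001",
                  frozenset({"name", "photo", "diagnosis"}), ("marketing.a", "marketing.a")),
        DraftPost("post-3", "Meet Tom, our newest success story.", "P-002",
                  frozenset({"name"}), ("marketing.a", "privacy.b")),
        DraftPost("post-4", "Great progress today for MRN: 448210 after surgery.", None,
                  frozenset(), ("marketing.a", "privacy.b")),
    ]
    today = date(2025, 6, 1)
    return {d.post_id: evaluate(d, register, today) for d in drafts}

if __name__ == "__main__":
    for post_id, record in run_samples().items():
        print(post_id, "PUBLISH" if record["publish"] else "BLOCKED", record["blockers"])
```

Only the first draft clears the gate; the others are held back for an uncovered element and a single reviewer, a verbal-only authorization, and an identifier in a post that claimed to reference no patient. Keeping the returned record for every evaluation, including approvals, is what makes the authorization and review history auditable later.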
The Cadia case underscores several important lessons:
Every department is part of your compliance program. If marketing or communications isn’t included in your SRA, that’s a blind spot.
Intent doesn’t erase liability. Even “positive” posts can constitute HIPAA violations without proper authorization.
Training must extend beyond clinical teams. Every employee who handles or discusses patient information—online or offline—needs HIPAA training.
Breach notification obligations still apply. Once unauthorized PHI is posted, even briefly, it may trigger formal notification requirements under the Breach Notification Rule.
The Security Risk Analysis isn’t just an annual task—it’s the engine of your HIPAA compliance program.
It helps you anticipate risk, strengthen your policies, and ensure that every corner of your organization—from IT to marketing—understands its role in protecting patient privacy.
In 2025, that means looking beyond the data center and into every channel where PHI could appear—including social media.
Because protecting patient information doesn’t just happen behind firewalls—it happens every time someone presses “post.”
Medcurity helps healthcare organizations simplify HIPAA compliance through guided Security Risk Analyses, workforce training, and policy management tools. Our platform turns compliance from a burden into a clear, actionable process—helping you protect both your patients and your peace of mind.