Famous HIPAA Violation Cases


Abstract

The OCR enforcement record on marketing-surface HIPAA violations is public and patterned. Identifiable testimonials published without per-testimonial authorization under 45 CFR 164.508. Before-and-after imagery published without imagery-specific consent. Incentivized review-solicitation that confirms the treatment relationship. The penalties and Corrective Action Plans that follow are documented at the HHS enforcement page and the HHS Breach Portal.

Enforcement surfaces addressed

45 CFR 164.508 (marketing authorization); 45 CFR 164.514 (de-identification standard); OCR enforcement and Resolution Agreements; HITECH Act Civil Money Penalty tiers.
Where the enforcement record lives

Resolution Agreements at HHS. Civil Money Penalties at HHS. Breach log at the Wall of Shame.

OCR publishes Resolution Agreements and Civil Money Penalties at the HHS enforcement page [1]. The HHS Breach Portal (commonly called the Wall of Shame) retains the public log of breaches affecting 500 or more individuals [2]. Both surfaces are searchable and citable; the OCR enforcement record is not a black box. Practices researching their exposure can read the prior agreements against their own marketing surface.

The cases that repeat in the marketing context cluster around three patterns. First, identifiable testimonials published on service pages without per-testimonial authorization under 45 CFR 164.508. The catch-all intake-form release language does not satisfy the 'specific and meaningful description' standard the regulation requires [4]. The intake release is convenient as the existing instrument; the OCR's enforcement record reads the conflation as a violation regardless.

Second, before-and-after imagery published without imagery-specific consent. Facial features are explicitly listed in the 18 Safe Harbor identifiers under 45 CFR 164.514 [5]. A facial photo of a patient is PHI per the regulation. Distinctive marks, unique anatomy, and identifiable clothing surface as identifying information even when the face is cropped. Plastic surgery and dermatology galleries are over-represented in the enforcement record because the workflow has historically relied on generic photo releases that do not satisfy the imagery-specific authorization standard.

Third, Google Reviews responses that confirm the treatment relationship. Responding to a patient review by referencing the patient's specific treatment ('We're glad your knee replacement went well') discloses PHI because the response confirms the treatment relationship. The standard non-regulated-business practice of personalized review response crosses HIPAA when the responding entity is a covered entity. The pattern is high-frequency and low-individual-volume; the aggregate exposure across the corpus of public responses adds up.

Civil Money Penalty mechanics

HITECH tiers. Per-violation caps. Corrective Action Plans.

The HITECH Act establishes Civil Money Penalty tiers based on the covered entity's culpability [3]. The tiers run from $100 per violation (unknowing) up to $50,000 per violation (willful neglect, uncorrected), with annual caps the HHS Secretary adjusts for inflation. The marketing-surface aggregate exposure depends on the per-patient count of violating disclosures: a testimonial gallery with 50 identifiable testimonials published without authorization can be read as 50 separate violations. The same arithmetic applies to imagery galleries and to per-patient Google Reviews responses.

Resolution Agreements typically settle below the maximum statutory exposure but include Corrective Action Plans that bind the practice's marketing surface for multi-year periods (commonly two to three years, occasionally longer). The Corrective Action Plan requires the practice to develop and implement HIPAA-compliant policies and procedures, train workforce members on the marketing-communication surface, monitor the ongoing surface, and report to OCR on the implementation. The aggregate operational cost of a multi-year Corrective Action Plan frequently exceeds the cash penalty.

Why the marketing surface keeps producing enforcement actions

The marketing surface uses the easiest existing consent instrument. The regulation requires a different one.

The structural reason the marketing-surface pattern repeats: practices use the intake-form release that the practice administrator already maintains as the consent record for marketing disclosures, because asking the patient to sign a second form during the appointment is operationally awkward. The intake release is the easiest existing instrument; the regulation requires a different one [6]. The architectural pattern that does not repeat the violation: a separate testimonial-specific authorization form executed at the time the practice solicits the testimonial, with the form describing the testimonial content, the publication surfaces, and the duration of use specifically. The two forms operate on different uses of patient information; one is intake, the other is marketing.

The same pattern holds for imagery and for Google Reviews. The imagery-specific authorization scopes to which photos, what surfaces they appear on, the duration of use, the patient's right to revoke. The Google Reviews workflow responds to feedback without confirming or denying the treatment relationship; the standard non-regulated-business response template is not portable into the regulated context.
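The scoping rule described above (specific content, named publication surfaces, a bounded duration, and revocation) can be enforced mechanically before anything is published. The following is an added example, not code from the page or from Praxis; the record layout, field names, and the catch-all phrase list are assumptions made for illustration.

```python
# Added example: check a proposed marketing disclosure against an
# authorization record scoped the way 45 CFR 164.508 requires.
# Record layout and the CATCH_ALL_PHRASES list are assumptions, not regulatory text.
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, List, Optional

# Constructed markers of a generic intake-form release rather than a specific description.
CATCH_ALL_PHRASES = ("marketing purposes", "any purpose", "all information")


@dataclass(frozen=True)
class Authorization:
    patient_id: str
    item_id: str               # the specific testimonial or photo set covered
    description: str           # the 'specific and meaningful description' of the content
    surfaces: FrozenSet[str]   # publication surfaces named in the form
    valid_from: date
    valid_until: date          # the duration of use must be bounded
    revoked_on: Optional[date] = None


def is_catch_all(description: str) -> bool:
    """True when the description reads like a generic release, not an item-specific one."""
    text = description.lower().strip()
    return not text or any(phrase in text for phrase in CATCH_ALL_PHRASES)


def check_disclosure(auth: Authorization, patient_id: str, item_id: str,
                     surface: str, on: str) -> List[str]:
    """Return every reason the disclosure is NOT covered; an empty list means it is covered."""
    when = date.fromisoformat(on)
    problems = []
    if auth.patient_id != patient_id:
        problems.append("authorization belongs to a different patient")
    if auth.item_id != item_id:
        problems.append("authorization covers a different item")
    if is_catch_all(auth.description):
        problems.append("content description is a catch-all, not item-specific")
    if surface not in auth.surfaces:
        problems.append(f"surface '{surface}' not named in the authorization")
    if not (auth.valid_from <= when <= auth.valid_until):
        problems.append("disclosure date outside the authorized duration")
    if auth.revoked_on is not None and when >= auth.revoked_on:
        problems.append("authorization revoked before the disclosure date")
    return problems


# Constructed records: the intake-style release and a testimonial-specific authorization.
INTAKE_RELEASE = Authorization("p-001", "testimonial-7", "use my information for marketing purposes",
                               frozenset({"service-page"}), date(2024, 1, 5), date(2026, 1, 5))
SPECIFIC_AUTH = Authorization("p-001", "testimonial-7",
                              "quoted testimonial on knee replacement recovery, first name only",
                              frozenset({"service-page", "google-reviews"}),
                              date(2024, 3, 1), date(2026, 3, 1))
```

Running `check_disclosure(INTAKE_RELEASE, "p-001", "testimonial-7", "service-page", "2024-06-01")` flags the catch-all description, while the same call against `SPECIFIC_AUTH` returns no problems.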

This hub anchors the HIPAA cluster across the medical SEO practice at Praxis. The spokes detail the per-surface workflows: testimonial authorization, imagery consent, case-study consent, the marketing-versus-treatment-communication distinction. The Tier 2 HIPAA-compliant medical marketing service ships the workflow itself.

References

  1. U.S. Department of Health and Human Services, Office for Civil Rights. OCR Resolution Agreements and Civil Money Penalties. HHS OCR. 2024. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/
  2. U.S. Department of Health and Human Services, Office for Civil Rights. HHS Breach Portal (Wall of Shame). HHS OCR. 2024. https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
  3. United States Congress. Health Information Technology for Economic and Clinical Health Act, Civil Money Penalty Structure. 42 U.S.C. § 1320d-5. 2009. https://www.govinfo.gov/content/pkg/USCODE-2018-title42/pdf/USCODE-2018-title42-chap7-subchapXI-partA-sec1320d-5.pdf
  4. U.S. Department of Health and Human Services, Office for Civil Rights. 45 CFR §164.508. Uses and disclosures for which an authorization is required. Code of Federal Regulations, HIPAA Privacy Rule. 2024. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508
  5. U.S. Department of Health and Human Services, Office for Civil Rights. 45 CFR §164.514. De-identification of protected health information. Code of Federal Regulations, HIPAA Privacy Rule. 2024. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.514
  6. U.S. Department of Health and Human Services, Office for Civil Rights. 45 CFR §164.501. Definitions (marketing). Code of Federal Regulations, HIPAA Privacy Rule. 2024. https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.501

Common questions

Questions practice administrators ask about the OCR enforcement record before mapping their own marketing surface against it.

01.

What does the OCR enforcement record actually look like in the marketing context?

The U.S. Department of Health and Human Services Office for Civil Rights publishes Resolution Agreements and Civil Money Penalties at the agency's enforcement page. The HHS Breach Portal (the 'Wall of Shame') retains the public log of breaches affecting 500 or more individuals. The marketing-surface patterns that repeat: identifiable testimonials published without per-testimonial authorization under 45 CFR 164.508, before-and-after imagery published without imagery-specific consent, and incentivized review-solicitation that confirms the treatment relationship.

02.

How much do penalties run for a marketing-surface violation?

The HITECH Act establishes Civil Money Penalty tiers based on the covered entity's culpability. The tiers run from $100 per violation (unknowing) up to $50,000 per violation (willful neglect, uncorrected), with annual caps that the HHS Secretary adjusts for inflation. The aggregate exposure on a marketing-surface violation depends on the per-patient count: a testimonial gallery with 50 identifiable testimonials published without authorization can be read as 50 separate violations. Resolution Agreements typically settle below the maximum statutory exposure but include Corrective Action Plans that bind the practice's marketing surface for years.

03.

What's the most common marketing-surface pattern OCR encounters?

Generic intake-form releases used as the consent record for identifiable testimonials. The intake-form release language ('I authorize the practice to use my information for marketing purposes') does not satisfy the 'specific and meaningful description' standard required by 45 CFR 164.508(c). The authorization has to name the specific testimonial content, the publication surfaces, and the duration of use. The pattern repeats because the intake-form release is the easiest existing instrument to point at when the marketing question comes up; the OCR's enforcement record reads the conflation as a violation regardless.

04.

Are before-and-after photos treated differently from text testimonials?

The authorization requirement applies to both, but the de-identification standard under 45 CFR 164.514 reads differently on imagery. Facial features are explicitly listed in the 18 Safe Harbor identifiers. A facial photo is PHI per the regulation. Distinctive marks (tattoos, scars, birthmarks), unique anatomical features, and identifiable jewelry or clothing surface as identifying information. Practical de-identification of patient imagery is harder than text de-identification because the identifiable features are visual and harder to remove cleanly. The architectural pattern: imagery-specific authorization scoped separately from text-testimonial authorization.

05.

Does the OCR look at SEO-specific surfaces or just direct mail and email?

OCR enforcement reads against the use of PHI for marketing communications regardless of channel. Service-page testimonials, before-and-after-imagery galleries, blog-post case studies, social-media patient features, and Google Reviews responses all sit inside the marketing-communication surface. The channel does not change the authorization requirement. The Resolution Agreement record includes cases where the violating surface was a service page, where the violating surface was a Facebook page, and where the violating surface was a Google Reviews response that confirmed the treatment relationship.

06.

What's the Corrective Action Plan downstream of a Resolution Agreement?

Resolution Agreements typically include a Corrective Action Plan that binds the practice's marketing surface for multi-year periods (commonly 2-3 years, occasionally longer). The CAP requires the practice to develop and implement HIPAA-compliant policies and procedures, train workforce members, monitor the marketing-communication surface, and report to OCR on the implementation. The aggregate operational cost of a multi-year CAP frequently exceeds the cash penalty. The practical implication: the cheapest path is the upfront consent workflow, not the post-violation Corrective Action Plan.

Stop watching your competitors rank

If your marketing surface relies on the intake-form release as the consent record, the enforcement record already documents the downstream consequence.

The diagnostic audits the testimonial corpus, the imagery gallery, the case-study content, and the Google Reviews response history against the 164.508 authorization standard. The audit comes back inside two weeks with the per-surface workflow scoped and the documented gaps named.
