HIPAA Meets Social Media Marketing with Liz Heddleston and Leah Stiegler
Concepts: Healthcare Law; Data Privacy
A positive patient story. A successful outcome. A well-intentioned post. What could go wrong? In today’s healthcare marketing landscape, more than many organizations realize—and regulators are starting to take notice.
In this episode, I get to speak with Liz Heddleston and Leah Stiegler of Woods Rogers about a healthcare compliance issue that many organizations may be underestimating: the HIPAA risks created by modern marketing practices.
Healthcare providers increasingly rely on social media, patient testimonials, online success stories, influencers, user-generated content, and even AI-assisted marketing tools to build visibility and connect with patients. But as recent enforcement activity demonstrates, these efforts can create significant HIPAA exposure when protected health information is disclosed without proper authorization.
Our conversation uses the recent OCR enforcement action involving Cadia Healthcare Facilities as a starting point. OCR alleged that patient names, photographs, and treatment information were publicly shared through online success stories without valid written HIPAA authorizations. The resulting settlement serves as a reminder that positive intent, patient enthusiasm, and informal consent do not eliminate HIPAA obligations.
Liz and Leah help unpack what went wrong in the Cadia matter and explain why healthcare organizations should be paying close attention. We discuss:
- Common misconceptions about de-identification
- The growing risks associated with social media and AI-generated content
- The compliance challenges created by marketing vendors, agencies, and influencers
- Where OCR enforcement may be headed next
One of the key themes throughout the discussion is that HIPAA compliance is no longer just an IT or cybersecurity issue. As healthcare organizations expand their digital presence, privacy compliance must become part of the content creation and marketing process itself.
Whether you’re a healthcare executive, compliance officer, in-house counsel, privacy professional, marketer, or outside advisor, this conversation offers practical guidance on navigating the intersection of healthcare privacy, digital marketing, and regulatory risk.
Jump in to hear Liz and Leah’s insights on HIPAA compliance, healthcare marketing, and the emerging risks organizations should be addressing before an enforcement action brings them into focus.
As always, if you have comments or wish to participate in one of our projects, please drop me a note at Editor@LitigationConferences.com.
Tom Hagy
Litigation Enthusiast and
Host of the Emerging Litigation Podcast



