Can posting about patients on social media get you into trouble?


Daniel F. Shay

Legally Speaking

Daniel F. Shay, Esq. is a health care attorney at Alice G. Gosfield and Associates, P.C.

By Daniel F. Shay, Esq., March 1, 2018

From the humble beginnings of now-nearly-forgotten sites such as Friendster and MySpace, long before the age of SnapChat and Instagram, social media has now become a fixture of everyday life, with approximately 77% of adults in the United States using a social media site in 2016. Physicians, too, have sought to capitalize on the power of social media to enhance their ability to connect with patients, seeking both clinical and economic benefits from such interactions. Enterprising physicians, including dermatologists, have also sought to bolster their own online profiles by utilizing the power of social media and new media platforms such as YouTube. Physicians also use social media to discuss the practice of medicine with one another. These interactions, however, all come with associated risks under both HIPAA and medical malpractice analyses. This article discusses the risks involved, and offers practical guidance for dermatology practices struggling with how to square the potential benefits of social media with the risks it can impose.

HIPAA concerns

More than 20 years since it was passed into law, most physicians have a reasonable grasp on how HIPAA operates within the four walls of their office. They understand that janitorial staff do not need a business associate agreement. They’re familiar with how to issue a notice of privacy practices. They are comfortable with the notion that merely calling a patient by name from the waiting room does not constitute an improper disclosure under HIPAA. Within the social media context, however, they may not recognize the range of risks they face. Social media offers new avenues by which protected health information (PHI) may be shared (properly or improperly), and a multitude of new fact patterns to consider when drafting HIPAA compliance plans.

First, it is essential to remember that all posts on social media are unsecured PHI by their very nature; social media posts lack the encryption necessary to qualify as secured PHI. Therefore, any improper disclosure of PHI on a social media platform must be analyzed under both the Breach Notification and Privacy Rules. Second, a failure to address social media in a physician practice’s policies and procedures may implicate the Security Rule, which applies to electronic PHI (ePHI) — including both secured and unsecured ePHI — and requires that physician practices establish policies and procedures to address both breaches and issues relating to data control.

Physician practices should develop policies and procedures to avoid improper disclosures of ePHI on social media. Such improper disclosures are most likely to be unintentional. For example, we represented a physician clinic where a front desk staff member posted a picture of an apple given to her by one of the clinic’s patients, alongside a comment about how much she loved her job and the people she met through it. Unfortunately, the apple in the photo sat atop a daily charge sheet, which included patient names, medical record numbers, and dates of birth. Fortunately in this case, this information was mostly obscured by the apple itself, and no single element was completely visible; only partial information could be seen, and not enough to individually identify any single patient. Still, the incident illustrates how normal usage of social media can prove much riskier within a physician practice.

Other disclosures may be intentional, hard to believe though that may be. For example, a physician working in a Chicago hospital emergency room was fired for posting photos of an intoxicated patient on his social media account. This example obviously represents an extreme case; most physicians and office staff could reasonably be expected to know better. However, they might still intentionally post information to social media accounts without realizing that the information itself is PHI.

For example, taking a “selfie” photo with a patient and posting it to a social media account would be an improper disclosure of PHI. This type of behavior on social media is entirely normal in most instances, but it is improper within the HIPAA context. Likewise, some enterprising physicians may seek to promote themselves by demonstrating, for example, the efficacy of the treatments or products they offer, such as through YouTube videos, which they might also post to social media accounts. These videos may depict patients clearly, may include patient names, patient testimonials, etc. There are two key questions in such circumstances: (1) is the patient information enough to individually identify the patient, and (2) if so, has the patient signed a HIPAA authorization to permit the disclosure? Thus, an image or video just of a patient’s rash and its response to a topical cream or other treatment is likely not a disclosure of PHI, as long as there are no other identifying marks or information shown. However, pictures of a tattoo removal where the tattoo itself is unique, or results of reconstructive or cosmetic surgery that show a patient’s face may well be disclosures of PHI.

This touches on a commonly held misconception among physicians: verbal consent, or even informal written consent to post the information is insufficient to satisfy HIPAA; instead, the physician must obtain an authorization from the patient. Under HIPAA, authorizations must contain certain required elements, such as a clear description of the information that will be used and how it will be used, an expiration date (if applicable — or “none” if inapplicable) for the authorization, the individual’s signature and date of signature, and statements that the individual’s continued treatment is not conditioned on their signing of the authorization. Thus, without an effective authorization, a video of a patient where the patient can be clearly identified will be an improper disclosure of PHI. Similarly, as silly as it may sound, a patient’s inquiry on a social media page regarding their condition (e.g., “Do you have the results of that biopsy?”) does not implicitly grant permission under HIPAA for the physician to respond substantively. Instead, such an inquiry should be responded to either by stating that the practice never discloses patient information where it could be viewed by the public (such as on social media) and directing the patient to call the office, or by suggesting the patient contact their regular doctor through a patient portal, if applicable.

Malpractice concerns

In addition to the HIPAA concerns raised by the use of social media, interaction with patients through social media platforms can raise malpractice risks. Although many physicians are appropriately wary of using social media to interact with patients in any clinical sense, the risk remains. However, there are different malpractice risks, depending on whether the individuals who interact with the physician on social media are current patients, or people with whom they do not have a physician-patient relationship.

In cases where no current physician-patient relationship exists, the goal of the physician should be to avoid establishing one based solely on the social media interaction. Unfortunately, given the relative youth of the social media environment, case law governing when and how physician-patient relationships are established on social media remains sparse. However, analogies can be drawn from other “minimal contacts” cases. For example, attending physicians responsible for providing oversight of residents have been found liable for the actions of residents, in spite of having never laid eyes on or otherwise interacted with the patient. Physician-patient relationships have been established even when there was no direct interaction with the patient, and no physical contact, such as in the case of a physician providing ship-to-shore medical services to a ship’s purser on a fishing trawler located in the Bering Strait, attempting to treat a patient’s diabetic ketoacidosis. Similarly, a physician who provided a telephone consultation to an emergency room physician assistant treating a patient with an eye injury was enough to establish a physician-patient relationship. It is not difficult to imagine how similar analyses would apply to interactions with individuals through social media.

With established patients, the goal would be to avoid harming the patient. This creates a highly fact-specific inquiry, regarding the precise nature of the interaction and whether the physician’s response met the standard of care. Still, it is difficult to see how social media platforms would be appropriate for providing clinical advice even to established patients.

Social media has also become a platform by which clinicians interact with each other, both to provide moral solidarity, and to offer specific clinical guidance or information when discussing cases. This, too, can create potential malpractice liability. A well-meaning post on a social media website, where one clinician seeks to offer friendly advice to another, could be seen as a consultation that establishes a physician-patient relationship, depending on the circumstances and whether the patient is harmed. See more on this under “Social media groups.”

Practical advice

Physician practices must establish clear, firm policies regarding the use of social media, both during and after company hours. It is likely impossible to create a complete ban on social media usage during company time, however. Even if the practice can block social media websites from the desktops they use, the prevalence of smartphones makes it much harder to completely stop all staff access to social media sites.

An additional wrinkle regarding what companies may prohibit with respect to employee activity on social media arises from the rules of the National Labor Relations Board (NLRB). Briefly, employees are permitted to engage in “concerted activities” to provide mutual aid or protection to each other. With respect to social media, the NLRB has interpreted this language to mean that social media policies must be narrowly tailored so that they do not also prohibit “concerted activities.” In practical terms, this means that a non-disparagement rule, whereby the employee is not allowed to speak ill of the company on social media, is likely to be found to be too broad, since it would prohibit “virtual picketing” in the form of an employee protesting work conditions. On the other hand, policies that prohibit disclosure of PHI except under certain limited circumstances would be entirely permissible.

Physician practices are likely to face generational hurdles as well, with younger employees and clinicians joining practices, as well as younger patients seeking treatment. While older people who did not grow up with social media as a fact of life may remain reticent to even establish an account, let alone broadcast details of their lives, younger generations view social media as simply a part of their daily lives. They may not think twice about posting this or that random thought, picture, complaint, piece of advice, or entertaining anecdote. The goal of practice policies and training efforts, therefore, must be to train staff to stop and think before posting.

In the HIPAA context, this means having an understanding of how information flows through social media networks, and how quickly it can be disseminated. It also means training clinicians and staff alike to recognize what constitutes PHI in the social media context. It is not enough to simply say “names, dates, unique medical conditions, etc.” A more effective approach may be to use “fake” PHI in context, and demonstrate how quickly information can spread, such as by showing what happens when a post containing PHI is published on a public Twitter account, or a Facebook profile with limited privacy controls. Similarly, a “find the PHI” exercise could prove educational, as the practice again posts “fake” PHI somewhere in a social media post, and clinicians and staff members must identify the improper disclosure. When policies and procedures have been established, they must also be enforced; improper disclosures of PHI must be dealt with according to practice policies.

In the malpractice context, the easiest way to avoid social media risks is simply to refuse to engage in any clinical activity online. For example, if a patient posts a picture to the practice’s social media page showing a skin condition and asking for advice, the appropriate response is simply to suggest that the patient call the office to set an appointment, rather than to respond substantively. This is particularly true with individuals who are not yet patients; again, the goal is to avoid establishing a physician-patient relationship online. For more serious inquiries (e.g., “Am I having a heart attack?” or some other emergent condition), it is likely best to recommend going to the emergency room, rather than responding with a specific diagnosis. This would seem like obvious advice to most, and yet there is at least one account of a physician who was asked on Twitter whether certain symptoms were signs of a heart attack, who responded “If movement, deep breath, swallowing makes pain worse or better, it is NOT a heart attack.” One certainly hopes the physician was correct...

For individuals who are already patients, again, the goal is to avoid causing harm. Toward this end, it is probably still safest to recommend calling the office or setting up an appointment, rather than engaging on social media. Alternatively, the patient could be directed to the practice’s patient portal (if it has one). It is also likely safe from a malpractice perspective to offer general information (e.g., JAMA articles, a link to a WebMD entry, etc.) if a patient inquires about a given condition, although any such response should be made in a way that satisfies HIPAA (e.g., not in any way that is publicly visible and unsecured).

Social media groups

One particular aspect of social media has drawn both recent attention and some degree of criticism. Industry-oriented groups have become more popular in recent years, such as groups consisting of physicians within different specialties, or physicians of a common background. These groups can be helpful in discussing one’s life as a physician among other colleagues sharing similar experiences. However, physicians are collegial by nature, and some members of these groups also discuss clinical activities with their peers. Such discussions can carry risk both from a HIPAA perspective and a medical malpractice perspective, depending on the specific content of the discussions. The practical advice addressed above can and should be applied to communications posted in such groups.

From a HIPAA perspective, clinicians need to be careful not to disclose PHI. As noted above, PHI is individually identifying information about the patient. This goes beyond the more obvious information like names and birthdates, and should also extend to visual information like unique birthmarks or other physically identifying features. The specific privacy controls of the social media group must also be considered in the event of an improper disclosure.

For example, Facebook permits such groups to be public, private, or “secret.” Public groups allow non-members to search for the group itself, and view the content posted on such groups. Private groups are able to be found through searches on Facebook, but restrict the content of posts to group members only. “Secret” groups cannot be found by searching — individuals are instead invited to join by existing members or group administrators, and likewise restrict content to members. Knowing how visible such information is can help assess how far information may have spread if PHI is improperly disclosed. It may also be necessary to craft an effective HIPAA authorization. Consider the difference between an authorization to post to a secret group containing only 50 members, versus an authorization permitting disclosure to a public group.

From a medical malpractice perspective, communication on such groups could form the basis for a medical malpractice action. This, however, is a highly fact-specific inquiry, and would likely depend on jurisdiction-specific case law that interprets how “curbside” consults are treated under the jurisdiction’s precedents. While it is likely safe to offer general information about similar cases a physician may have treated, it is likely unwise to offer conclusive diagnoses or specific advice for treatment, so as to avoid potential liability. Ultimately, the physician directly treating the patient will bear liability, but such “crowdsourced” advice opens up the potential for additional liability for the “crowd.” Unfortunately, even if a court ultimately determines that members of such a group who offered general advice do not bear liability, the issue of (for example) whether the group member had a physician-patient relationship with the injured plaintiff may still have to be litigated, if the plaintiff claims that they were injured as a result of the member’s advice to their doctor. Lastly, any advice offered by group members will likely remain preserved in written form, acting as potential evidence in such a malpractice claim, the same as an email exchange between physicians could. The safer approach, therefore, is likely to avoid clinical discussions in such group settings.

Conclusions

As social media usage among patients and practitioners alike continues to increase, physicians are likely to face more and more interaction with patients over social media. Similarly, physicians may be tempted to establish a social media presence to reach a wider market. The reality is also that more patients and more clinicians and staff members are going to be people who have grown up with social media as part of their lives, and for whom its use is second nature. Physicians must confront this reality head-on and develop policies and procedures to navigate the integration of social media into their professional lives — a task with which experienced legal counsel can help.
