What are the legal risks associated with social media and online review sites?


Daniel F. Shay

Legally Speaking

Daniel F. Shay, Esq. is a health care attorney at Alice G. Gosfield and Associates, P.C.

By Daniel F. Shay, Esq, November 1, 2019

Social media usage continues to grow. For example, as of June 2019, Facebook boasts 1.59 billion active users per day. Physicians and physician practices are likewise establishing their own presences on social media, to interact with patients and provide a marketing platform to the physician or practice. Similarly, many patients use online review sites to comment about their physicians, sometimes prompting physicians to respond to them. These interactions, however, come with risks.

HIPAA concerns

Social media is a fact of modern life. Even if a physician practice does not itself maintain a social media presence, it still must recognize that its patients and employees are likely using social media. In either case — whether a practice does or doesn’t use social media — the practice must address issues relating to HIPAA. Under the HIPAA Security Rule, “covered entities” (including physicians and physician practices) must establish policies and procedures that address the use of electronic protected health information (ePHI). This includes any ePHI transmitted over social media.

Practices should develop social media policies for their employees that, among other things, prohibit sharing ePHI online. They should also train employees to know what constitutes ePHI in a social media context, such as patient names, birth dates, and images. Without adequate training, even well-meaning staff may inadvertently reveal ePHI. For example, an employee of one of our clients posted a photograph of an apple, given to the employee and grown by the patient, which was positioned on top of a daily charge sheet. The PHI on the sheet was sufficiently obscured by the apple, but the incident highlights the need to train staff to think before posting.

If a practice maintains its own social media account, posts should only be made by authorized individuals following established guidelines. One key point to remember is that patient requests for PHI on a social media site are not valid authorizations to disclose the PHI in response. Under the HIPAA Privacy Rule, a valid authorization is a legal document, signed by the patient, that must include specific language; a Facebook or Twitter post does not qualify. In response to patient inquiries, practices should state that they never disclose PHI over unsecure networks and should advise the patient to call the practice or (when appropriate) communicate via patient portal.

Review sites

In recent years, physician review sites have similarly grown in popularity. From the physician perspective, this presents a double-edged sword. Positive reviews can help encourage potential patients to visit the physician, but negative reviews may deter them. Likewise, while patients may be perfectly capable of determining whether they received good customer service from front desk staff, they may not be the best judges of whether they received appropriate treatment, which can be frustrating if treatment is the focus of the negative review.

A physician may want to challenge such a patient’s assessment, dispute facts, or explain the appropriateness of the care the patient received. If the physician believes the patient received substandard care or service, the physician may want to apologize, believing that doing so will mollify the patient and demonstrate a commitment to quality service. However, neither response is appropriate or advisable.

Just as with patient inquiries about their health status in a social media setting, substantive responses to patient complaints on review sites could violate HIPAA and represent a disclosure of PHI (depending on the content of the response and on the content of the patient’s own review). Moreover, a patient review does not waive the need for a HIPAA authorization, nor does the review act as a de facto authorization itself. There are also good business reasons not to respond substantively. Responses that refute a patient’s complaints may seem hostile. Apologetic responses could be used in potential malpractice litigation.

Instead, consider adopting policies that standardize responses so that they generally (A) state that the practice does not reveal confidential information about patients online (or even confirm if the poster is a patient), and (B) offer the reviewer a means by which they may contact the practice to address their concerns (such as a phone number for a complaint line). This ensures that the practice appears responsive to criticism but does not expose the practice to additional liability by disclosing PHI or admitting wrongdoing in a public forum.

In some limited instances — such as those involving an obviously false review complaining about services the practice does not ever provide — it may be reasonable to respond. However, even with false reviews, physicians should be careful with their responses. For example, if a patient posting under their own name claims to have received services that the practice provides, but on a day when the office was closed, it is still better not to respond substantively. The patient may simply be confused, and a response might still reveal PHI.

Other times, the review may be so critical that the physician contemplates legal action. Defamation lawsuits by physicians against patients have proven difficult and often unsuccessful. Suits against the review sites themselves rarely succeed, because the site has no independent obligation to determine the accuracy of the review. Suits against reviewers may be difficult because it is hard to identify the person behind what may be a mere user ID, and also because some states have laws that penalize filing frivolous or unsuccessful lawsuits against people who negatively review a business. Instead, it is wiser to use the review site’s own internal processes to have false or defamatory reviews removed.

Conclusion

Social media and online review sites pose potential legal risks for physicians, especially regarding HIPAA disclosures. Effective policies and procedures, coupled with staff training, can help alleviate these concerns. Physician practices can also suggest to patients that they post positive reviews if they are happy with the care they received, to offset the impact of negative reviews rather than attempt to combat such negative reviews directly. Experienced health care legal counsel can assist in all these efforts.
