Avoiding Social Media Blunders With Proactive Risk Management Policies
Laura M. Cascella, MA, CPHRM
Undoubtedly, social media’s ease, flexibility, and convenience offer various opportunities to enhance the dissemination of health information and communication between patients and healthcare providers. Like any type of technology, though, social media can create safety and risk management concerns if it is not used responsibly. Further, because social media changes rapidly, standards and best practices are not always well-defined.
Consider the following three case examples that illustrate how communicating with patients, or about patients, on social media can be problematic.
Case 1: Patient Has Second Thoughts After Authorizing Posting of Facebook Photo
Dr. A, a board-certified plastic surgeon, performed a successful breast augmentation on a patient in her mid-thirties. About 5 months after the procedure, the patient sent an email message to Dr. A’s practice saying that she was extremely pleased with the results of the augmentation. In the message, she attached a picture of herself that highlighted the results of the surgery.
In response, Dr. A’s marketing manager asked the patient for permission to post the picture on Facebook. The patient consented via email to the posting, and asked the marketing manager to tag her in the post. About 2 hours after the picture was posted, the patient contacted Dr. A’s office and asked that they remove her picture from Facebook because people were posting critical comments about it.
Dr. A’s staff removed the picture immediately, but the patient was so upset that she contacted an attorney. The attorney sent a demand letter shortly thereafter; allegations included violation of the patient's privacy rights, negligence, breach of fiduciary duty, breach of contract, and infliction of emotional distress.
Although defense experts felt that the patient’s case was weak, they were concerned about the patient’s consent to post the photo. The authorization that the patient sent to Dr. A’s office via email did not include all of the HIPAA-required elements. To avoid the patient filing a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights, Dr. A agreed to settle the case.
Case 2: Online Dispute Becomes Problematic for General Dentist
Dr. M, a general dentist, treated a male patient in his fifties for various dental issues. Although the treatments were successful, the patient was unhappy with Dr. M’s office staff and the amount for which he was billed. The patient joined an online forum and began posting negative comments about Dr. M’s billing policies, office staff, and efficacy of care.
The patient’s comments in the online forum included extensive details about his dental conditions, dental and medical history, and diagnoses. He also provided comprehensive summaries of his dental care prior to treatment with Dr. M.
Eventually, the patient’s negative comments came to Dr. M’s attention, and he became very upset about the postings. The doctor responded to the posts by refuting certain points that the patient had made. Dr. M did not disclose any new information about the patient; he merely used the facts that the patient had already disclosed. Regardless, the patient filed a lawsuit against Dr. M alleging, among other things, invasion of privacy. The case went to mediation; with Dr. M’s consent, a settlement was reached.
Case 3: Physician’s Tweets Prove Costly
A state medical board received a complaint that an internal medicine physician in a small town had posted information on X/Twitter about specific patients without their knowledge or consent. The postings occurred over a 12-month period.
The medical board initiated an investigation into whether the physician’s actions constituted (a) a breach of doctor–patient confidentiality, (b) a violation of laws connected with practice, and/or (c) unprofessional conduct.
The physician did not dispute that he tweeted about his patients; however, he argued that the tweets did not include any personally identifiable information. Some of the tweets included comments about the physician’s interactions with patients, pictures of X-rays, and cropped images of notes from undefined individuals.
Nonetheless, the medical board initiated a formal investigation into the matter, and the physician was required to submit a further response. Eventually, the medical board dismissed the matter because it was not able to prove that a violation occurred. However, the physician had significant expenses related to legal fees.
Addressing Social Media Risks
To avoid precarious situations — like those described in the case examples — healthcare providers should understand the risks associated with social media and proactively develop policies and guidance to reduce liability exposure.
Including staff members in developing or updating social media policies can support compliance, reinforce the importance of appropriate social media conduct, and increase the likelihood of identifying potential policy shortcomings.
Important areas to consider when developing your healthcare practice’s social media policies include:
- The practice’s goals and target audience for social media communication
- Social media in the context of federal and state privacy and security regulations
- Acceptable and unacceptable uses of social media, with explicit examples
- Disciplinary actions for social media policy violations
- Authorization and accountability for developing and posting social media content on behalf of the practice
- The review and approval process for social media content
- Standard disclaimer and disclosure language
- The patient consent process (e.g., for any marketing or advertising efforts on social media that will include patient information, such as pictures or testimonials)
- Technical limitations and terms and conditions of any social media sites that the practice plans to use
- Terms of use for visitors on the practice’s social media sites
- The process for reporting inappropriate use of social media
- The process for responding to online reviews or comments (whether positive or negative)
When developing these policies, keep in mind that social media is dynamic and constantly changing. To address this, create policies that are flexible and adaptable to new or changing social media technologies. Doing so will help avoid the need for constant updating.1 Additionally, consider scheduling a routine review of your social media policies (e.g., yearly) to identify any outdated or missing information.
Learn More
For more information about issues associated with social media, see MedPro’s Risk Resources: Social Media in Healthcare and Risk Tips: Managing Negative Online Reviews.
Endnotes
1 ECRI. (2021, January 12). Social media: Organizational risks. Health System Risk Management. Retrieved from www.ecri.org
MedPro 
