Patient Privacy and the Use of Social Media in Medical Practices

How Much Can Physicians and Medical Offices Tweet, Post, Like, and Share?

It’s no secret: marketing, advertising, and patient relations in the digital age require many Texas physicians and medical practices to maintain a social media presence. However, due to the array of complex patient-confidentiality rules and regulations that govern communication in the medical industry, Texas practitioners must be conscious of the potential risks associated with social media.

Under both Texas and federal privacy laws, physicians and medical practices are required to have policies in place to ensure the integrity and confidentiality of their patients’ protected health information (PHI) and protected patient information (PPI). Because communications made via social media forums, including Facebook, Twitter, and Instagram, are usually unencrypted, those communications can lead to the unintended disclosure of protected information and the necessity of remedial action, or worse, regulatory or disciplinary reprimand.

The more obvious breaches of confidentiality have not presented too much of a novel concern, as most physicians and office employees are well aware that the unauthorized posting of “John Doe just got a check-up – flu free and ready for school!” on social media is inappropriate. However, many of the communications that can land medical practices in trouble are more subtle in nature. For example, communication between two practice employees or colleagues via private social media messenger could potentially constitute an unsecured disclosure of protected health information, depending upon the content of the conversation and the involvement of the respective parties in the patient’s care. Similarly, an employee group photo from an office luncheon, posted on the medical practice’s social media page, seems innocuous, but if that photo includes an inadvertent view of a patient sign-in sheet, or a computer monitor with discernible patient information, a potential breach could ruin the party.

Additionally, insofar as some of the HIPAA reporting, disclosure, and notice requirements are dependent upon the size of the breach at issue, factors such as how many “re-tweets,” “likes,” “posts,” or comments a particular publication received can be crucially important, and easily monitored by critical parties.

Ultimately, then, Texas physicians and medical offices should create, employ, and enforce a specific policy which addresses the permissible scope of social media use, and provides for accountability among both medical and administrative personnel.
