Physicians and social media – where there’s no second opinion

Dec 14, 2015

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was meant in part to help maintain the privacy and security of medical records that contain Protected Health Information (PHI). HIPAA grew out of the understanding that when large amounts of PHI move into electronic formats, the risk of large-scale data breaches increases significantly.

One issue with HIPAA is that it was written so broadly, yet is often interpreted narrowly. As a result, its implementation has led to many cases of unintended consequences.

One example is the ubiquitous patient status board. These boards have long played an important role in coordinating and communicating about patient care in hospitals. In busy wards, the status board often serves as the central access point for operational and patient-related information. Status boards have transitioned from dry-erase whiteboards to real-time electronic boards. Irrespective of the type of board, HIPAA mandates that the information on it, which long included patients’ names and other medical data, can no longer be displayed in public view.


The narrow, yet definitively accepted, HIPAA interpretation means that the regulation does not distinguish between a 50GB PHI database and a localized whiteboard with 15 names on it.

Strictly speaking, status boards can contain PHI only in the limited situation where everyone who can see the board needs the listed patients’ PHI for Treatment, Payment and Health Care Operations (TPO). So, putting names on a whiteboard is OK during an active meeting, or if the room is restricted to only those who provide TPO activities for the listed patients. Otherwise, patient PHI should not be on whiteboards.

The HIPAA privacy and security requirements prohibit displaying patients’ names in public via these status boards. Patients though can sign a waiver allowing their names to be displayed on the status board. But for most institutions, HIPAA has made use of status boards much harder.

Another issue arises with mental health and substance-abuse cases, where HIPAA has placed significant constraints on healthcare providers. Medical staff often cannot proactively reach out to family members, because HIPAA patient privacy rules prevent them from telling family members about a patient’s mental health or addiction issues if the patient is a legal adult, without the patient’s express consent.

It should be noted, though, that the HIPAA final rule in 45 C.F.R. § 164.502 allows healthcare providers to disclose protected health information for treatment purposes without patient consent in some limited cases.

HIPAA also stymies a physician’s ability to reply to negative online reviews and social media interactions. Countless sites exist where patients (and trolls) can post a review of a physician. Yelp has reviews for restaurants, and also reviews for doctors in all major cities.

A similar situation arises with teachers, as the Family Educational Rights and Privacy Act (FERPA) also limits how teachers can reply to teacher rating sites.

While restaurants often reply to negative reviews, physicians who attempt a direct reply to a patient’s social media posting may be in violation of HIPAA.

The cruel reality is that a patient can post just about anything they want about a physician. But that same physician may be violating HIPAA if they reply to their patient via social media.

It is also important to note that just because a patient blogs about their condition or tweets about their medical status, in no way does that mean they are waiving their HIPAA rights.


As to the quality of these reviews, Niam Yaraghi, a fellow at The Brookings Institution, writes that patients are often neither qualified nor capable of evaluating the quality of the medical services that they receive. How can a patient with no medical expertise know that the treatment option they received was the best available one? How can a patient’s family, whose relative died, know that the physician provided their loved one with the best possible medical care? If patients are not qualified to make medical decisions and rely on physicians’ medical expertise to make such decisions, then how can they evaluate the quality of those decisions and know that their doctor’s decision was the best possible one?

In the next blog post, I’ll conclude with some action items, in addition to sage advice from Rebecca Herold.


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISM, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.