How physicians can do no harm using social media

Dec 17, 2015


In the first part of this two-part series, I discussed physicians' use of social media and its HIPAA ramifications.

In this article, I offer some practical advice on how physicians and others in healthcare can use social media without running afoul of their HIPAA compliance office.

Rebecca Herold is a privacy expert with significant HIPAA experience. Taking a somewhat different position from Niam Yaraghi of The Brookings Institution, she notes that a patient certainly knows whether a physician is attentive, is open to answering questions, and provides enough information about the illness or injury. Those are all quality-of-care topics, so patients can, and are qualified to, discuss the quality of the patient/physician relationship. Where they are not qualified is on topics requiring medical knowledge; for example, a patient who believes vaccinations cause autism and therefore calls a physician bad for recommending vaccinations.


It is inevitable that even the best doctor will receive a number of negative patient reviews. From a HIPAA perspective, here are a few things for physicians to consider to spare themselves the heartache and significant legal costs of a HIPAA violation:

  • Familiarize yourself with AMA Opinion 5.027 – Use of Health-Related Online Sites, in which the American Medical Association lists five considerations for a physician's use of social media, and Opinion 9.124 – Professionalism in the Use of Social Media, which lists six considerations for maintaining a presence online.
  • Make sure that all of your social media interactions pass the Starbucks test: if you would not discuss the matter with a colleague in a busy Starbucks, it is inappropriate to discuss it on social media.
  • Do not post photos of your patients; just don't.
  • Do not interact with your patients online, even in the most general terms. If you have a secure practice portal, use it for communication. If you do not have such a portal, keep all communications out of the public sphere.
  • Even if the patient is an Internet troll, that does not relieve you of your HIPAA obligations. Do not confirm that the person is a patient, and do not include any details about their health or health records.
  • Take the conversation offline – ask them to call the office directly.
  • The areas where you can reply, and it is often debatable whether you should, center on non-PHI issues such as the office setting, wait times and the like. If the patient says your office has a lousy selection of magazines or the chairs are uncomfortable, you can reply.
  • Reply to specifics with generalities – if a patient criticizes the advice you gave, you cannot make a direct reply, but you can describe how you handle such matters in general.

Herold has her own advice for physicians, including:

  • Establish documented social media use policies and procedures within the practice.
  • Make sure that all personnel, not just the physicians, know and follow the social media policies and procedures. Many HIPAA violations have occurred on social media through nurses and staff posting photos of patients, making comments about patients, and responding to patients on social media sites.
  • Always remember that just because some of a patient's PHI (e.g., name, photo, phone number) is publicly available online, that does not mean those specific PHI items no longer need HIPAA safeguards. The context of a medical provider holding those items is very different from the context of those items being posted online. All PHI items must be safeguarded consistently, throughout the entire lifecycle of the PHI, according to HIPAA requirements.
  • Establish a procedure for physicians, nurses and staff to let patients know that they will not communicate with them online about their treatment, payment or specific healthcare operations; patients should be told how to do so by phone, in person, or through some other secure channel.
  • Establish a requirement that physicians and nurses not friend or link with patients. Such relationships often lead to discussing the patient's treatment, payment or healthcare operations (TPO), which in turn leads to HIPAA violations and/or breaches.
  • Establish a policy that nurses, doctors and staff cannot respond personally to any negative social media comments. Establish a procedure they can follow to report such comments to the legal and PR functions, which will then determine how to respond appropriately without violating HIPAA, or whether to respond at all.
  • If the provider, i.e., a hospital or clinic, has a social media site, that is fine and is becoming an expected activity for all types of organizations. However, someone within the provider needs to be given responsibility for managing the site, keeping inappropriate information (such as anything that could violate HIPAA) off the site, and directing any questions involving TPO to an appropriate alternate method of communication that is not the social media site.
  • When doctors and nurses post health advice online, including on social media sites, they should not include detailed examples about specific patients and should never use patient names. Posts should be limited to such things as general recommendations for improving health, how to identify common diseases and injuries, and the like.

Just say no to social media?

Maybe you should not be on social media in the first place. That is the advice of family practice physician Dike Drummond, MD, who writes that healthcare social media is a waste of time for most doctors. Among the reasons Drummond gives for why it is a bad idea for the average practicing doctor: there is no ROI, and healthcare social media is inherently dangerous.


Concurring with that opinion is a prominent plastic surgeon I know. From his perspective, HIPAA is highly confusing when it comes to patient reviews. Physicians like him are so afraid of the repercussions of a possible HIPAA violation that they choose not to respond to these reviews at all. This is particularly troublesome when a patient has an unsupported grievance, or when a competitor or ex-employee decides to spread falsehoods about the physician. This surgeon thinks that, in such cases, HIPAA gives patients too much power: they can, and have, threatened bad online reviews, even when all that was expected of them was to pay their bill.

On the other side of the coin is John Halamka, MD, CIO of Beth Israel Deaconess Medical Center in Boston, who feels that if healthcare can accelerate the adoption of social networking ideas, among other things, it will see real improvements in patient outcomes.


For a physician, the use of social media is strictly optional. Should you engage in it, follow the security doctors' orders, and be careful, very careful.


Ben Rothke, CISSP, CISM, CISA is a senior information security specialist at Tapad and has over 16 years of industry experience in information systems security and privacy.

His areas of expertise are in risk management and mitigation, security and privacy regulatory issues, design and implementation of systems security, encryption, cryptography and security policy development.

Ben is the author of Computer Security - 20 Things Every Employee Should Know (McGraw-Hill). He writes security and privacy book reviews for Slashdot and Security Management and is a former columnist for Information Security, Unix Review and Solutions Integrator magazines.

He is a frequent speaker at industry conferences, such as RSA and MISTI, holds numerous industry certifications and is a member of ASIS, Society of Payment Security Professionals and InfraGard.

He holds the following certifications: CISM, CISA, CGEIT, CRISC, CISSP, SMSP, PCI QSA.

The opinions expressed in this blog are those of Ben Rothke and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.