Does Anyone Care About Physicians' Privacy?

Andrew N. Wilner, MD; Ronald W. Pies, MD


June 10, 2019

Physicians are constantly, and rightfully, admonished to protect the privacy and confidentiality of their patients. These rights are enshrined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which is strictly overseen by the US Government Office of Civil Rights (OCR), to the cost of more than $28 million in fines and settlements last year alone.[1] Considerably less legal recourse is available to physicians, with limited laws on the books to protect their privacy, such as those in New Hampshire prohibiting pharmacies from selling information about their prescribing patterns.[2] Yet, clearly, physician privacy goes far beyond this one issue, including the unauthorized use of their images and the many invasive questions they face when applying for medical licensure and other privileges.

Neurologist Andrew N. Wilner, MD, and psychiatrist/medical ethicist Ronald W. Pies, MD, discuss these issues in the following dialogue.

Pies: You recently had a rather upsetting experience involving an unauthorized photo that was taken of you. Can you give us the quick history?

Wilner: Yes, it was a surprise and pretty upsetting. I had examined a patient for altered mental status, along with one of my residents. After I had left the room, my resident mentioned that the patient's sister had snapped a picture of us with her cell phone. The sister told him she was going to post it on Instagram. Since my focus had been on the patient, I had been completely unaware of this interchange.

We were in a hurry to our next emergency, so I wasn't able to give this incident much thought until later. Upon reflection, I had a number of concerns. First, it wasn't clear that the patient had given her sister permission to document her illness. Further, because of the patient's confusion, it wasn't clear that she had the presence of mind to give "informed consent" for the photo, even if she wanted to do so. It seemed to me an invasion of the patient's privacy. Maybe she didn't want the whole world to know she was in the hospital.

In addition, I felt that my personal privacy, and the privacy of our medical interaction, had been violated. It also seemed perverse that—with all the effort physicians and other hospital employees exert to respect HIPAA regulations—a family member can expose a patient's medical condition so blithely to potentially millions of people on social media.

Pies: Were you concerned that the sister might post something negative about you, along with the picture?

Wilner: I don't know how the sister planned to caption the Instagram photo. It might be flattering, or not. I'm more concerned with the quality of care that I deliver than the number of stars I might get on social media sites.

Nonetheless, I don't think it was appropriate to post a photo without the informed consent of the patient—which was problematic in this case—and without the permission of the treating physician, and perhaps hospital administration. I'm not sure if there is an official policy regarding family members posting private patient-physician interactions on social media. I'm going to have to look into that.

Let's say you are treating a patient who you later discover is secretly posting photos and/or derogatory information about you on social media. What damage does that do to the patient-physician alliance?

Pies: I can see why this episode was upsetting. I'm a medical ethicist, and not a lawyer, so I can't comment on the legal issues involved in that specific scenario. However, as a general principle, it's not illegal, or considered an invasion of privacy, to photograph someone in a public place, or at an event where the public is invited, without the person's permission. But if someone takes a photograph of you without your permission, and does so in a setting in which you had a reasonable expectation of privacy, that can be illegal and is considered an invasion of privacy.[3]

I would argue that a private hospital room, or even a cubicle in the emergency room, is a "private space" and that you had a reasonable expectation of privacy when you saw this patient.

Wilner: Yes, I agree. A patient, or a patient's relative, taking an unauthorized photo of a physician at work seems to me a violation of physician privacy. I do not consider a patient's exam room a "public place" where my picture could be taken without permission.

From my perspective, I was at work, not at a photo shoot. Maybe my white coat was stained that day, my hair was a mess, or maybe I hadn't shaved because I had been up all night taking care of patients. All these features could be inappropriately interpreted as carelessness or lack of concern, if displayed in a photo. I don't think that I should have to worry that my image might be surreptitiously captured at any moment while at work and posted for all the world to see. For that matter, even on a good day I might not want my photo taken!

Pies: As you suggest, there is also the further issue of what becomes of the photo of the physician. Is it posted on social media? Does it depict the physician in a bad light, by, say, adding some derogatory or defamatory comments? These are clearly legal issues, and there is a lot of legal opinion on the matter of online defamation.[4] But these issues also have ethical implications for both patients and physicians.

For example, let's say you are treating a patient who you later discover is secretly posting photos and/or derogatory information about you on social media. What damage does that do to the patient-physician alliance? And how should the physician respond in such situations? Some of these issues were explored in a recent Medscape article.

As a psychiatrist—and this really applies to all physicians—there is always a question of how much personal information I can appropriately disclose to patients, in service of showing empathy and strengthening the physician-patient alliance. But that applies to voluntarily revealed information, such as the physician saying, "Like you, I went through a rough period when I was diagnosed with cancer." It doesn't apply to information revealed without the physician's consent.

Wilner: I absolutely agree. I sometimes reveal personal medical information if I believe that it will help a particular patient, but I don't do it routinely. I certainly don't post my medical history online so that patients can check to see if we have had similar experiences!

I'd like to add another area where physician privacy is routinely disrespected. This occurs in the realm of licensing and credentialing, where all sorts of personal information must be revealed. While I agree that states and hospitals must perform due diligence in order to protect the public, requests for personal information can go too far. Hyperbolic concerns for patients' safety often transform the application process into an interrogation.

For example, most states require fingerprints and a criminal background check before a medical license will be granted. Information may be demanded regarding criminal charges, even regarding cases that were dismissed or expunged. Hospitals may require a "voluntary" drug test. Physical and mental health disorders must be disclosed.

In addition, while all of this information is supposed to be kept private, the number of agencies and departments given access is extensive. What's worse is that physicians have absolutely no recourse. If they refuse to answer personal questions, their applications can simply be rejected as "incomplete." I've written about the disconnect between patient and physician privacy on my blog and addressed it and other practice issues in my latest book, The Locum Life: A Physician's Guide to Locum Tenens.[5]


In a 2010 post on The Health Care Blog, Margalit Gur-Arie surveyed how electronic health records could potentially be used to derive and eventually make rampant the monetization of physician data, such as their prescribing patterns or frequency of performing certain procedures.

"Fortunately, patient privacy is central to all new standards and policies being created by the government," she wrote. "By contrast, physician privacy is not even an afterthought. While physicians have always been morally and legally obligated to protect their patients' privacy, perhaps the time has come to also consider the doctor's privacy in this brave new digital world."[6]

Nearly a decade since that insightful post, the risks to physicians' privacy have only increased in ways both predictable and impossible to foresee. Yet the underlying argument holds true.

We believe that unless physicians privacy rights are protected, particularly in hospital settings, the fabric of medical practice may be irreparably torn. Just like patients, physicians have a right to privacy too!

Follow Medscape on Facebook, Twitter, Instagram, and YouTube


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.