Malpractice Case: Why You Need Social Media Policies to Protect Your Practice

Kimberly Danebrock, JD, RN, CPPS


September 07, 2020

1. Put the right people in place.

It's important to know who is managing your social media efforts and whether a social media policy currently exists. A large practice may have a social media director, but sometimes the job is given to someone from corporate communications or marketing.

Given the importance of social media, do you have the right team in place? Are they sufficiently experienced and responsible to handle the job? Are they stretched too thin to be effective? Training may be in order to clarify current guidelines and best practices.

2. Benchmark your social media policy against others.

If your practice already has a social media policy, it's a good idea to compare it against others in the industry and determine whether the existing policy is up-to-date. Many firms publish their social media policies openly online, so a good first step is to have someone perform an online search of social media policies for healthcare companies.

3. What should a good social media policy do?

  • Define what social media is and how people should use it

  • Explain the rules surrounding patient privacy

  • Educate staff about the consequences of breaching patient privacy

  • Emphasize maintaining a professional reputation; on social media you represent not only yourself but also the practice (and to some extent the entire medical community)

  • Explain the importance of professional boundaries.

If your current policy has directives like "be ethical and professional," understand that this creates a big gray area. Do other policies that you've seen do a better job of clarifying? Do they offer specific examples of behaviors that can lead to trouble? Remember that a major reason to have a policy is to ensure patient confidentiality. Provide clear and multiple examples of what to do and what not to do, so that sensitive information is not inadvertently disclosed.

4. Choose the right tone when creating or revising your social media policy.

Some social media policies are dense legal documents: long, detailed, and very complex. Others are brief and strive to provide easy-to-remember guidelines. Which tone you choose depends on the culture of your organization; it's important that the language and sensibility reflect the organization.

No matter what the tone is, remember that your policy will be effective only if your staff can understand and remember it. Keep it as simple and to the point as your culture will allow, and strive to be memorable. For example:

  • It's easy to remember "No photos or videos inside our practice, ever."

  • It's hard to remember "Employees who carry smartphones or other devices which contain cameras or other recording equipment must exercise proper judgment about whether a photograph or video might inadvertently lead to a breach of patient confidentiality."

5. Instruct staff on the consequences of noncompliance with the social media policy.

Don't assume that your staff is aware of all of the regulations about patient privacy and the consequences of a privacy breach. Staff should be educated on the cost of potential fines, civil suits, and medical board investigations. The social media policy should also include what action will be taken against employees who violate the policy, including termination. If you've already instructed them on this, your social media policy is an opportunity to reinforce the message.

The Health Insurance Portability and Accountability Act (HIPAA) has a list of 18 identifiers that are classified as Protected Health Information, including "Any other unique identifying number, characteristic, or code." A photo of a knife or gunshot wound could easily constitute a breach. Even an image of an x-ray, with the patient's name blocked out, might be a violation. In 2011, an emergency room physician posted on Facebook a few notable cases she had seen in the ER, carefully avoiding using patient names or ages. Yet, "unauthorized third parties" were able to determine one patient's identity from the post. She lost her hospital privileges, and the Rhode Island medical board found her guilty of unprofessional conduct and fined her $500.

6. Beware: Every picture tells a story.

Most people know that you should never post a patient's name, date of birth, or Social Security number online, but few realize how much information can be contained in what seems to be an innocent photograph.

Imagine a birthday party in a hospital emergency room. A colleague snaps a photo of the birthday girl posing with her friends around the cake. It's posted on Facebook and Instagram. Sounds harmless, doesn't it? But wait — there's a long list of patient names written in big letters on the wall behind them, captured in high resolution. Oops. That's a problem.

Should you ban taking photos at work? Probably.

7. Keep personal and professional social media separate.

Social media breeds a certain informality that's not appropriate for healthcare. If you have a personal Facebook page, it's best not to "friend" any patients.

Insist that professional and personal profiles remain separate. Avoid blurring the lines and maintain smart boundaries: Work is work and friends are friends.

8. Celebrate and teach your natural "internal champions."

Every healthcare organization has staff members who are naturally great at promoting what their large practice does on social media. It pays to get to know them. It's important to work with and train employees on how to share content so that people see what your practice has to offer.

Nothing beats authenticity in social media. When you find internal champions who are genuinely excited about what the medical practice is doing, help them do it in the best and safest way possible. The networking and brand-awareness benefits for your practice can be priceless.

9. In a large practice, cultural norms matter.

A reality of running a large practice is that you can't monitor 500 employees the same way you can in a small practice of five employees. But you can teach cultural norms about social media so that your staff has a common goal of protecting patient privacy. For example, imagine an enthusiastic new employee who is about to take a photo of a patient and her new baby on his smartphone. A more experienced employee who has been trained would be able to intervene and point out the dangers.

10. Guard against too much screen time.

In some healthcare organizations, the interview process includes questions about the prospective hire's social media practices.

The reason is simple: Constant distractions affect productivity and patient safety. And because online activities are time-stamped, that information can be used in a lawsuit. If a physician has a bad outcome or caused harm, having been online excessively during surgery could present problems in the practice's and physician's defense.

Your social media policy should guard against excessive use by everyone on staff.

Understand the risks, but don't be afraid to dive in.

A strong social media policy for your large practice can help you guard against potential risks while maximizing your opportunity to promote your practice and patient health. With good management in place, you can move ahead with confidence.

This case comes from a column published by the Cooperative of American Physicians, Inc. The article was originally titled "10 Ways to Effectively Implement a Social Media Policy at Your Large Group Practice – And How it Can Save Your Practice Money."


Comments on Medscape are moderated and should be professional in tone and on topic. You must declare any conflicts of interest related to your comments and responses. Please see our Commenting Guide for further information. We reserve the right to remove posts at our sole discretion.