Social Media in Healthcare: A Slippery Slope
MedPro Group Patient Safety & Risk Solutions
In the past two decades, social media has become ubiquitous in the United States and abroad. The widespread proliferation of electronic messaging, social networking, media sharing, discussion forums, blogging, and more has connected people in new and engaging ways that traditional forms of communication have not. The ability to quickly communicate and share information has shaped how people interact as well as their expectations related to those interactions.
Research shows that nearly 72 percent of U.S. adults use social media sites — such as YouTube, Facebook, Twitter, Instagram, Snapchat, LinkedIn, and Pinterest — and the average person accesses seven different social media platforms per month.1 Because social media use is more prevalent with younger age groups, it is realistic to assume that its popularity and role in many types of communication will continue to grow.
In the past, healthcare was relatively slow to implement social media as marketing and communication tools, primarily because of concerns about violating patient privacy. However, as consumer demand has risen, and organizations attempt to find new ways to connect with patients, social media has become more of a mainstay for healthcare organizations of all types and sizes. Yet, with social media benefits come risks; leveraging social media for professional purposes can be a slippery slope, and its use in healthcare presents various challenges.
This article discusses opportunities and common risks associated with using social media for healthcare communication and delivery, and it also offers strategies that healthcare providers and their staff members can implement to reduce risks.
What Are the Potential Benefits of Social Media?
The use of social media can bring significant communication and educational benefits to both healthcare providers and consumers. Many healthcare providers use social media to connect with professional groups and peers, research medical information, and stay up to date with new information and research that might affect patient care and daily practice. Further, providers use social media to post educational content and other information for patients, to market and advertise services, and to enhance visibility and reputation.
For consumers, social media can assist with searching for new healthcare providers, keeping up with healthcare issues and concerns, finding support groups, researching alternative medications and side effects, tracking information from health apps, and more. Data from the Pew Research Center show that more than one-third of U.S. adults have used the internet to try to figure out a medical issue, and other research shows that social media tools influence the choice of a specific hospital, medical facility, or doctor for 4 in 10 people.2
What Are the Risks of, and Strategies for, Using Social Media?
Undoubtedly, social media offers various functions that may potentially enhance the dissemination of healthcare information and communication among healthcare providers and between providers and patients. But what about the risks? Like any type of technology, social media can create safety and liability issues if it is not used responsibly. Additionally, because social media changes rapidly, standards and best practices are not always well-defined.
To address these challenges, healthcare leaders, providers, and staff members should be aware of the potential risks associated with digital interactions, develop detailed social media policies, and implement risk strategies to safeguard their patients and practices.
Maintain Privacy and Security
In healthcare, one of the most significant concerns related to social media is the need to maintain strict confidentiality and safeguard patients’ protected health information (PHI). This obligation is addressed in federal law and governed by the U.S. Department of Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Many states also have laws related to privacy and security of patients’ PHI — and these laws might be more stringent than federal laws.
Because the boundaries between appropriate versus inappropriate and personal versus professional use of social media can easily blur, managing privacy risks can be challenging. For example, numerous instances have occurred in which healthcare workers have posted pictures of, or details about, their patients on their professional or personal social media pages without patients’ consent. Regardless of whether these actions were intentional or inadvertent, they violated confidentiality and the patients’ privacy rights.3 ECRI explains that social media can elevate privacy concerns because it “distributes information instantaneously to a wide audience; also, unlike in-person conversations, use of social media creates a permanent electronic record that is likely discoverable in litigation.”4
Various risk management strategies can help healthcare practices address privacy concerns related to social media. For example:
- Ensure providers and staff members are aware of what types of information and personal identifiers are considered PHI under HIPAA.
- Do no post or publish any content on social media sites that contains identifying information (including photographs and testimonials) without the patient’s permission and written consent. The consent should explicitly state how the information will be used.
- Consider prohibiting the photographic use of cellphones and other portable electronic devices (PEDs) as part of organizational policy.
- Have someone who is familiar with HIPAA and state privacy regulations review social media content to ensure information does not violate patient confidentiality.
- Train providers and staff members on HIPAA and state privacy laws, and educate them about the consequences of violating these regulations.
- Ask providers and staff members to sign confidentiality agreements, and maintain a signed copy of the agreement in each employee’s personnel file.
- Be aware that responding to a patient post or review on a social media site might violate privacy laws.
- Understand the technical limitations and terms and conditions of any social media sites that you plan to use. For example, information sent via messaging functions is likely not encrypted, and the site might maintain the right to access any personal information.
Taking steps to address privacy concerns by developing social media policies and implementing strategic safeguards can help protect patients and reduce liability exposure.
Establish Appropriate Boundaries
Social media can create a new dynamic in provider–patient relationships, and it also can generate ethical and legal challenges. Dr. Humayun Chaudhry, the Federation of State Medical Boards’ President and CEO, has warned that “Anything physicians post on sites can be forwarded, taken out of context, and accessed and retrieved in perpetuity. That’s a fact that many physicians don’t always think about when they engage in social media.”5
Because social media is used for both personal and professional purposes, the boundaries between the two can sometimes become difficult to distinguish. However, healthcare providers generally should assume that their staff members and patients are likely using some form of social media, and anyone could potentially see social media posts that the provider or a staff member creates as well as what anyone else writes about the healthcare practice on social media sites.
Because of these concerns about personal and professional boundaries, healthcare professionals are advised to keep their personal and professional social media activities separate and to “comport themselves professionally in both.”6 For example, healthcare providers should not “friend” patients on Facebook or mix social relationships with their professional relationships. Instead, they should apply the same ethical principles that govern their traditional patient encounters to their online interactions with patients, including privacy and confidentiality standards.
Further, providers should be aware of the implications of offering online information that might be construed as personal healthcare advice. Doing so could inadvertently trigger a duty to care, and it also may pose patient safety concerns. Because of this, electronic media should include standard disclaimers and disclosure language that explain the nature of the communication (e.g., for informational purposes only) and caution users against interpreting the content as healthcare advice.
Develop Social Media Policies
Developing and implementing social media policies and guidelines are essential steps for managing risks associated with social technology. Include staff members in the initial planning and drafting of policies, and ask them to help identify and assess potential issues.
Key areas to consider when developing organizational social media policies include:
- The practice’s goals and target audience for social media communication
- Acceptable and unacceptable use of social media, with explicit examples
- Who is authorized to develop and post social media content on behalf of the practice
- The review and approval process for social media content
- Standard disclaimer and disclosure language
- The patient consent process for using their words, images, stories, etc., on social media
- The process for reporting inappropriate use of social media
When developing these policies, keep in mind that social media is dynamic and constantly changing. To address this, create policies that are flexible and adaptable to new or changing social media technologies. Doing so will help avoid the need for constant updating.7
In addition to having policies for social networking websites (e.g., Facebook, Twitter, and Instagram), healthcare practices also should have written guidelines for the use of email and other types of electronic messaging, such as texting and portal communications.
The American Medical Association’s (AMA’s) Code of Medical Ethics outlines key strategies for managing electronic communication risks, which include:
- Upholding professional standards of confidentiality
- Maintaining privacy, security, and integrity of patient information
- Notifying patients about the limits of electronic communication
- Obtaining patients’ consent for using electronic communication prior to sending privileged information
- Presenting medical information in a manner that meets professional standards
- Being aware of laws that determine when a physician–patient relationship has been established
For more detailed information, see AMA’s Code of Medical Ethics Opinion 2.3.1 — Electronic Communication With Patients.8 Similar to the AMA, dental guidance also recommends that patients should be notified about, and accept the risks of, communicating electronically before such communication is used.9
When developing an electronic communication consent form, consider including the following information:
- Types of services and information that are suitable for electronic interactions (e.g., nonemergent questions/concerns, prescription refills, appointment requests, etc.)
- Criteria for establishing a provider–patient relationship
- Notice of whether the electronic communications originating from the practice are encrypted
- A statement notifying patients to contact emergency medical services if they are experiencing an urgent problem
- The general turnaround time for responding to electronic communications
- The right of the healthcare provider to refuse to make conclusions or decisions regarding treatment based on information obtained electronically
The electronic communication consent form should also include (a) a statement that the patient has read and accepted the policy, and (b) a place for the patient’s signature. The healthcare practice should maintain the signed release in the patient’s record.
Control Quality and Monitor Your Online Presence
Part of maintaining a professional presence online is monitoring the quality of information posted or sent on behalf of your practice. Information should be accurate, current, objective, and nonambiguous. Policies that establish who is responsible for developing content and how content is reviewed and approved will assist with quality control efforts.
Depending on the type of social media being used and/or the control settings, site users might be able to post content or comments to the practice’s social media pages. Understanding the types of media the practice is using and how users can potentially interface with it are important aspects of quality control.
Organizational social media policies should include a mechanism for monitoring online presence and managing negative, offensive, or inaccurate information. To ensure consistency with organizational policy, healthcare leaders or administrators might want to consider assigning one person to review external comments, posts, and responses and handle them accordingly. Keep in mind that comments and responses from staff members must comply with privacy standards.
Educate Healthcare Providers and Staff Members
Educating providers and staff members about how much and what types of personal and professional social media usage and tools are acceptable in the workplace is an essential risk management strategy.
A report from the Pew Research Center showed that the majority of workers use the internet and social media on the job for various personal and work-related activities.10 In healthcare settings, a significant challenge is instilling common sense and discretion regarding personal and professional use of these technologies. Organizational policy should define appropriate use of the internet and PEDs (such as cellphones and tablets). For example, the policy might require that employees turn off their personal phones during office hours and retrieve and respond to their messages during breaks.
Education about the practice’s social media policies as well as discussions about the potential risks and liability issues associated with social media, should be included as part of orientation training and ongoing staff education. Providers and staff members also should be aware of the disciplinary actions for violating the practice’s social media policy.
Social media can serve many useful purposes in healthcare by facilitating communication, enhancing information sharing, and promoting services. However, with these opportunities come challenges. Maintaining privacy and confidentiality, establishing appropriate boundaries, developing written policies, monitoring online activities, and educating providers and staff members should remain in the forefront of healthcare practices’ risk management strategies for social media. Further, as these technologies continue to evolve, healthcare practices will need to adapt to ensure a safe and respectful environment for patients, staff, and providers.
- Pew Research Center. (2021, April 7). Social media fact sheet. Retrieved from www.pewinternet.org/factsheet/social-media/; Barnhart, B. (2022, March 22). 41 of the most important social media marketing statistics for 2022. Sprout Social. Retrieved from https://sproutsocial.com/insights/social-media-statistics/
- Fox, S., & Duggan, M. (2013, January 15). Health online 2013. Pew Research Center. Retrieved from www.pewinternet.org/2013/01/15/health-online-2013/; Brimmer, K. (2012, June 13). PwC report shows importance of social media to healthcare. Healthcare Finance. Retrieved from www.healthcarefinancenews.com/news/pwcreport-shows-importance-social-media-healthcare
- ECRI. (2021, January 12). Social media: Organizational risks. Health System Risk Management. Retrieved from www.ecri.org; Parsi, K., & Elster, N. (2015, November). Why can’t we be friends? A case-based analysis of ethical issues with social media in health care. AMA Journal of Ethics, 17(11), 1009-1018. doi:10.1001/journalofethics.2015.17.11.peer1-1511
- ECRI. (2021, January 12). Social media: Staff-related risks. Health System Risk Management. Retrieved from www.ecri.org
- Clark, C. (2013, April 12). ACP, FSMB issue stern guidance on social media. Retrieved from www.healthleadersmedia.com/strategy/acp-fsmb-issue-stern-guidance-social-media
- Farnan, J. M., Sulmasy, L. S., Worster, B. K., Chaudhry, H. J., Rhyne, J. A., & Arora, V. M. (2013). Online medical professionalism: Patient and public relationships: Policy statement from the American College of Physicians and the Federation of State Medical Boards. Annals of Internal Medicine, 158(8), 620–627.
- ECRI, Social media: Organizational risks.
- American Medical Association. Code of medical ethics opinion 2.3.1: Electronic communication with patients. Retrieved from www.ama-assn.org/delivering-care/ethics/electronic-communication-patients
- Kouzoukian, J. G., & Anvar, B. (2019). Protecting electronic communications: Don’t let convenience trump compliance in your interactions with patients. Inside Dentistry, 12(15). Retrieved from www.aegisdentalnetwork.com/id/2019/12/protecting-electronic-communications; New Jersey Dental Association. (2014). Emailing patient information: A resource for dental practices. Retrieved from www.njda.org/docs/librariesprovider35/default-document-library/emailing-patient-records.pdf
- Lampe, C., & Ellison, N. B. (2016, June 22). Social media and the workplace. Pew Research Center. Retrieved from www.pewinternet.org/2016/06/22/social-media-and-the-workplace
This document does not constitute legal or medical advice and should not be construed as rules or establishing a standard of care. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors if you have any questions related to your legal or medical obligations or rights, state or federal laws, contract interpretation, or other legal questions.
MedPro Group is the marketing name used to refer to the insurance operations of The Medical Protective Company, Princeton Insurance Company, PLICO, Inc. and MedPro RRG Risk Retention Group. All insurance products are underwritten and administered by these and other Berkshire Hathaway affiliates, including National Fire & Marine Insurance Company. Product availability is based upon business and/or regulatory approval and may differ among companies.