Social media is an increasingly common resource for people to learn about medical care and their health conditions. Patients can find healthcare professionals actively posting on Twitter, Facebook, Instagram, TikTok, and other social media platforms, offering their expertise, debating policies and practices, promoting patient care and education, and raising awareness of new health-related developments. With this wealth of resources readily accessible to patients, it is not surprising that a study has revealed that one in five Americans turn to TikTok before calling their own doctor.1 To ensure that information being shared via social media is doing the general public and the practitioner good, however, attention should be paid to a few regulatory and industry recommendations, which if not followed, can lead to costly legal problems.
Pay Attention to HIPAA Pitfalls
It should go without saying that healthcare professionals must comply with privacy and security requirements of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”),2 as modified by the Health Information Technology for Economic and Clinical Health Act,3 if they are using and disclosing protected health information on their social media platforms.
Unfortunately, many providers are unaware of how broadly the term “protected health information” can be construed. Under HIPAA, protected health information encompasses any individually identifiable health information, which relates to a particular patient.4 Consequently, in addition to details of a patient’s past, present or future treatment, all names, photos, and other tidbits about a patient (including things like tattoos) should be kept off a practitioner’s social media unless they have first obtained a valid authorization from the patient. Among other things, such authorization must meaningfully describe the information the provider intends to use and disclose and their reasoning for doing so.5 That said, healthcare professionals on social media should also know that HIPAA does not restrict the use or disclosure of “de-identified” health information, which “neither identifies nor provides a reasonable basis to identify an individual.”6 To de-identify information, the healthcare provider can either receive a formal determination by a statistician or, more commonly, remove all specifics related to the individual, including their family history, household members, employer information, and any other recognizable depictions.7
As a dental practice in Texas found out not too long ago, express patient authorization is a standard that cannot be ignored, no matter the situation.8 In responding to a patient’s negative Yelp review, the dental practice disclosed the patient’s last name and details of the patient’s health condition.9 The Office of Civil Rights (“OCR”) of the Department of Health and Human Services (the federal agency which oversees HIPAA) issued the dental practice a fine of $10,000 for the unconsented disclosure of the patient’s protected health information.10 Similarly, in June 2023, the OCR fined a New Jersey healthcare provider $30,000 for impermissibly disclosing patient information, including the patient’s mental health diagnosis and subsequent treatment, while responding to the patient’s negative online review.11 And, in neighboring Rhode Island, the Department of Health Board of Medical Licensure and Discipline (the “Board”) fined a physician $500 and required attendance at a confidentiality course for revealing personal identifiable information about her patients on Facebook.12 According to the Board, the physician described the patients’ injuries with such depth, that the patients could be identified by unauthorized third parties.13
These civil fines, though serious in nature, do not come close to the maximum permissible amounts. There are four tiers to the sanctions available under HIPAA, each of which ratchets up with increasing levels of culpability (Table 1).
Table 1.
Penalty Tier | Level of Culpability | Minimum Penalty Per Violation | Maximum Penalty Per Violation | Annual Penalty Limit |
---|---|---|---|---|
Tier 1 | Lack of Knowledge | $127 | $31,987 | $31,987 |
Tier 2 | Reasonable Cause | $1,280 | $63,973 | $127,974 |
Tier 3 | Willful Neglect | $12,794 | $63,973 | $319,865 |
Tier 4 | Willful Neglect (not corrected within 30 days) | $63,973 | $63,973 | $1,919,173 |
Additionally, criminal penalties can come into play if a person knowingly obtains and discloses protected health information in violation of HIPAA’s requirements.14
These examples underscore the importance of understanding where HIPAA protected health information begins and ends and the perils of failing to obtain appropriate authorization. To combat HIPAA risks associated with their use of social media, it is critical that healthcare providers implement policies, which discourage all types of specific patient references and spell out procedures for obtaining valid authorizations. In addition, training on what is and is not permitted under HIPAA should be rolled out across the entire practice—even to those personnel who are not typically interacting with patients and their information.
Counter the Spread of Medical Misinformation
One of the benefits and banes of social media is that it offers the rapid dissemination and consumption of information. But the on-demand nature of social media also gives rise to concerns of accuracy, credibility, and reliability—concerns which are often neglected before information is published but can lead to significant liability exposure when they are called out afterwards.
The COVID-19 pandemic magnified the problem of medical misinformation on social media. One study found that nearly eight in ten adults heard of or consumed medical misinformation related to the pandemic.15 One chiropractor notably found himself faced with a federal lawsuit resulting from his failure to verify the accuracy of the content he promoted on social media. During the pandemic, the chiropractor marketed vitamin D and zinc products, claiming they were more effective at treating COVID than vaccines.16 Shortly thereafter, the Federal Trade Commission sued the chiropractor for violating the COVID Consumer Protection Act of 2021.17 Finding that the chiropractor engaged in deceptive advertising, a federal judge ordered him to pay an $80,000 fine and permanently restrained him from promoting his products as ones that prevented, treated, or reduced the severity of COVID.18
An important takeaway from this enforcement action is that medical misinformation has the power to negatively impact the general public, the reputations of individual practitioners and the larger healthcare community. As such, providers must be diligent in ensuring that all their healthcare-related social media posts contain scientifically accurate content.
Avoid Potential Conflicts of Interest
Many social media users have built lucrative online careers. For healthcare professionals, social media stardom and paid marketing campaigns carry risks and must be thoroughly considered and vetted.
As a current case in point, a licensed nurse practitioner specializing in dermatology gained notoriety as a social media influencer by posting skincare and beauty content.19 Achieving popularity, the nurse practitioner began offering virtual consultations and announced a “Skincare Expert Course,” which provided lessons to healthcare providers and skincare enthusiasts about acne, healthcare routines, and dermatology principles used to treat patients.20 The nurse practitioner’s employer terminated her employment, finding that she breached her employment contract by competing with the employer’s business and overall “hurting the field [of dermatology] more broadly by sidestepping having to refer to a dermatologist altogether.”21
As this situation shows, when using social media, healthcare professionals must consider not only their ethical and regulatory compliance obligations, but also the duties owed to their employers and the profession at large.
Develop and Maintain Social Media Policies
As a nursing facility in Winston-Salem recently learned the hard way, social media policies provide an effective tool to address unprofessional online conduct. The nursing facility employed a nurse who regularly posted about her job on TikTok,22 amassing a following of more than 38,000 active viewers.23 In one video, the nurse is seen holding a pill bottle, with an overlay caption stating, “me making sure all my patients sleep all night cause they kept me up last night.”24 Other videos included purported jokes of lying about vital signs and unplugging a patient’s ventilator to charge her phone.25 The nurse claimed that her TikTok videos were merely “just dark humor.”26 While none of the videos identified patients or disclosed any patient health information, the nursing facility nonetheless terminated the nurse’s employment for violating the company’s code of conduct and harming society’s perception of the nursing profession.
To sidestep these lapses in behavior, healthcare employers should develop and maintain up-to-date policies that acknowledge the importance of social media, but also contain clear statements regarding the entity’s culture and expectations for professionalism. Such policies should also specify the types of information that can and cannot be shared on social media and identify those who are authorized to post on behalf of an employer—making clear that employee posts reflect the personal opinions of the employee and not the employer. Finally, any social media policy should comply with the National Labor Relations Act,27 which gives employees the right to join together to improve their working conditions. This “right to join” includes activities occurring in cyberspace, such as on Facebook, Twitter, Instagram, or even TikTok.28 In this way, regardless of whether they are represented by a union, employees have the legal right to engage in discussion with each other about their pay, benefits, and working conditions with coworkers on social media and any policy must not have a chilling effect on such protected activities.
Once drafted, the employer should provide the social media policy to all employees, obtain employees’ express acknowledgement and agreement to comply, and ensure employee understanding through robust and regular trainings.
Conclusion
Deployed wisely, social media can greatly benefit access to and delivery of healthcare by creating connections, offering on-demand information, and promoting innovation. To achieve these aims, however, physicians and their employers must manage the risks social media poses by establishing policies and training programs, which assure patient confidentiality and safety and foster professional online presences that enhance the reputations of individuals and the industry alike.
Footnotes
Julianne Story, JD (left), Labor and Employment Partner; Peter Enko, JD (center), Healthcare Regulatory & Compliance Counseling Partner; and Michaeli Hennessy, JD (right), Labor and Employment Associate, from the Kansas City office of Husch Blackwell, LLP, wrote this article. Husch Blackwell represents a full spectrum of healthcare providers and other businesses in developing compliance strategies, preliminary enforcement measures, employment concerns, and litigation matters. The information contained in this article should not be construed as legal advice or a legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and readers are encouraged to consult their attorney concerning their specific situation and specific legal questions.
References
- 1. The Shifting Role of Influence and Authority in the Rx Drug & Health Supplement Market. charityrx. Sept 21, 2022. https://www.charityrx.com/blog/the-shifting-role-of-influence-and-authority-in-the-rx-drug-health-supplement-market/
- 2. 42 U.S.C.A. § 101-512
- 3. 42 U.S.C.A Ch. 6a, Subch. XV.
- 4. 45 CFR § 160.103
- 5. 45 CFR § 164.508
- 6. 45 CFR §§ 164.502(d), 164.514(a) and (b). See also, Summary of the HIPAA Privacy Rule. US. Dept. of Health and Human Services; Oct 19, 2022. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html
- 7. Id.
- 8. Alder Steve. Dental Practice Fined $10,000 for PHI Disclosures on Yelp. The HIPAA Journal. 2019 Oct 3.
- 9. Id.
- 10. Id.
- 11. Alder Steve. $30,000 Penalty for Disclosing PHI Online in Response to Negative Reviews. The HIPAA Journal. 2023 June 6.
- 12. Merrill Molly. “Coffee Shop Test” May Have Prevented RI Doc’s Facebook Debacle. Healthcare IT News. 2011 April 21.
- 13. Id.
- 14. Summary of the HIPAA Privacy Rule, supra note 6.
- 15. Barron Madeline. How to Spot and Combat Health Misinformation. American Society for Microbiology; Sept 9, 2022.
- 16. Obradoviç Monica. St. Louis Chiropractor Fined $80K for Spreading Covid Misinformation. RiverFront Times. 2023 Aug 3.
- 17. United States of America v Quickwork, LLC and Eric Anthony Neptune No. 4:21-cv-00437 (E.D. Mo. May 5, 2021).
- 18. Id.
- 19. Levine Alexandra. Doctors and Nurses Are Becoming Internet Stars. Some Are Losing Their Jobs Over It. Forbes; Dec 21, 2022.
- 20. Id.
- 21. Id.
- 22. Hatchett Ford. Triad Nurse Says She Was Suspended Over TikTok Videos. WXII. 2021 June 28; see also Kozma Leila. A Triad Nurse Came Under Fire for Posting TikToks about Workplace Misconduct. Distractify. 2021 June 30.
- 23. Id.
- 24. Id.
- 25. Id.
- 26. D’Ambrosio Amanda. Nurse Suspended Over TikTok Videos about Patients. MedPage Today. 2021 July 7.
- 27. 29 U.S.C. §§ 151.166 Suppl. 2.
- 28. What’s the Law: Social Media. National Labor Relations Board; https://www.nlrb.gov/about-nlrb/rights-we-protect/the-law/employees/social-media-0