Social Media Risks at Your Medical Practice: 5 Key Issues

October 12, 2013

Attorneys Barbara Zabawa and Melissa Giftus warn improper social media use can lead to possible HIPAA violations, increased malpractice liability, and more.

Today’s "share" culture puts medical practices in legal danger, said Barbara Zabawa and Melissa Giftus, attorneys with Whyte Hirschboeck Dudek in Madison, Wisc., during a presentation at the Medical Group Management Association Annual Conference.

They outlined five key issues to watch for:

1. Damage to reputation and compliance with Federal Trade Commission (FTC) guidelines for advertising. If you are seeking - or just getting - reviews from patients, be aware that they might not all be glowing. You can even get false reviews, Giftus pointed out.

If you actively solicit patient testimonials for use online there is more to watch out for. FTC guidelines require you to be able to substantiate advertising claims (as in, if a patient says they got better under your care, you better be able to pull a medical record to prove it). Advertisers also are prohibited from using only extraordinary results; you should show a spectrum. If you pay patients for their efforts or offer small gifts or rewards, be sure to include a disclaimer making the monetary exchange clear. Finally, don’t disparage competitors; it only makes them likely to report you to the FTC, Giftus pointed out.

2. HIPAA violations. With more devices and more sharing, your HIPAA policies need to keep up. Of course, protected patient health information (PHI) should be encrypted on laptops. Zabawa shared a story about one stolen laptop that cost a practice a $100,000 settlement.

But also train staff on HIPAA as it relates to posts on Facebook, Twitter, and even e-mail. While the actions of an employee might not be the fault of a practice, it is better to avoid any question, have policies, and educate - "take reasonable measures" in the words of Giftus. Consider this example: Two paramedics in training took pictures of a shark attack victim and sent them to friends via e-mail. While the patient’s face and name didn’t get passed around, there are only so many shark attacks in any given day, and the newspaper reports made it clear who got bit. Anything that makes the patient identifiable is PHI.

3. Loss of patient data. Giftus focused on two issues: protecting data on the cloud and explaining the rules on mobile devices. Many software vendors - from billing to EHR providers - now store data on the "cloud" rather than on a server in an office. Cloud-based services can easily be even more secure and compliant than a box sitting un-backed up and unprotected behind reception. Just make sure the contract with your vendor makes it clear what happens to the data if you change to another company or it goes out of business. "It has to be spelled out," Giftus urged.

Further, if physicians are accessing your EHR on iPads at home and not just on their secure work computers, make sure those devices, too, have HIPAA-compliant protections.

4. Employee ground rules. Plenty of businesses have policies regarding employee use of social media in relation to the workplace. That’s fine. But look carefully to make sure nothing in your rules violates the National Labor Relations Act (NLRA). The Act prohibits employers from restraining or coercing employees in the exercise of their Section 7 rights; those are rights like the ability to organize or take other actions related to compensation, work conditions, or other workplace complaints.

How can this come into play? Consider the case Giftus presented: General Motors. Its policy stated:

• "Think carefully about friending co-workers on Facebook," and

• "Communication with co-workers that would be inappropriate at work are also inappropriate online," she summarized.

A court deemed these "over-broad." It’s just not clear if Section 7 rights are included in what is considered inappropriate or if suggesting employees not "friend" each other constitutes an effort to stop them from organizing around work issues.

5. Malpractice liability. Patients who ask friends for medical advice are more likely to consider your advice bad. Giftus also warned that patients are using mobile devices to record visits, creating additional discoverable evidence. State rules determine whether patients can make recordings without telling you, she clarified, but the record is discoverable either way.

The digital social world is here. The only question is whether your practice is prepared for it.