“I have a rare dermatologic disorder. In medical school, I read a case report about treatment for my disorder. I was surprised to read my history and shocked to see my childhood face staring back at me in the figures section. The case report was written when I was a child and my parents had signed a consent form that stated my case and images could be used for ‘educational purposes.’ My parents were not notified that my images and case were published. While surprised and shocked to read my history and see images of myself in a medical journal, I trusted my privacy was protected because the journal would only be read by medical professionals. Fast-forward to today, I do not know how comfortable I would feel if my images were shared on social media, with the potential to reach viewers outside of the medical community. If I were a parent, I would feel even more uncomfortable with reading my child’s case on social media, let alone viewing an image of my child.”
Social media has become ingrained in our society, including many facets of our professional life. According to a 2019 report from the Pew Research Center, 73% of Americans use social media.1 The PricewaterhouseCoopers Health Institute found 90% of physicians use social media personally, and 65% use it professionally.2
As the Pediatric Hospital Medicine Conference Social Media Cochairs (2015-2019), we managed official profiles on Twitter, Facebook, and Instagram. We also crafted and executed the conference’s social media strategy. During that time, we witnessed a substantial increase in the presence of physicians on social media with little available guidance on best practices. Here, we discuss patient privacy challenges with social media as well as solutions to address them.
PATIENT PRIVACY CHALLENGES ON SOCIAL MEDIA
In 2011, Greyson et al surveyed executive directors of all medical and osteopathic boards in the United States for online professionalism violations.3 Online violations of patient confidentiality were reported by over 55% of the 48 boards that responded. Of those, 10% reported more than three violations of patient confidentiality, and no actions were initially taken in 25% of violations. While these violations were not specific to social media, they highlight online patient confidentiality breaches are occurring, even if they are not being disciplined.
Several organizations, including the American Medical Association (AMA), the American Academy of Pediatrics (AAP), and the American College of Physicians (ACP) have developed social media guidelines.4-6 However, these guidelines are not always followed. Fanti Silva and Colleoni studied surgeons and surgical trainees at a university hospital and found that social media guidelines were unknown to 100% of medical students, 85% of residents, and 78% of attendings.7 They also found that 53% of medical students, 86% of residents, and 32% of attendings were sharing patient information on social media despite hospitals’ privacy policies.
Social media provides forums for physicians to discuss cases and share experiences in hopes of educating others. These posts may include images or videos. Unfortunately, sharing specific clinical information or improperly deidentifying images may lead to the unintentional identification of patients.8 Some information may not be protected by the US Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, and may lead to patient identification when shared.9 Despite disguising or omitting demographics, encounter information, or unique characteristics of the presentation, some physicians—not the posting physician—believe patients may still be able to identify their cases.8
Physicians who try to be mindful of patient privacy concerns face challenges with social media platforms themselves. For example, Facebook allows users to create Closed Groups (CGs) in which the group’s “administrators” can grant “admission” to users wishing to join the conversation (eg, Physician Moms Group). These groups are left to govern themselves and comply only with Facebook’s safety standards. The Society of Gastrointestinal and Endoscopic Surgeons used Facebook’s CGs to create a forum for education, consultation, and collaboration for society members. Group administrators grant admittance only after group members have agreed to HIPAA compliance. Group members may then share deidentified images and videos when discussing cases.10 However, Facebook’s Terms of Service states the company has “a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to host, use, distribute, modify, run, copy, publicly perform or display, translate, and create derivative works” of the content based on the privacy settings of the individual posting the content.11 Therefore, these CGs may create a false sense of security because many members may assume the content of the CGs are private. Twitter’s Terms of Service are similar to Facebook’s, but state that users should have “obtained, all rights, licenses, consents, permissions, power and/or authority necessary to grant the rights . . . for any Content that is posted.”12 If a patient’s deidentified story is posted on Twitter, the posting physician may be violating Twitter’s Terms of Service by not obtaining the patient’s consent/permission or explicitly stating so in their tweet.
In light of the challenges faced when posting medical cases on social media, we propose several solutions that the medical community should adopt to mitigate and limit any potential breaches to patient privacy. These are summarized in the Table.
Many medical students and residents are active on social media. However, not all are formally educated on appropriate engagement online and social media etiquette. A recent article from the Association of American Medical Colleges (AAMC) highlights how this “curriculum” is missing from many medical schools and residency programs.13 There are plenty of resources outlining how to maintain professionalism on social media in a general sense, but maintaining patient privacy usually is not concretely explored. Consequently, many programs are left to individually provide this education without firm guidance on best practices. We propose that governing organizations for medical education such as the AAMC and Accreditation Council for Graduate Medical Education have formal requirements, guidelines, and example curriculum on educating trainees on best practices for social media activity.
Health Organization Consent Forms
Healthcare organizations have a responsibility to protect patient privacy. We propose that healthcare organizations should develop independent social media consent forms that address sharing of images, videos, and cases. This separate social media consent form would allow patients/guardians to discuss whether they want their information shared. Some organizations have taken this step and developed consent forms for sharing deidentified posts on HIPAA-compliant CGs.10 However, it is still far from standard of practice for a healthcare organization to develop a separate consent form addressing the educational uses of sharing cases on social media. The Federation of State Medical Board’s (FSMB) Social Media and Electronic Communications policy endorses obtaining “express written consent” from patients.14 The policy states that “the physician must adequately explain the risks . . . for consent to be fully informed.” The FSMB policy also reminds readers that any social media post is permanent, even after it has been deleted.
Many professional organizations have acknowledged the growing role of social media in the professional lives of medical providers and have adopted policy statements and guidelines to address social media use. However, these guidelines are quite variable. All professional organizations should take the time to clarify and discuss the nuances of patient privacy on social media in their guidelines. For example, the American College of Obstetrics and Gynecology statement warns members that “any public communication about work-related clinical events may violate . . . privacy” and posting of deidentified general events “may be traced, through public vital statistics data, to a specific patient or hospital” directly violating HIPAA.15 In comparison, the AAP and ACP’s social media guidelines and toolkits fall short when discussing how to maintain patient privacy specifically. Within these toolkits and guidelines, there is no explicit guidance or discussion about maintaining patient privacy with the use of case examples or best practices.5,6 As physicians on social media, we should be aware of these variable policy statements and guidelines from our professional organizations. Even further, as active members of our professional organizations, we should call on them to update their guidelines to increase details regarding the nuances of patient privacy.
When a case is posted on social media, it should be the posting physician’s responsibility to clearly state in the initial post that consent was obtained. To simplify the process, we propose the use of the hashtag, #ConsentObtained, to easily identify that assurances were made to protect the patient. Moreover, we encourage our physician colleagues to remind others to explicitly state if consent was obtained if it is not mentioned. The AMA’s code of ethics states that if physicians read posts that they feel are unprofessional, then those physicians “have a responsibility to bring that content to the attention of the individual, so that he or she can remove it and/or take other appropriate actions.”4 Therefore, we encourage all readers of social media posts to ensure that posts include #ConsentObtained or otherwise clearly state that patient permission was obtained. If the hashtag or verbiage is not seen, then it is the reader’s responsibility to contact the posting physician. The AMA’s code of ethics also recommends physicians to “report the matter to appropriate authorities” if the individual posting “does not take appropriate actions.”4 While we realize that verification of consent being obtained may be virtually impossible online, we hope that, as physicians, we hold patient privacy to the highest regard and would never use this hashtag inappropriately. Lastly, it’s important to remember that removing/deleting a post may delete it from the platform, but that post and its contents are not deleted from the internet and may be accessed through another site.
Social media has allowed the healthcare community to develop a voice for individuals and communities; it has allowed for collaboration, open discussion, and education. However, it also asks us to reevaluate the professional ethics and rules we have abided for decades with regard to keeping patient health information safe. We must be proactive to develop solutions regarding patient privacy as our social media presence continues to grow.
The authors have no conflicts of interest to report.