In this week’s episode, Dr. MedLaw explores strategies physicians can employ to prevent liability from social media use.
Hi, this is Dr. MedLaw. For those of us who haven’t met yet, I’m a radiologist and a medical malpractice attorney.
We’re going to be doing the second part of our miniseries on social media today. In the last one, we looked at whether your posts on a physician chat site are discoverable. Now we’re going to look at how you can avoid liability arising from social media use generally.
Let’s start with the bright line rule that social media has absolutely no place in patient treatment. The Federation of State Medical Boards minced no words when it said that contact with patients about medical care “should never occur on personal social media networking or social media websites.” Any electronic networking with your patients about clinical matters should be solely limited to a patient portal system that you set up to permit specified forms of non-emergency clinical contact and which has defined protocols for your prompt follow-up on messages. All patients should be informed that this is the only acceptable form of e-communication with your office, and your website should also have a very clear banner warning that a Contact Us link is for general information and non-medical questions only.
If you have patients who are friends of yours, with whom you engage in personal social media contact, you must tell them that contact about their medical care must still be conducted through the standard system that applies to all patients. They can’t talk to you about their new rash on a site like Facebook.
All that having been said, let’s be realistic. You know that patients are going to ignore your warnings because that’s what people do. The standard to not be negligent is to act in accordance with reasonable foreseeability. So if your website has any way to leave messages, just make sure that your staff checks it at least at the same time that they check for phone messages from overnight, so that an e-message—that shouldn’t have been left—isn’t missed, because it may contain some very critical information that could someday be the basis of a lawsuit. You want to be timely.
The next issue is dealing with your staff to make sure that they don’t breach patient confidentiality in their own postings. This is the point that cannot be overemphasized because of the risk. That risk is through direct liability, if you fail to create adequate protections for patient confidentiality, and through vicarious liability, just because you are the employer.
You must—and that “must” is in 14-foot-high, purple lettering with neon signs, MUST—have a formal, written (and that means being in any practice bylaws and in any employee handbook) social media policy for the office.
Now, since this is a particularly essential aspect of avoiding liability, let’s look at it in more detail. First, make the policy brief, not more than two pages, and make it readable. First and foremost, you want it to be clear so that it can be followed unambiguously.
Then if the employee still violates it, you have to defend against a HIPAA complaint or a lawsuit under state law, or if you fire that employee and then are sued for wrongful termination, you want to be able to show that the rules were stated in understandable language. You should incorporate the relevant HIPAA and state medical confidentiality regulations by reference. Incorporation by reference just means by saying that they apply, but keep your own statement such that no one can doubt the meaning of it.
You should also define what you mean by social media. A useful definition is that it is any app, website, or other online means of communication that is used by groups of people to share information and to develop social and professional contacts. Now, that obviously would include Facebook, X, Instagram, TikTok, and Reddit, but would your employees know that it also includes LinkedIn, Pinterest, and YouTube? Give the definition, give examples, and then say that if the employee is in doubt as to whether a given site is covered, to check with you.
Then be specific that the rules apply to official communications and to personal social media postings. That second point is vital. Whether you have a 20-something medical assistant who grew up expecting to tweet every thought she has or a physician associate who vents on a doctor’s site, your staff must be absolutely clear that the wall of patient confidentiality is uniform. There is no daylight between the office and their online behavior on this issue.
You must also be clear that “all” actually means “all.” Most employees will understand that using protected health information maliciously, to do something like swipe at a romantic rival, is impermissible. But will they also appreciate that posting how happy they are that a struggling fertility patient is now pregnant is also a breach? Make sure to define both aspects. Also, make it clear that no photos are to be posted even if the poster thinks that they have de-identified them.
Then, state that friending of patients is barred. Make it unequivocal. Friending is virtually a guarantee that there will be no boundaries as a conversation progresses, and you just cannot take the risk, even if the patient is the one who initiates the friend request.
The point that should run through the policy is that it is absolute as to patient privacy. The reality is that when a practitioner thinks that they have stayed within the lines, a HIPAA medical board investigator or a jury may not agree. Most of us would assume that just not including the patient’s name, medical records number, sex, and age would be enough of a shield. But in a case where an ER doctor was sanctioned for posting on her Facebook page about an interesting case, knowing that the patient was treated by that doctor, at that hospital, on that date, for that condition was deemed sufficient to be able to identify the patient.
If you or a staffer thinks that a patient-specific posting has clinical or even inspirational value, the rules should be to get the patient’s permission, even if they will be de-identified by your standards. You also have to address the risk to your practice in social media postings about non-patients. If a staffer presents as being an agent of your practice, you’ll be sued as well as they will be if they are negligent in what they say. You, therefore, need to be clear that if a staffer opines on social media about someone’s condition or if they’re going to blog on a medical topic, then they cannot list their practice association with you and must specifically state that their expressions are solely their own. They must also not identify their position with you or use your practice name in a personal posting. For example, if your practice is Main Street Anesthesiology, then your CRNA cannot be “MainStreetGasGuy1” online.
This is an essential issue because if they personally post a horrible comment on social media, it is on them. But if they do so while being identifiable as your staff, it affects your reputation. Sure, you can then terminate them under a contract clause against holding the practice up to disrepute. But hey, the stink will still have attached to you. Therefore, you want to be proactive on this and make sure that there can be no perceived overlap by the public between your practice and a staff member’s personal comments.
You can also restrict the revelation of the practice’s business information, like a pending acquisition, merger, vendor agreements, marketing plans, and certainly employee files. And you should state that posting such on social media will make the employee who does so liable to the practice for any losses the practice suffers as a result.
Finally, state what the penalties are for not complying with the policy and mirror this in the employment contract. Staffers shouldn’t be in doubt as to consequences or as to how essential you view the matter.
Before we leave this issue, we have to note a limitation that comes from labor law on what you can have as social media policies. Article 7 of the National Labor Relations Act says that an employee may express themselves, including on social media, about the conditions of their work as part of concerted action about those conditions. This applies in non-union as well as union settings. The set-off though is that the National Labor Relations Board, which is the agency that enforces the law, does permit employers to formulate rules based on an expectation that employees “will comport themselves with general notions of civility and decorum within the workplace,” and has applied that in cases that regarded employee behavior on social media.
In other words, you can’t stifle dissent about work that happens to be expressed on social media, but you can restrict comments that are just nasty and disruptive, and certainly ones that implicate patient privacy. You want to vet your social media policy with an attorney who’s knowledgeable in medical practice and labor law, and ideally with an HR professional as well.
Lastly, and again, imagine that I am infinitely underlining this, you must carry adequate cyber liability coverage. That will also attach to such matters as your office’s EHR system and your HIPAA compliance, but you want to expressly extend it to your website or Facebook page. It is not applicable, however, to your personal conduct on personal sites, which I think you’d expect.
If your insurance company does not offer this coverage or only does so at a low level (50 to 100 thousand dollars is a low level; doing a case costs a lot more than that very fast), then look into surplus lines coverage to obtain it. In a modern medical practice, you cannot be without it.
Thanks for the chance to talk about this important topic.
Thanks for listening. Stay tuned for next week’s episode. To hear more, follow PeerPOV: The Pulse on Medicine on Apple Podcasts, Spotify, or Amazon Music.
This transcript has been edited for readability.