Are there guidelines for physicians regarding their use of social media?

The Federation of State Medical Boards has issued Model Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice,4 which contains the “industry standards” for cyber security, online behavior, and patient privacy. I advise all of my clients and the medical practices I work with to familiarize themselves with these guidelines.

What are the parameters of an employee’s use of social media?

There are 2 aspects of using social media as an employee of a medical practice. One is during work hours and the other is on one’s own time. A practice’s social media policies can’t be too restrictive, but on the other hand, social media posts must respect patients and do no harm to the practice.


Continue Reading

Obviously, there are concerns about distractibility and whether an employee’s attention is diverted by posting on Facebook or some other forum during work hours. This concern is across the board in all industries, not only medical.

But there are additional concerns that specifically apply to medical practices.

For example, it is legal to criticize one’s superior in a personal Facebook post. I know one case in which someone contacted her friend, a dental assistant, on a personal Facebook page to find out if her employer does dental implants. “Oh, he tries,” the dental assistant responded. While that may not be illegal, it’s definitely disrespectful. I’m sure the dentist did not want that type of comment out there.

On the other hand, there are aspects of work that would be completely inappropriate to post, even on a personal Facebook page.

What types of posts would be inappropriate for medical practice employees to post on their own social media sites?

Any practice-related matter concerning a patient would be a violation of HIPAA and inappropriate to post, even without mentioning the patient’s name. For example, there was a case with a nurse at a hospital who was in the ER when a police officer was shot and brought in, together with the alleged shooter, both being treated for gunshot wounds. The officer ended up dying from his injuries. The nurse went home and posted, “I had to take care of a cop killer today. Hope he burns in hell.” This was considered by her employer to be a violation of privacy and she was fired. I could see how some people would not see this as a breach of privacy because no names were used, but the facility had a firm policy in place that any post about a patient situation was grounds for dismissal.

What is the role of “policy” in these issues?

The role of “policy” is very important. There was a case of a female patient at a medical center who was given a diagnosis of an STD. Her ex-boyfriend worked at the facility, copied her records, and posted them with a derogatory heading about her. He was fired because the facility was able to determine that he had accessed the record in an unauthorized way, as he was not involved in her care. The patient sued the facility, but the facility was shielded from liability because they had a specific policy in place prohibiting employees not involved with a given patient’s care to access that patient’s records. There were also mechanisms in place to detect when that happened, and the facility took immediate action to dismiss the employee. It was ruled that although the employee had violated HIPAA, the facility was not held responsible.