Avoiding Social Media Blunders With Proactive Risk Management Policies

Laura M. Cascella, MA, CPHRM


Without doubt, social media’s ease, flexibility, and convenience offer various opportunities to enhance the dissemination of health information and communication between patients and healthcare providers. Like any type of technology, though, social media can create safety and risk issues if it is not used responsibly. Further, because social media changes rapidly, standards and best practices are not always well-defined.

Consider the following three case examples that illustrate how communicating with patients, or about patients, on social media can be problematic.

Case 1: Patient Has Second Thoughts After Authorizing Posting of Facebook Photo

Dr. A, a board-certified plastic surgeon, performed a successful breast augmentation on a patient in her mid-thirties. About 5 months after the procedure, the patient sent an email message to Dr. A’s practice expressing that she was extremely pleased with the results of the augmentation. In the message, she attached a picture of herself that highlighted the results of the surgery.

In response, Dr. A’s marketing manager asked the patient for permission to post the picture on Facebook. The patient consented via email to the posting, and asked the marketing manager to tag her on the image. About 2 hours after the picture was posted, the patient contacted Dr. A’s office and asked that they remove her picture from Facebook because people were posting critical comments about it.

Dr. A’s staff removed the picture immediately, but the patient was so upset that she contacted an attorney. The attorney sent a demand letter shortly thereafter; allegations included violation of the patient's privacy rights, negligence, breach of fiduciary duty, breach of contract, and infliction of emotional distress.

Although defense experts felt that the patient's case was weak, they were concerned about the patient’s consent to post the photo. The authorization that the patient sent to Dr. A’s office via email message did not include all of the elements required by HIPAA. To avoid the patient filing a complaint with the U.S. Department of Health and Human Services’ Office for Civil Rights, Dr. A agreed to settle the case.

Case 2: Online Dispute Becomes Problematic for General Dentist

Dr. M, a general dentist, treated a male patient in his fifties for various dental issues. Although the treatments were successful, the patient was unhappy with Dr. M’s office staff and the amount for which he was billed. The patient joined an online forum and began posting negative comments about Dr. M’s billing policies, office staff, and efficacy of care.

The patient's comments in the online forum included extensive details about his dental conditions, dental and medical history, and diagnoses. He also provided comprehensive summaries of his dental care prior to treatment with Dr. M.

Eventually, the patient's negative comments came to Dr. M’s attention, and he became very upset about the postings. The doctor responded to the posts by refuting certain points that the patient had made. Dr. M did not disclose any new information about the patient; he merely used the facts that the patient had already disclosed. Regardless, the patient filed a lawsuit against Dr. M alleging, among other things, invasion of privacy. The case went to mediation; with Dr. M’s consent, a settlement was reached.

Case 3: Physician’s Tweets Prove Costly

A state medical board received a complaint that an internal medicine physician in a small town had posted information on Twitter about specific patients without their knowledge or consent. The postings occurred over a 12-month period.

The medical board initiated an investigation into whether the physician’s actions constituted (a) a breach of doctor–patient confidentiality, (b) a violation of laws connected with practice, and/or (c) unprofessional conduct.

The physician did not dispute that he tweeted about his patients; however, he argued that the tweets did not include any personally identifiable information. Some of the tweets included comments about the physician's interactions with patients, pictures of X-rays, and cropped images of notes from undefined individuals.

Nonetheless, the medical board initiated a formal investigation into the matter and the physician was required to submit a further response. Eventually, the medical board dismissed the matter because it was not able to prove that a violation occurred. However, the physician had significant expenses related to legal fees.

Addressing Social Media Risks

To avoid precarious situations — like those described in the case examples — healthcare providers should be aware of the risks associated with social media and proactively develop policies and guidance to reduce liability exposure.

Including staff in the development or updating of social media policies can support compliance, reinforce the importance of appropriate social media conduct, and increase the likelihood of identifying potential policy shortcomings.

Important areas to consider when developing your practice's social media policies include:

  • The practice's goals and target audience for social media communication
  • Acceptable and unacceptable uses of social media, with explicit examples
  • Authorization and accountability for developing and posting social media content on behalf of the practice
  • The review and approval process for social media content
  • Standard disclaimer and disclosure language
  • The patient consent process (e.g., for any marketing or advertising efforts on social media that will include patient information, such as pictures or testimonials)
  • Terms of use for visitors on the practice’s social media sites
  • The process for reporting inappropriate use of social media

When developing these policies, keep in mind that social media is dynamic and constantly changing. To address this, create policies that are flexible and adaptable to new or changing social media technologies. Doing so will help avoid the need for constant updating [1]. Additionally, consider scheduling a routine review of your social media policies (e.g., yearly) to identify any outdated or missing information.

Learn More

For more information about developing effective social media policies, see MedPro’s article Social Media in Healthcare: A Slippery Slope. For guidance on responding to negative reviews, see MedPro’s Risk Tips: Managing Negative Online Reviews From Patients.


[1] ECRI Institute. (2017, March 24). Social media in healthcare. Healthcare Risk Control. Retrieved from www.ecri.org/components/HRC/Pages/AdSup4.aspx
