Know Before You Post: Legal and Regulatory Considerations for Medical Office Social Media Contributors

While social media provides a great opportunity to connect with both new and existing patients, are you aware of all the guidelines and regulations when it comes to sharing on these platforms as a medical practice?

In this video, Etna Interactive CEO Ryan Miller takes us through the requirements that you need to be thinking about when sharing content and communicating on the web. Not only will this ensure that you are protecting patient privacy, but all employees and the practice as well. Follow along to learn what policies you should have implemented and what to avoid when you are on social media.

Video Transcription:

Hi, I’m Ryan Miller and today we’re going to be talking about the legal and regulatory considerations for individuals who contribute to social media on behalf of a medical practice. Bottom line, if you have a role that relates to social media and you’re concerned about keeping yourself, and your practice out of hot water, this video is designed for you.

There are two specific things that we want to point out here. This is limited to medical practices in North America, so the United States and Canada, and it’s specifically designed for practices whose medical director has already achieved their desired board certifications. If your doctor is board eligibleand seeking to sit for examination in the next year, to year and a half, it’s important that you step back, talk with your doctor and make sure that you understand the restrictions attached to their board eligibility status.

In California, if not an ABMS or MBC approved board, I counsel using, “Diplomate of the American Board of [non-ABMS]”, as opposed to “Board Certified by American Board of [non-ABMS].” This is due to BPC Section 651 (h)(5)(C).

Jeff Segal, MD, JD | Medical Justice

Keep in mind as well, this is not necessarily an exhaustive list of every law, code, or guideline that could apply to you. We’re looking at the big things that over the last 20 years we’ve learned, impact clinics who are participating in the online conversation and social media.

Let’s start by looking at the big picture. If you’re newer to communication for a medical clinic, this might be a new idea for you. But ultimately, medical practices are governed by a variety of layered regulations. We often are concerned with things that are coming out of medical specialty boards or professional associations to which your doctors belong. There are national guidelines, some of them are civil, some of them are criminal codes about which we need to be concerned, and then most specifically, and often these are first area where complaints might arise, are the regional licensing requirements. These would be things in the United States from a state medical licensing board, or in Canada from provincial colleges.

We’re going to walk through a series of guidelines and regulations that touch on requirements coming out of all of these different types of regulating bodies. Let’s use an example as an initial thought exercise to get us all engaged.

An injector inside of an aesthetic practice takes a photo with a patient on their personal phone, and then posts that photo to their own social media, perhaps celebrating an outcome but without the consent of the patient. Who’s ultimately responsible for that post?

Well, any communication on behalf of the practice that’s transmitted by any party is ultimately the responsibility of your medical director. That includes things like blog posts, before-and-after photos that go into a gallery, commentary and responses that appear on social media, whether they come directly from a staff member, or an agency that’s hired by the practice. It’s true whether the content is posted during normal business hours or after hours. So everything ultimately shines back onto practice leadership.

Now consider this, another kind of gray area that we have to be concerned about. You’re office collects a patient’s email on an intake form. Can you use that email for an unsolicited marketing message? Well the answer is somewhat complex. In Canada for example, where we have the Can-Spam Laws, there’s a very explicit prohibition from using emails other than their explicit and intended purpose. In the United States, the area is a little bit more gray. In this particular case we might have a HIPAA violation if we use data that’s collected in the course of care for an unsolicited marketing purpose.

In either case, and in general terms, it’s safest if you always assume the most conservative position relative to patient privacy and seek guidance from practice leadership if you are not sure. Our responsibility in every communication is to make sure we’re protecting the privacy of the patients and the prospects that we serve.  

So lets summarize the big picture. It’s your medical director’s license that’s on the line and they’re subject to multiple layers of regulation. They are ultimately accountable for any communication that happens on behalf of the practice, a variety of social media types of communications such as blog posts, posts on Facebook or Instagram, and on behalf of anyone representing the clinic, so it might be you yourself or the agencies that serve the clinic, and we have a shared responsibility to protect the privacy of patients.

Now, lets take a moment and think about the human resources implications that are attached to social media participation on behalf of the medical practice. Our advice here is to have a moment in time after you watch this video to ask practice leadership if there are specific policies governing your participation on social media.

Now here’s why, back as early as 2012 there were formal studies being published discussing the rise in specific incidents of online professionalism violations on behalf of clinics and physicians, many of which were resulting in specific disciplinary actions. This has been a problem for a while, its difficult to participate on social media as a medical professional, and you need to understand because of this, whether policies have been implemented inside your system or office that govern how you communicate.

What kind of policies exist? Well some policies that exist; articulate guidelines for the type of content that can be published on social media. Others look at workflow and how content needs to be reviewed and who needs to approve it before it can be published. Some limit which members of your team are actually allowed to participate on social media on behalf of the clinic, and still more describe what are the privacy policies for handling sensitive patient information when you’re working with that content and your social media responsibilities. Finally, some policies go far in defining the specific relationships that staff members can form with patients, some actually restricting your ability to form a private social media connection on your personal account with a patient.

Now, lets take a moment to reflect why these things are important. Lets consider the story of a North Carolina nurse who lost her job after a social media post. It’s a tragedy for two reasons. First, a woman in a car accident lost her life that also injured two other members of her family. This nurse at the end of her shift posted that the woman should have been wearing her seatbelt. That particular post resulted in outrage online and social media and a follow-up post from the nurse that she was present when the woman and the family members arrived in the hospital.

That second post was an admission of a private healthcare data point that ultimately constituted in the United States what is known as a HIPAA violation. That hospital system used that violation as the basis for the second tragedy which is the loss of the nurse’s job.

I share this story because I want you to understand that it’s important that you think about the fact that every one of your social media posts may ultimately impact your employment status and to keep it professional at all times.

Lets move on and we’ll talk about the importance of avoiding false, fraudulent, and misleading statements on social media. The bottom line is where in other areas you might be able to exaggerate to help sell a product or service, the stakes are higher in healthcare and you can never exaggerate or mislead the public in your posts.

In every region of the North American territory there are specific guidelines but they all have common language that prohibits false, fraudulent, misleading, or deceptive statements being present in communications that appear on behalf of a practice. What are examples of misleading communication that we need to watch out for? Well, making unsupportable claims, misrepresenting your provider’s certifications, underestimating pain, risk, or recovery associated to procedure, exaggerating results that may be typically expected, or offering a promotion and then omitting key data such as related costs or additional services that may be required to enjoy the full benefits of that particular procedure.

Here’s a great thing to consider: is your provider truly the best? It can be difficult to support except in cases where your provider has received a specific reward that we can name or mention inside of our marketing communications.

Here’s the checklist that you can use to ensure that you’re publishing language that’s free of false, fraudulent, misleading, or deceptive statements. Don’t exaggerate, reference the full name of your provider’s certifying boards rather than simply referring to them as ‘board-certified’. Use language and imagery that sets realistic expectations with patients, and in the event that you’re using stock photos consider overlaying the word ‘model’ on top of that image so patients understand that it’s not meant to portray an actual patient. If you’re using third party photos, such as images provided by a device or pharmaceutical company, be sure to reference the source so there’s no misunderstanding about who’s patient the depicted person actually is. In addition to that, include all of the material details any time you’re making an offer or promotion on the web. Finally, if you have a specific conflict of interest that patients would want to understand when they’re interpreting the information you’re sharing on the web, disclose those financial, professional, or personal conflicts adjacent to that messaging.

Now copyright law is another area you need to be concerned with. Be sure that you obey copyright laws in everything that you publish because without permission it’s plagiarism. Now here’s a question for you to consider, you’re working on a promotional project and you need to find an image fast. You turn to Google and you do a quick search for a woman running through a field. Is it safe to use the images you find on Google inside your posts? The answer there is, well, probably not.

Google finds both free and rights-managed images all across the web and it can be difficult at times to establish who owns the copyright. So before you use and image, or video, or audio content in any of your promotions ensure that you have the right to do so.

Secure the permission to use photos and text from other medical practices because it’s safest to assume that before-and-after photos or the original text appearing on their website is their personal property and cannot be reused without permission.

Now, let’s talk about a topic that can be difficult for someone to grasp if we don’t deal with disability personally which is the idea of accessibility on the web. It’s your responsibility when you’re publishing content on behalf of a medical practice to make sure it can be accessed by people with disabilities.

The moment that we need to reflect on here is whether we believe that the content on the web should be equally accessible, and to understand what are the laws that govern accessibility on the web. Here there is a significant difference between how the United States and Canada address this specific issue.

In Canada there is a federal mandate that businesses with more than 50 employees comply on a schedule that is rolling out province by province. If you don’t see your province here, do a little research today on the web to see what the status is of website accessibility in your province today. But in the United States it’s been established that under the Americans with Disabilities Act that your practice may be subject to a lawsuit where each violation could cost you $10,000 or more for a single instance of an inaccessible element of the content that you share on the web.

So let’s go over really quickly the way that you can limit that liability or risk for your practice. Accessibility in social media means that you need to be thinking about the images that you post and ensure that they have what’s called ALT text. ALT text is simply alternative text that’s read out loud by screen reader software when they encounter your images.

The good news is that most popular social media platforms use artificial intelligence to automatically assign alternative text to any image that you publish. You can override the automatically generated ALT text on every one of the major platforms like Facebook, Instagram, and if you are using an emerging platform there’s an important opportunity for you to slow down and check that they have AI auto-generated ALT text for your image content.

In addition to that you need verify that the platforms you’re using are automatically adding closed captions or add them yourself to any video content that you publish. Audio content that you may share, such as podcast content, will require a full transcript adjacent to that audio file. Keep in mind that again, the major platforms like Facebook and Instagram help you out by automatically adding closed captions to any video that you publish. If you’re using an emerging or new social media platform check to ensure that closed captioning is present on any video that you share there.

Should you share files, usually these would be in the form of PDF files on a social media platform, it’s your obligation to make sure that that file is what’s called machine-readable. The easiest way to detect this is to take your cursor inside the file, attempt to highlight an individual word and slide across the page, if you can highlight an individual word, it means that that word is detectable to a machine and can be read out loud by a screen reader. If you’ve scanned a picture of text, such as a picture of a magazine article, that likely is not machine-readable and you should contemplate either not sharing the file or sharing it in an alternate form.

Now, let’s talk about protecting patient privacy. We can look back at major stories, especially in the aesthetic arena where the irresponsible actions of an individual actor inside of a clinic have resulted in major financial liability, usually because we haven’t secured the appropriate patient consents before sharing their information on the web. The important thing for you to do here is never assume that you have consent or permission to use a patient’s information, and you need to do your part to ensure that we protect patient privacy as we participate on social media.

We need to ensure that we have signed consents, on file inside the clinic before we publish any identifiable content. Only post content to the accounts that are covered by social media. Now what I mean by this is that often times we find that staff members inside of elective healthcare practices maintain their own professional social media. But consent forms only cover the parent organization so posting things like photos, videos, or testimonial content from patients where consent is secured can only happen on the properties, the accounts that are covered by that consent. So be sure that you’re not taking the consent form and assuming that it broadly covers any member of the practice to publish patient content anywhere they like and instead observe the restrictions that are inherent in that actual consent paperwork.

In addition to that we need to take the time to de-identify anything that we publish because the permission to use the information doesn’t mean the permission to share the patient’s name in all cases. If your photography, for example, includes the patient’s name inside the file name, it’s important to remove that information before those photos get published to the web. And, if you’re replying to a thread on a public social media platform it is important that you not add any new information that is private or material to the patient’s care to that conversation. You might thank someone for a commentary but don’t thank them for coming into the office on Tuesday, that’s a detail that wasn’t present in the initial conversation and you’re now potentially adding information that is unique to that patient that didn’t need to be shared on the web that would create a patient privacy risk for you and for your practice.

Now let’s talk a little bit about maintaining professional boundaries. I mentioned that 2012 study earlier in this presentation and here’s the data from that study once again. Let’s focus on the 3 most common violations that were reported dating all the way back to 2012. The first and the third of these, using inappropriate types of communication and establishing the inappropriate practice of medicine, weighed heavily in that early finding. It’s important that we take steps to keep it professional and that you need to recognize that it’s not your position to initiate a new doctor-patient relationship with strangers on social networks.

The inappropriate practice of medicine was looking at instances where doctors were suddenly practicing medicine, issuing diagnoses, and recommending treatments for patients that they’d never seen or charted, or practicing medicine across regional boundaries in areas where they weren’t licensed to practice medicine by inadvertently extending a social media conversation a step to far.

In addition to that, we want you to remember you should act on social media as you would in person. Avoiding things like defamatory language or inappropriate behavior that could ultimately shame you or your practice. It’s safe practice to assume that everything that you post on the web will live online forever, that you won’t be able to take it down because things are so quickly copied once published.

Alright, let’s summarize everything that we’ve learned here. Every one of your social media posts needs to respect that it could reflect directly on your clinics medical director and could impact their medical licensure. Everything you post needs to be honest and straightforward including all of the details a patient might need to understand to make an informed decision. Everything that you post needs to protect patient privacy and observe copyright laws, and it should be accessible for those with specific disabilities that limit their ability to navigate the web. Keep in mind that everything you post reflects on your professionalism and the professionalism of your practice and can have a lasting impact not only on your employment but on how consumers perceive your brand.

If you have questions about these topics reach out to us by visiting www.etnainteractive.com.

---