The advent of online forums and social media platforms has the potential to work toward strengthening the physician-patient relationship. Patients get better access to physicians via very open lines of communication. The whole point of online venues is to engage openly with others, share information, and develop two-way conversations.

All of this openness runs headlong into the Health Insurance Portability and Accountability Act of 1996—HIPAA. HIPAA instills fear and loathing in most physicians and their staff. The great disconnect is that there is very little expectation of privacy online, yet physicians are held to a very high standard in this area.

HIPAA’s privacy rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The rule calls this information “protected health information (PHI).” (See
for more information.)

HIPAA allows what is called “deidentified information,” defined as “the removal of specified identifiers of the individual and of the individual’s relatives, household members, and employers is required, and is adequate only if the covered entity has no actual knowledge that the remaining information could be used to identify the individual.”

If you are venturing into social media, you must use extra vigilance to avoid even the vague semblance of privacy violations.

Although there are really no guidelines set in stone yet, caution prevails. From a HIPAA point of view, the most important issue regarding social media platforms like Twitter and Facebook is that the information posted is, for the most part, in the public domain—almost anyone can ultimately see it, forward it, or save it.

Even if you mention patients in the most general and anonymous terms, you may be putting yourself at risk. For example, “I did a difficult secondary rhinoplasty on a woman with a twisted nose.” This remark could conceivably be a violation, or you may upset the patient who thinks this is a reference to her. Similarly, even remotely recognizable facts should be avoided, such as time, place, details, and specifics of a case. Some identifiable traits naturally accompany your Twitter feed or Facebook posts, such as location and specialty, which is public information. The best rule of thumb is to avoid speaking about individual patients at all.

Another safe practice is to talk online in general terms that could apply to many patients—namely, conditions, symptoms, and treatments. For example, “I saw a patient with body dysmorphic disorder…” Turn that into, “Patients with body dysmorphic disorder are often obsessed with a minor flaw…”

Safe topics for online conversations include skin conditions, side effects, statistics, treatments, clinical data, FDA-approved drugs, and FDA-approved medical devices.


Safe Online Topics

Online conversations should be limited to general-interest subject matter that is public domain, such as the following:

Skin conditions;
Side effects;
Clinical data;
FDA-approved drugs; and
FDA-approved medical devices.

Take extra caution when replying to people in real time. On Twitter and Facebook, for example, I often see physicians tweeting to other physicians about branded products and treatments. In a public forum, criticizing colleagues, brands, and organizations is bad form.

Physicians should never approach patients as in to “friend” someone on Facebook. This action could be viewed as a violation of physician-patient privacy. The best way to enlist patients to “like” your Facebook page is simply by letting them know that you have one. Similarly, if a patient posts a comment on Facebook, technically you should not respond to it or acknowledge it.

Another HIPAA issue that often arises is best practices for posting patient photos in online forums. Technically, you may own the copyrights to photographs taken in your practice, but you are prohibited from displaying patient photographs without the patient’s written consent. If you use a standard operative consent that includes a phrase like “medical photographs may be used for educational purposes,” this does not cover promotional purposes such as a Web site or Facebook page.

When in doubt, a properly executed consent should itemize all potential platforms for publication or duplication of patient photographs. This can avoid litigation or miscommunication with disgruntled patients who did not expect to see their cosmetic surgery results online.

Wendy Lewis is president of Wendy Lewis & Co Ltd, Global Aesthetics Consultancy, author of 11 books, and founder/editor of She can be reached at .