Hey Doc, Be Careful on TikTok – Legal Pitfalls of Healthcare Providers in the Social Media Age

Imagine you are scrolling on TikTok, Facebook, Instagram, or one of the multitude of other social media platforms that almost every one of us have on our devices, and you come across a video of a physician discussing medical concerns. Because your “feed” is geared towards content, the doctor may very well be providing insight and recommendations that are pertinent to an issue you are struggling with—like cystic acne, a sprained ankle, or even the latest COVID-19 strain. What happens if that generalized advice—broadcasted to the entire Internet—doesn’t help you, but hurts you?

On the flip side, let’s imagine someone else’s story. A young doctor in a rural area writes a Tweet, briefly discussing a unique issue new to his or her community and in response, they receive feedback from physicians across the world who have encountered the issue and can provide guidance to improve patient care and immediately impact the case the young doctor was working on.

Whether you believe it is for better or worse—as illustrated by both of these stories—social media has been transformative in the healthcare industry and revolutionized the practice of medicine. The benefits are overwhelming: providers can expand their practice, increase their marketing, discover new clients, and build their reputations. But the costs are just as alarming, with social media usage potentially placing providers at an increased risk of (1) HIPAA violations, (2) cyber-security risks, (3) destruction of personal image, and (4) malpractice.

In this evolving landscape, it is critical that healthcare institutions and providers are thoroughly educated as to how best take advantage of the benefits—and avoid reputational, economic, or licensure costs.

I. HIPAA Violations
Under the Health Insurance Portability and Accountability Act (HIPAA), physician-patient relationships are strictly confidential, and publishing an individual’s Protected Health Information (PHI) is prohibited without patient authorization. It comes as no surprise then that HIPAA violations are a significant area of concern in the crossover space between the healthcare industry and social media.
For example, a group of Chicago nurses faced a lawsuit (and ultimately, misdemeanor charges and termination of employment) after a Snapchat video showed two of the nurses taunting a 91-year-old dementia patient.¹ Likewise, a dental association faced a $1.5M penalty when the business responded to a negative Yelp review and disclosed PHI in doing so (i.e., the patient’s name, treatment plan, insurance, and treatment cost).² Although the parties were later able to settle for $10,000, the economic cost is clear. Beyond monetary losses, healthcare providers can also their lose their licenses—as was the case in Georgia, when over 23,000 EMS professionals were cited for disclosing PHI when they posted graphic photos and videos to a Facebook page.³

In light of these risks, providers and institutions should take tremendous care as to what they post—whether it’s a blurred or cropped “before and after” picture for a plastic surgery procedure, or an attempt to respond to a positive or negative online review—and consult with internal and external advisors as necessary to ensure compliance with HIPAA and protect themselves and their licenses.

II. Cyber-Security Risks
In an age when many major hospital systems now provide cell phones (namely, smartphones), another potential concern is that social media may “open the door” to viruses, hackers, and other cyber-security concerns. While these cyber-security threats can harm businesses and individuals of all kinds, the potential consequences are especially devastating within the healthcare industry if a hacker is able to gain access to a patient’s private information.

And the risk is real: social media was recently deemed the catalyst of more than half of the billions of incidents surrounding compromised data records.⁴ In response to this discovery, the U.S. Department of Health and Human Services has developed a “Cybersecurity Newsletter” to further shed light on the dangers of online hackers.⁵ This newsletter encourages medical providers to “lock their cyber door” through strong authentication mechanisms.⁶ In turn, it is especially important to have password protected social media that lowers the possibility of confidential patient information being maliciously accessed.

III. Destruction of Personal Image
At its best, social media can be used to improve a physician’s reputation, increase his or her client base, and in turn allow clients to more thoroughly research and select their providers. But at its worst, it can also ruin a healthcare provider’s reputation—any negative review can grab the attention of the public and quickly tarnish the individual or organization’s reputation. At a time when negative reviews and harassment have become normalized—and people are more likely to leave negative reviews than positive feedback—it is no surprise that two-thirds of physicians face harassment on social media.⁷
In some of these cases, the harassment rises to such a level that physicians have brought defamation suits against these “internet trolls.” An Ohio plastic surgeon filed a defamation lawsuit after a patient left anonymous negative reviews on RealSelf, Yelp, and RateMDs.com following a rhinoplasty procedure. Eventually, the doctor settled with the patient and went on to be voted as one of America’s Best Plastic Surgeons by Newsweek. His case is not unusual; in fact, many others have also led to extensive legal proceedings ending in settlement.⁸

IV. Malpractice
Recent studies reveal that more than 33% of Gen-Z individuals and over 20% of all Americans seek advice from TikTok prior to speaking with their own doctor.⁹ As a result, the already looming threat of malpractice becomes increasingly tricky when providers give advice on social media or post content that could potentially expose themselves to negligence allegations.

When physicians, nurses, and other healthcare personnel respond to questions and give medical advice to strangers via social media apps, there is no “disclaimer” to shield them from malpractice—so providing such medical advice, education, or care in those informal settings could actually result in a provider being named in a lawsuit. This risk doesn’t end in the ER or operating room; even if a provider is off the clock, they’re at risk when posting and engaging on social media. And the risk is greater when providers are on the clock, as patients fear that their doctors may pay more attention to their phones and social media than to their patient or the procedure at hand.

For example, in a Texas case involving the death of a 61-year-old woman, a surgeon testified that the anesthesiologist responsible for monitoring the patient’s vitals had not noticed her dangerously low blood-oxygen levels until “15 or 20 minutes” after the patient turned blue.¹⁰ The anesthesiologist later admitted to texting, accessing websites, and reading e-books during procedures.

And in Ohio, the State Medical Board recently revoked the medical license of a plastic surgeon who had attrracted a massive TikTok following of over 800K subscribers by posting photos and videos.¹¹ To comply with HIPAA, she only posted content of patients who had signed social media consent forms. But despite this protective measure, the physician found herself under scrutiny after three of her patients suffered injuries from surgeries she livestreamed on her TikTok. The livestreams featured loud background music and moments where she looked into the phone camera rather than at her patient. Ultimately, the Medical Board found the surgeon’s behavior to be a substantial risk to patient safety, and permanently revoked her medical license. So in the end –she was left with no social media account, and no medical license.

Likewise, providers should also be aware that in the event of a malpractice lawsuit, a patient’s attorney will frequently request information about a provider’s social media and any posts that a provider may have made. In the world of social media, then, it is wise to remember: anything you say can and will be used against you.

V. Thoughtful Use
To maximize its benefits, while simultaneously minimizing risk, many healthcare facilities have begun to more carefully monitor social media usage and have also started implementing a multitude of social media risk management strategies, such as:

• Obtaining a patient’s written consent prior to posting any identifying information;
• Prohibiting cell phones or photographs within the healthcare facility;
• Designating an individual as the primary social media manager;
• Hiring an individual who is familiar with HIPAA and state privacy regulations to review and approve social media content and thereby ensure information does not violate patient confidentiality;
• Educating healthcare providers and staff members on HIPAA and state privacy laws, making them aware of potential consequences of violating these regulations (including mandated courses on social media ethics);
• Filtering or deleting negative comments;
• Creating procedures to investigate negative reviews and responding appropriately in a HIPAA-compliant and kind manner;
• Sending an anonymous survey to patients to gather information on social media preferences; and
• Reviewing other resources such as those created by the Association for Healthcare Social Media – a nonprofit that was organized in 2019 to help educate the medical community on how to responsibly and effectively use social media.¹²

As with any uncharted territory, the learning curve for appropriate social media use in the healthcare space will be steep—especially as Medical Boards across the country begin cracking down and regulating its use. For organizations and providers hoping to increase value to patients and their practices with its use, it is therefore more important than ever to curate a thoughtful and diligent approach to minimize liability. As the illustrations above make clear, failure to develop appropriate social media policies can result in the ultimate price: a medical license.

Written by Monica Davis and Clare Kelley

¹Outrage After Video Shows Staffers Taunting, Terrorizing Woman, 91, At Glenview Nursing Home, CBS CHICAGO (Aug. 8, 2019), https://www.cbsnews.com/chicago/news/glenview-nursing-home-abuse/.
² Paige Haughton & Edward Leeds, OCR Announces $10,000 Settlement for Disclosure of Patients’ PHI Through Social Media, JD Supra (Oct. 8, 2019), https://www.jdsupra.com/legalnews/ocr-announces-10-000-settlement-for-91924/.
³ Faith Abubey & Lindsey Basye, ‘Sick & Twisted’: EMS Dark Humor Page Exposed, 11 ALIVE, https://www.11alive.com/article/news/investigations/the-reveal/ems-dark-humor-investigation/85-7170a926-bab2-4f90-8cbb-5dc216a8ea0c (last updated Nov. 8, 2019).
⁴ Maria Clark, 15+ Real-World Examples of Social Media HIPAA Violations, ETactics (Aug. 10, 2021), https://etactics.com/blog/social-media-hipaa-violations.
⁵ HHS Office for Civil Rights and the Federal Trade Commission Warn Hospital Systems and Telehealth Provers about Privacy and Security Risks from Online Tracking Technologies, U.S. Dep’t. of Health & Human Servs. (July 20, 2023), https://www.hhs.gov/about/news/2023/07/20/hhs-office-civil-rights-federal-trade-commission-warn-hospital-systems-telehealth-providers-privacy-security-risks-online-tracking-technologies.html.
⁶ June 2023 OCR Cybersecurity Newsletter, U.S. Dep’t. of Health & Human Servs., https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity-newsletter-june-2023/index.html (last visited Sep. 8, 2023).
⁷ Win Reynolds, Two-thirds of Physicians and Biomedical Scientists Report Harassment on Social Media, NW (June 15, 2023), https://news.northwestern.edu/stories/2023/06/two-thirds-of-physicians-social-media-harrassment/.
⁸ Jayne O’Donnell & Ken Alltucker, Doctors, Hospitals Sue Patients who Post Negative Comments, Reviews on Social Media, WKYC, https://www.wkyc.com/article/news/health/doctors-hospitals-sue-patients-who-post-negative-comments-reviews-on-social-media/95-575254639 (last updated July 18, 2018).
⁹ Alexandra S. Levine, Doctors and Nurses are Becoming Internet Stars. Some are Losing Their Jobs Over It., Forbes (Dec. 21, 2022), https://www.forbes.com/sites/alexandralevine/2022/12/20/healthcare-influencers-medical-creators-firing/?sh=11c02d3c13ee; Deb Gordon, 33% of Gen Zers Trust TikTok More than Doctors, New Survey Shows, Forbes (Dec. 20, 2022), https://www.forbes.com/sites/debgordon/2022/12/20/33-of-gen-zers-trust-tiktok-more-than-doctors-new-survey-shows/?sh=4be5a05e6c7b.
¹⁰ Rebecca Buckwalter-Poza, Treat, Don’t Tweet: The Dangerous Rise of Social Media in the Operating Room, Pac. Stand. Mag (June 14, 2017), https://psmag.com/social-justice/treat-dont-tweet-dangerous-rise-social-media-operating-room-79061.
¹¹ Rob Frehse & Maria Campinoti, Ohio Plastic Surgeon who Livestreamed Patient Operations on TikTok has State Medical License Revoked Permanently, CNN, https://www.cnn.com/2023/07/13/us/ohio-doctor-tiktok-license-revoked/index.html (last updated July 14, 2023).
¹² Other resources include: Professionalism in the Use of Social Media, AMA Code of Med. Ethics, http://www.ama-assn.org/ama/pub/meeting/professionalism-social-media.shtml (last visited Aug. 3, 2023); Social Media and Electronic Communications, FSMB (Apr. 2019), https://www.fsmb.org/siteassets/advocacy/policies/social-media-and-electronic-communications.pdf; Social Media & Digital Communications Guidelines, State Med. Board of Ohio, https://med.ohio.gov/static/portals/0/resources/social%20media%20guidelines.pdf?ver=2019-08-27-075945-720 (last visited Aug. 3, 2023).