Doctors and Facebook: Is there a privacy risk?
December 16th, 2010
02:32 PM ET

Doctors with a Facebook profile could be jeopardizing their relationship with patients if they don't correctly use the website's privacy settings, according to a study in the Journal of Medical Ethics.

Study authors surveyed 200 residents and fellows at the Rouen University Hospital, France, in October 2009.  The overwhelming majority had a profile on the online social media website Facebook and almost all displayed their real names, birth dates, a personal photograph and their current university.

About half of those surveyed believed that the doctor-patient relationship would be changed if the patient learned that their doctor had a Facebook account; most believed this would happen only if the patient had unrestricted access to the doctor's profile.

"These are young professionals who are sort of learning what's ethical behavior in their profession for the first time, and crashing up against what is an increasingly popular social norm, for them personally," said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology. She added that the large percentage of people in the study who had Facebook profiles reflects the popularity of the website among young people.

Facebook has more than 500 million users around the world.

"Any professional faces the same dilemma.  You want to share information with your friends, and yet, given the reach of Facebook, what are you comfortable sharing in a personal space that could be cast in a different light in a professional context?" McGraw said.

In November, the American Medical Association adopted a social media policy for its members.

"Using social media can help physicians create a professional presence online, express their personal views and foster relationships, but it can also create new challenges for the patient-physician relationship," said Dr. Mary Anne McCaffree, an AMA board member.

Among the group's recommendations for physicians: Consider separating personal and professional content online.  Use the privacy settings as much as possible.  If interaction occurs, maintain appropriate boundaries.  Finally, recognize that online behavior can have a negative impact on reputations and may result in consequences to their careers in medicine.

Dr. Bryan Vartabedian, attending physician at Texas Children's Hospital, often writes about issues involving social media and medicine.

"It's hard to say black and white that the availability of information is or is not going to change the relationship. It really depends on the information that's disclosed. How we define what represents something inappropriate is really in the eyes of the beholder," he said.

"I would disagree with the fact that the doctor-patient relationship is going to be seriously impaired. Depending on the generation, patients are becoming increasingly aware their doctors have personal lives outside the exam room," Vartabedian said. "I think physicians have become increasingly aware that whatever they do, whatever they say, that that information is going to be scrutinized and it's going to be viewed publicly. We have to be looking at ourselves really as kind of being in the spotlight 24-7."

"I think over the next year, we're going to see a lot more research appearing like this," he added.

Facebook privacy settings have recently changed.


soundoff (37 Responses)
  1. Stephen Wilson - Lockstep

    I'm a privacy researcher. Recently I've been investigating the privacy implications of what Facebook innocuously calls "find friends" but which is really the mass importation of a new user's e-mail address book; see http://lockstep.com.au/library/privacy/more-trouble-with-facebook. It's not obvious that this is what happens when you opt in to "find friends", and FB doesn't draw attention to how it might use its knowledge of a user's contacts.

    Doctors increasingly (and quite properly) are using e-mail to communicate with their patients. E-mail is reasonably secure, and can enhance the doctor-patient relationship. So a typical doctor will have the addresses of patients mixed in with their other contacts. That's fine, while the address book remains confidential.

    But if a doctor signs up to Facebook and allows "find friends" then FB will import those patients' e-mail addresses. So now anyone else on Facebook who knows one of those patients might be offered up to the doctor as a suggested friend. Will patients want their relationships with doctors exposed in this way? In rare cases, say in mental health, the results could be catastrophic. Note very carefully that the people in the doctor's address book never had the chance to consent to being imported; they don't even know it's happening.

    [This is only a problem if doctors are using hosted mail services, like gmail. But I am concerned that with 'cloud' e-mail services increasingly being offered to corporates by the likes of Google, the lines will blur between what people regard as personal e-mail and business.]

    In its Privacy Policy, FB appears to reserve the right to use contact information in other ways unspecified: there is no information at all in the FB Privacy Policy section 3 "Sharing information on Facebook", about what they euphemistically call "friend information" or "relationships" (i.e. imported contacts).

    This is a very murky and fast changing area for Facebook. Meanwhile I'd say doctors need to be told about the risks of inadvertently dragging their patients into the network.

    December 16, 2010 at 18:37
    • Vanilla Gorilla

      I am in the business of securing individual electronic transmissions sent over the open and public internet – and Stephen is somewhat correct in stating that the internet is "reasonably secure". A physician's professional liability insurance probably does not cover any patient records that are intercepted or compromised – there are gaps in their coverage. And therefore the patients are at risk if their medical records with PII and HRC are intercepted.
      Anyone can buy the app package that allows one to intercept transmissions and this includes faxes. Doctors are notoriously lax when it comes to securing patient records – aka cheap.

      December 16, 2010 at 19:37
    • FreeSpiritGal

      Stephen, thank you for the informative post. Please excuse my basic question: If I have a gmail email account but do not deliberately create an entry in the address book (due to privacy concerns), are the email addresses of those I have exchanged email correspondence with still considered my "address book" contacts? Are they at risk of being "imported" by FB as well? Thanks in advance for your answer. FSG

      December 16, 2010 at 19:41
    • TonyH

      I find it astounding that a self-professed privacy researcher would claim that email is relatively secure – it is nothing of the kind. All Internet email, unless specifically encrypted, is transmitted in the clear with no protection of any kind. It is also transferred by a store-and-forward system that leaves a copy on each mail server involved in its transfer – which will be at least two, and often dozens of systems between its origin and endpoint. It is up to the operators of each of those mail servers to ensure that the cached material is protected and eventually flushed from their systems, but it is relatively easy to harvest material from them. As a certified information security professional and information privacy professional of more than 25 years' experience, I would never advise anyone to consider email anything other than a public conversation. Please, Stephen, reconsider your thinking and don't provide misleading advice to others.

      December 16, 2010 at 20:31
    • Almd

      I completely agree, Stephen. I am a physician who just set up a FB page and I inadvertently used the find friends feature. Emails were sent to several of my patients.

      December 16, 2010 at 21:50
    • just a thought

      It's definitely something to think about, however, except for the private sector, and even many then, most physicians and other health professionals have an email specifically reserved for work and a personal email. I would hope in those situations that the work email is not being used as the facebook email... :) But it is something for people in general, regardless of being a healthcare worker, lawyer or anyone with a business to think about when using a personal email to communicate both on facebook and with patients or clients.

      December 16, 2010 at 23:45
    • Stephen Wilson - Lockstep

      TonyH says I am "misleading" people when I describe e-mail as "reasonably secure".
      E-mail security is a side issue in this debate; I made the remark to demonstrate that e-mail is normal in medical practice, and as a result, there will be patient names and contact details in doctors' address books (which may find their way into Facebook).
      But if you want to debate e-mail security, fine. Please note I said "reasonably" secure. That is, when used sensibly, with a well managed computer system, and a reliable service provider, it is perfectly reasonable to use e-mail for some clinical correspondence. Encryption is a good idea in general (and may be mandated by local rules) when clinical data is sent.
      Compared with the other avenues for misadventure in clinical practice, using e-mail to correspond with patients doesn't introduce grave risks. The attack surface for store-and-forward e-mail might look large but in reality, intercepting e-mail is like looking for a needle in a haystack, and rational attackers (the ones we security professionals focus on, rather than imagined threats) will target other systems, like EMR/EHR and good old paper files in clinics, if they really want to obtain patient information.
      The biggest "safety" issue to contemplate around e-mail is actually the patient's online proficiency. Obviously some patients won't cope with being sent test results, or making appointments by e-mail. And urgent matters should always be communicated first hand.

      December 16, 2010 at 23:50
    • Elexsor

      Plain and simple: If a doctor is going to interact with patients via email then they need to have set up a separate email from their personal email to have this interaction. They are working and thus should be using a work email or external work email to conduct business. Their personal email is what they use to set up a facebook account.

      December 17, 2010 at 01:24
  2. Krazy Cook

    check out the warranty or SLA for FB – they have no security – if they did using FB would be so painfully slow no one would use it

    December 16, 2010 at 19:40
  3. DrPete

    I'm a surgeon, and personally I have no problem with my patients discovering that I have a Facebook account. Would I ever friend a patient? Nope. I don't really see it as any different from real life. Sure, I'd tell a patient that I have a daughter in conversation, but I wouldn't invite them over to dinner to hang out with her. It's just a new social boundary that needs to be drawn.

    December 16, 2010 at 19:57
    • Guest

      Excellent point.

      This article makes it seem as though doctors would want to friend patients. I seriously doubt if that's the case. It's probably more often that they RECEIVE friend requests from patients. The same problem exists in education.

      I've seen people handle it in several ways. Some people have an easily found, "Safe" account. It's an account they don't actually use (no photos, status updates, links posted, etc.), but they allow people to friend them, because it helps to keep the other person from feeling rejected.

      Others deny the request stating, "I'm sorry, but to friend you would violate my professional ethics/policies. Thank you."

      I would not want anyone who I work with in a client relationship to see my real facebook page.

      December 16, 2010 at 22:12
    • tony montana

      No one wants to come to your house to have dinner with your large, socially awkward daughter, while you hover around like a goon. Get a clue, "Dr. Pete." And by the way, no one thinks you're any cooler because you specified that you wish you were a surgeon.

      December 17, 2010 at 15:42
  4. Steve Johnson

    Dear CNN, will you please question facebook's claim that, "Facebook has more than 500 million users around the world." What's the definition of an active user? Does this number take into account corporations who've created facebook pages, spammers, etc., etc.? Does grandma who signed in six months ago but doesn't use facebook count as an active user (maybe anyone who created a profile within one year is active)? Thanks! And hopefully you won't continue to do shoddy reporting since not ONCE have you EVER questioned facebook's claim of the number of users it has.

    December 16, 2010 at 20:06
  5. Steve Johnson

    And if you really want to have some fun with facebook privacy type into google: "broke phone need numbers facebook." These are facebook groups that people created when their phones broke and they're asking for friends to post their phone numbers. You won't believe what you'll find...or sadly, you will believe it.

    December 16, 2010 at 20:08
    • Steve Johnson

      And make sure to look at the group's "wall" postings.

      December 16, 2010 at 20:09
  6. WhatUTalkin'BoutWillis

    Being a physician in a small town, there is not a lot of privacy as it is. Most of my patients know each other and shop in the same grocery stores. I friend my patients that send requests to me, but I always strive to be professional on FB as is. I think everyone should strive to be professional on FB and for that matter, anywhere online...these conversations can be viewed for longer than you realize. You don't want it to cause a negative issue years down the road.

    December 16, 2010 at 20:11
  7. No_TMI_Here

    Symptomx.com is a much better place to connect with your doctor than Facebook. On Symptom Exchange PII is against the rules of the site, you never put in your email or your name so you and your doctor don’t have to worry about privacy settings or anything like that. If your doctor has an account you can just give them your shared ID and they can link to yours and send you messages within the site. The information you post is only health related – not mixed with personal photos of your kids, etc. and you can still control exactly what you share with people and what you keep to yourself. If nothing else the Health History reports are great if you hate filling out a new history form every time you see a new doctor. The site is still in Beta form, so they are still adding features, but it is so much better than traditional social networking for connecting with your doctor.

    December 16, 2010 at 20:57
  8. Dr Bill Toth

    A wonderful gray area...Doctors are first and foremost human. The relationship between doctor and patient was way more personal at the turn of the century when docs lived in town and made house calls. Now outside of a "Concierge Practice" it seems a lot like the doc might be more of an extension of the insurance company...kind of like your accountant is really an extension of the IRS. I could be wrong, that's just the way it seems to be. Live With Intention, DrBillToth.com/blog

    December 16, 2010 at 21:08
  9. Pendulum

    I'm not really concerned in general about my doctors being on facebook. I wouldn't friend them so that's not an issue. I do, however, plan on using facebook to check to see if any of my doctors are in the groups that mock patients or disrespect them (for example the now removed 'Fibromyalgia is B***S***' group that was only removed after facebook shut it down due to complaints). I don't want a doctor who is that disrespectful of any of his or her patients. But at least now the fact that such groups are on facebook means it's easier for me to find out who to avoid!

    December 16, 2010 at 21:36
  10. kazz

    everyone needs to just chill about facebook

    December 16, 2010 at 22:54
  11. Shreela

    Facebook has fan pages that many small businesses use, while the actual owner of those businesses keep their main Facebook profile for their friends and family. Perhaps physicians should consider this setup.

    December 17, 2010 at 00:01
  12. renee

    I was assigned to a juvenile delinquent fellow. Unfortunately, his supervisor was out of the country to do "research". The fellow was told by supervisor to write a prescription. Would he return a phone call to a patient? H$ll no. Weeks went by of persistent calls to the office secretary. Faxes were sent. My insurance company called, pleading to talk to him. A concerned post to his wall about how his patients were concerned that he was on a bender since he wasn't able to be reached for weeks on end. An immediate response.

    December 17, 2010 at 00:08
  13. ms

    Is no one else disturbed by the quote "patients are becoming increasingly aware their doctors have personal lives outside the exam room"? Were people really unaware of this? Do we really expect physicians to not have a life outside of their career as is the case with nearly every other job?

    December 17, 2010 at 00:16
    • runinguy

      i feel ya. this article is pointless

      December 17, 2010 at 02:22
  14. HKW

    I have a friend who is a doctor and she says negative things about her patients and staff on FB. I had to tell her not to post stuff about work because it could affect her medical license if she's posting private things about her patients.

    December 17, 2010 at 10:37
  15. Reason

    Maybe people should just be proud to be themselves, consistently, and responsibly in all situations and all this privacy crap would be obsolete.

    December 17, 2010 at 12:24
  16. Kidd

    Agreed with Stephen - doctors need a barrier from patients in social networking due to HIPAA regulations. But the last thing we want is to prevent these guys from using technology. For both personal and professional reasons (referrals and such) there should probably be some sort of online provider community that meets those security standards mentioned above and doesn't auto-invite their patients.

    December 17, 2010 at 17:04
  18. Stephen Wilson - Lockstep

    [I have tried to post a few followups but the site isn't showing them all; sorry if this doubles up ... ]

    People, the privacy issue has nothing to do with doctors having their own personal lives, and nothing to do with banning Facebook. The point is that if a doctor has the address of a patient in their web mail book, and the doctor opts in to "find friends", an unexpected result of that innocent bit of networking is that others on Facebook may find out that certain people are patients of that doctor.
    Tell me if you think publicising patients' relationships with doctors is not going to strike those patients as just a little surprising, if not utterly scandalous.

    December 17, 2010 at 21:11
  19. Stephen Wilson - Lockstep

    FreeSpiritGal wrote:
    > If I have a gmail email account but do not deliberately create an entry in the
    > address book (due to privacy concerns), are the email addresses of
    > those I have exchanged emails correspondences with still considered my
    > "address book" contacts? Are they at risk of being "imported" [by FB] as well?

    I can't answer for all web mail services that export to Facebook; they all tend to treat incoming e-mails differently. But some will automatically add a sender's address to your address book, even if you never respond. Even if you only ever get an email from this person once.

    So there might be a patient who tries to contact their doctor at a 'personal' address. Even if a cautious doctor calls them back out of band and asks them not to use e-mail, the patient's address may still be there in the doctor's system. It might stay there for ages, unnoticed, and then one day get sucked up into the Facebook 'matrix'.

    So unless a doctor can be 100% sure that there are no patients in their web mail address book (and who checks these things?) then there is a risk that Facebook will upload and publicise unexpected connections when doctors use the service.

    BTW I note that one of the doctors who wrote the Facebook paper gave a Gmail address for correspondence!

    December 18, 2010 at 01:26
  20. book of rar

    Well, things can seem so simple! Thanks :-)

    April 2, 2011 at 05:09
  21. spiele online Book of ra

    Many thanks, now I have finally really grasped the matter ;-)

    April 3, 2011 at 11:48
  22. Alan

    As a doctor, regularly checking your profile with a privacy scanner will help ensure that your private data stays private. http://checksocial.net is a website that scans your Facebook profile and shows you all information that is publicly visible.

    March 28, 2012 at 16:04