Medbloggers Beware: Watch What You Say on the Web

Texas Medicine Magazine Logo  

Law Feature - May 2009  


Tex Med . 2009;105(5):29-32.  

By  Crystal Conde
Associate Editor  

News spread quickly throughout Suffolk, Mass., and eventually the nation, when a plaintiff's lawyer unmasked a pediatrician's online identity during a 2007 medical liability trial. The physician, known in the cyber world as "Flea," had been posting to his blog unsavory comments about the plaintiffs, their attorney, and the jury in this wrongful death lawsuit.

Upon cross-examination, opposing counsel shocked the courtroom by pointedly asking the defendant in the case, Robert P. Lindeman, MD, if he was "Flea." Under oath, the pediatrician admitted to his pseudonym and settled the case for a substantial sum the following day.

Bryan Vartabedian, MD, a pediatrician in The Woodlands, maintains a blog on parenting and child health. He says what happened to Flea serves as a cautionary tale for all physicians. (For those who don't know, a blog or Web log is an online journal where individuals post regularly updated commentaries and entries about their interests or personal experiences.)

"Flea was edgy, and his disparaging comments cost him his medical liability trial," Dr. Vartabedian said.

E-mail, blogs, Twitter, and social networking Web sites like Facebook are pervasive and offer physicians an opportunity for more rapid communication with patients. But physicians have a reason to be cautious when opening up online or communicating back and forth electronically with a patient. State and federal laws govern the privacy and confidentiality of patients' protected health information (PHI).

State and federal laws and regulations must be followed in physician communications with patients. (See "Laws, Regulations Cover Physician-Patient Communications.")

To ensure doctors fall in line with state and federal laws, Lewis Foxhall, MD, a Houston family physician and former chair of TMA's technology task force, stresses that physicians remain vigilant in safeguarding their patients' PHI.

"The rules are no different even though the vehicles used to transmit information have changed. It doesn't matter if it's a blog or an e-mail or what format the communication is in; it still needs to be considered confidential and handled in a secure way," he said. 

The Myth of Anonymity  

In a world of constantly evolving technology, physicians can find themselves encountering pitfalls when communicating electronically. One of the lessons physicians can learn from Flea's misstep is that online anonymity doesn't exist.

"A physician has to realize that when posting something online it's possible someone could find out it's you," said Jeffery P. Drummond, JD, a Dallas health lawyer.

Dr. Vartabedian identifies himself on his blog, Parenting Solved, because, he says, revealing who he is keeps him in check. "When I blog, I know my boss and patients will read it. I'm sure to maintain a civil tone. Even if it's my opinion, I say it in a way that's not harmful to someone," he said.

He also makes patient confidentiality a priority. "I make it a rule not to write about specific circumstances or cases that could be linked to a patient. I'll discuss general health topics but make sure no one person is identified," he said.

Allen Roberts, MD, an emergency medicine physician in Fort Worth, has a blog called GruntDoc, which he says allows him to satisfy his desire to be a computer geek while venting about working in the emergency room.

Dr. Roberts says he uses the pseudonym GruntDoc because it helped him ease into a blogging persona when he began his postings in 2002. But he knows he's not unidentifiable online. He seldom writes about patients or cases he's seen.

"Physicians who blog can step over the line if they release individual patient information. I rarely blog about interactions I've had with patients, but when I do, I change as many characteristics and details as I can to make it unrecognizable," he said.

Mr. Drummond advises physicians who blog, known as "medbloggers," to be careful when writing about patient interactions.

"The problem is a doctor could inadvertently disclose PHI. For example, if someone can tell from a blog that you're a certain specialist in a particular town, and you write about a specific case with identifying characteristics, someone could connect enough dots and identify the patient," he said.

He suggests medbloggers fictionalize a patient encounter when describing it online to avoid violating state and federal laws designed to safeguard a patient's privacy.

Confidentiality is a concern when physicians and patients correspond via e-mail, as well. Among its guidelines, TMA advises physicians to use a system that encrypts all personally identifiable health information and to inform patients about privacy issues.

Dr. Foxhall adds that electronic communication with patients doesn't replace the personal interaction a physician needs to diagnose and treat a patient.

For that reason, Mr. Drummond says it's a good idea for medbloggers to post disclaimers on their sites. The wording should let readers know the content of the blog isn't medical advice and should recommend they consult their physicians if they require medical diagnosis or treatment. 

HIPAA Silences Physicians  

When writing about personal reflections and experiences, Dr. Vartabedian says, physicians reveal a part of themselves they would not normally expose in the exam room. That can work against a doctor if patients see him or her as cynical or sarcastic.

"A doctor's comments on a blog could interfere with the physician-patient relationship if people disagree with the physician's opinions and grow to distrust that doctor," he said. "On the other hand, a blog can work in a physician's favor. If the physician blogger posts positive content with helpful information, patients may feel even closer to that doctor."

Likewise, some patients maintain blogs. They may use them as venues for criticizing a physician and, in the process, reveal their own PHI.

In a 2008 Health Law Perspectives article, attorney Nathan Andersen, JD, LLM, uses a hypothetical scenario in which a patient posts a disparaging comment on a blog, complaining that her physician was insensitive to the fact that she'd had a miscarriage. ( Health Law Perspectives is a publication of the University of Houston's Health Law and Policy Institute.)

Mr. Drummond says the Health Insurance Portability and Accountability Act (HIPAA) constrains a physician's ability to respond to such negative online comments.

"That type of situation puts physicians in a tough spot because they can't defend themselves. They're subject to maintaining patient confidentiality, even though the patient self-disclosed medical information," Mr. Drummond said.

In his article, "Patient Blogs, PHI and HIPAA - Social Networking and Patient Self-Disclosures as Waiver of PHI  [PDF]," Mr. Andersen outlines possible physician responses, including contacting the patient and blog administrator to request the post be removed. He warns doing so could antagonize the parties involved, magnify the problems, and open the door to retaliation. If neither of those avenues works, the physician might be able to sue the patient for defamation.

Mr. Andersen acknowledges that self-disclosure of PHI on the Internet is largely uncharted legal territory. But, physicians can act preemptively.           

To stifle patients from posting ratings on Web sites like Zagat's and Angie's List, some physicians require patients to sign forms barring them from commenting on the Internet about the doctor's professional capability or treatment.

While requiring such patient waivers is legal, Mr. Drummond says doing so might raise a red flag in patients' minds.

"If I'm a patient and see I'm asked to sign one of these forms, it makes me think the doctor might get a lot of complaints. If you have patients sign these agreements, [a doctor] may have inadvertently forced them to file a complaint with the TMB [Texas Medical Board] instead of just griping on a blog," he said. 

Crystal Conde can be reached by telephone at (800) 880-1300, ext. 1385, or (512) 370-1385; by fax at (512) 370-1629; or by email at  Crystal Conde.   



Laws, Regulations Cover Physician-Patient Communications

Physicians need to be aware of state and federal laws and regulations on physician-patient communications.

The  Texas Occupations Code contains confidentiality provisions for communications between physicians and patients. It prohibits physicians from disclosing communications with patients unless the patients authorize it. To view the Texas Occupations Code physician-patient communication stipulations, click here.

The federal Health Insurance Portability and Accountability Act (HIPAA)  privacy rule  defines and limits circumstances in which a patient's information may be used or disclosed. The law requires physicians to disclose protected health information when a patient requests it or when the U.S. Department of Health and Human Services (HHS) secretary requests access to information to determine a physician's compliance with the HIPAA privacy rule.

The Texas Medical Board (TMB) has rules governing the retention and handling of patient medical records, including electronic records.

The Texas Medical Association has weighed in on the issue of patient-physician electronic communications and has guidelines developed by the Task Force on Patient Medical Information and Privacy and Physician Use of Information Technology in 2001.

TMA's security guidelines say physicians should use a system that:

  • Requires authentication of users (patients, physicians, and office staff) and verification of their access privilege before they can access any identifiable personal or health information;
  • Encrypts all identifiable personal or health information; and
  • Has an audit trail to track time, date, content, and senders' and recipients' identification for all such electronic communications.

Electronic communication guidelines developed by TMA urge physicians to:

  • Establish turnaround time for messages to ensure you're responding within a certain period of time. Exercise caution when using e-mail for urgent matters.
  • Inform patients about privacy issues. Patients should know who besides the physician processes messages during the doctor's usual business hours and vacations or illnesses; the level of security of the communication system used; and that the message will be included as part of the medical record, at the physician's discretion.
  • Establish types of transactions (prescription refill, appointment scheduling) and sensitivity of subject matter (HIV, mental health) permitted over e-mail.
  • Instruct patients to put the category of transaction (prescription, appointment, medical advice, billing) in the subject line of the message for filtering.
  • Request that patients put their name and patient identification number in the body of the message.
  • Configure an automatic reply to acknowledge receipt of messages.
  • Print all messages, with replies and confirmation of receipt, and place them in the patient's paper chart.
  • Send a new message to inform the patient of completion of the request.
  • Request patients use an auto reply feature to acknowledge reading the clinician's message.
  • Develop archival and retrieval mechanisms.
  • Maintain a mailing list of patients, but do not send group mailings where recipients' names or addresses are visible.
  • Avoid anger, sarcasm, harsh criticism, and libelous references to third parties in messages.

TMA's principles are similar to those of the American Medical Association. To view the AMA's guidelines, click  here .

Back to article  



May 2009 Texas Medicine Contents
Texas Medicine Main Page