The use of social media applies to both personal and professional matters. In medicine, online platforms have become a popular medium for sharing patient information and cases, either to seek a colleague’s opinion on complex diseases and reach an exact diagnosis, or to share knowledge on medical forums. Such online activities presume doctors’ obligations of privacy and confidentiality and require a profound knowledge of the legal implications.
Confidentiality and privacy are very distinct concepts for sharing patient information, whereby:
- Confidentiality is the practitioner’s duty to safeguard patients’ personal and medical records with discretion.
- Privacy is a legal matter governed by the Privacy Act, which regulates how patients’ information should be collected, stored and possibly disclosed.
Both confidentiality and privacy are cornerstones of the medical profession and need to be respected, particularly when working with online platforms, to ensure the correct use of the data acquired throughout the process of patient care. As advised in a recent article, it is paramount for practitioners to have a working knowledge of medical law.
How can physicians share patient information safely online?
The Office of the Australian Information Commissioner (OAIC) puts substantial weight on the de-identification of patients’ medical information as a privacy-enhancing tool. Its application ensures adherence to the Privacy Act. However, there are caveats to the de-identification of patients’ data. De-identification must be robust, meaning that it minimises the risk of re-identification (by the patients themselves or by their next of kin and friends) through supplementary information provided beyond the standard demographics (age, gender, etc).
The two steps recommended by the OAIC are the removal of “direct identifiers” and, as a second measure, the removal or alteration of other information, e.g. diagnosis of a rare disease, radiologic images, medical history, injury mechanisms, to name a few.
The other measure relates to the installation of safeguards for the storage of data sets that may be shared publicly, to prevent any breach of the platforms. In addition, to protect patients’ privacy, the Act requires such data to be safely stored in the original form as well, to comply with record-keeping regulations.
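An added illustration of the two de-identification steps described above (not code from the OAIC or from this article): direct identifiers are dropped, exact age is altered to a band, and any row whose remaining combination of details is shared by fewer than k rows is flagged as still re-identifiable. The field names, sample records, age banding and the group-size threshold k are assumptions made for the example; the article does not prescribe a specific measure.

```python
from collections import Counter

# Constructed sample records; every field name and value is hypothetical.
RECORDS = [
    {"name": "A. Example", "record_no": "R-0001", "age": 34, "gender": "F",
     "location": "Sydney", "diagnosis": "asthma"},
    {"name": "B. Example", "record_no": "R-0002", "age": 37, "gender": "F",
     "location": "Sydney", "diagnosis": "asthma"},
    {"name": "C. Example", "record_no": "R-0003", "age": 36, "gender": "F",
     "location": "Sydney", "diagnosis": "asthma"},
    {"name": "D. Example", "record_no": "R-0004", "age": 61, "gender": "M",
     "location": "Sydney", "diagnosis": "rare metabolic disorder"},
]

# Step 1 removes these outright; step 2 checks the rest in combination.
DIRECT_IDENTIFIERS = {"name", "record_no"}
QUASI_IDENTIFIERS = ("age_band", "gender", "location", "diagnosis")


def strip_direct(record):
    """Step 1: drop fields that identify the patient on their own."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalise(record):
    """Step 2 (alteration): replace the exact age with a 10-year band."""
    out = dict(record)
    low = (out.pop("age") // 10) * 10
    out["age_band"] = f"{low}-{low + 9}"
    return out


def deidentify(records):
    return [generalise(strip_direct(r)) for r in records]


def risky_rows(rows, k=2):
    """Rows whose quasi-identifier combination is shared by fewer than k rows."""
    def key(row):
        return tuple(row[q] for q in QUASI_IDENTIFIERS)
    sizes = Counter(key(r) for r in rows)
    return [r for r in rows if sizes[key(r)] < k]


if __name__ == "__main__":
    for row in risky_rows(deidentify(RECORDS), k=2):
        print("still re-identifiable:", row)
```

The rare-disease record remains unique after both steps, which is the situation the article warns about: removing names alone does not prevent re-identification.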
Can patients’ consent protect the physician?
A fundamental suggestion of the Australian Privacy Principles contained in the Privacy Act is for physicians to request patients’ consent to allow for the disclosure of their medical records to their peers. This encompasses sharing medical information with the purpose of assisting the treating physician in providing the best possible care. Unfortunately, re-identification of a patient can be achieved when basic demographic information, details of the physician’s identity and practice location are mentioned online, or because of the specified medical history of complex diseases that make these cases unique. To reinforce the Privacy Act, the Australian Medical Association states that it is critical that “any patient or situation cannot be identified by the sum of information available online”.
Patient re-identification does happen
It is not a rare event that patients re-identify themselves through data shared on media and online platforms. If this occurs in a case where consent was not provided to the physician, then the physician becomes liable for breach of confidentiality or privacy despite having de-identified the patient information. It is recommended that, even when consent has been obtained, a physician should record any discussion held, whether online or not, including on which platform it took place, and keep screenshots of the online discussion with other physicians. However, this remains a suggestion and is not a requirement.
If a treating physician held discussions with other colleagues who provided some opinion on a case, the doctors being consulted have no duty to the patient, as they did not have a direct relationship with the patient. Also, their opinion was provided exclusively to the treating doctor, who could have used it at his/her discretion, and not to treat the patient, thus freeing the consulted doctors from any legal responsibilities.
Patients’ rights and responsibilities
The patient owns his/her medical information. It is at their discretion to request any documentation and share it or not with their health professionals or hospitals. The Australian Government offered the eHealth system (MyHealth Record), an online portal for medical information. This recently caused controversy as it was found to be unreliable both for medical purposes and for protection against information security attacks.
Patients are free to add or delete medical information or opt out of eHealth altogether to prevent any potential misuse of their personal records. If a patient feels that a healthcare provider is breaking/abusing their privacy or confidentiality, the patient can speak to the professional or the institution where the professional works, or formally complain to the Complaints Commissioner.
Exemptions to privacy laws occur in cases of emergency where asking for consent is not possible e.g. the patient is unconscious, or when a medical condition diagnosed in a patient can affect the broad community, e.g. a contagious illness.
A guide to online professionalism for medical practitioners
Because of the risks brought by the mounting use of social media by medical professionals, a number of associations (the Australian Medical Association Council of Doctors-in-Training, the New Zealand Medical Association Doctors-in-Training Council, the New Zealand Medical Students’ Association and the Australian Medical Students’ Association) have joined together to generate guidelines and recommendations for doctors and medical students regarding both their relationships with patients and how to handle medical records online. These guidelines also define the professional etiquette in collegial relationships among peers and in respect to the workplace in which they operate. This is particularly relevant to younger medical students and doctors who are more adept users of social networks.
This comprehensive document puts emphasis on doctors’ ethical and legal responsibilities to patients’ confidentiality. Breaching confidentiality may result in complaints to the medical registration authority, including the involvement of the Privacy Commissioner and legal actions. The medical boards of Australia have investigated physicians for having posted information on social networks that led to the identification of patients. Within the doctor-patient relationship, it is paramount to maintain professional boundaries by avoiding, for example, accepting a friendship request from a patient on social platforms. Accepting one could result in serious disciplinary sanctions against the doctor.
The document also gives guidance on professional codes of conduct online, whereby doctors should not harm the reputation of their colleagues, which could lead to defamation lawsuits. When using social networks, breach of conduct can take different forms, including the release of derogatory/discriminatory judgments, or hospital staff sharing photos or comments of an offensive nature towards patients and the institution, which may lead to their suspension.
Advice is also given to medical professionals regarding their use of personal social networks like Facebook. Increasingly, employers carry out online searches, including of social media, prior to recruiting a medical professional. This also concerns prospective students when they apply to medical school. Social networks are volatile and, despite improvements in their privacy settings, any material posted or shared online is considered to be public. Even deleted material will remain stored somewhere in cyberspace.
The content and images found in any educational material released by Lex Medicus and Lex Medicus Publishing are protected by copyright.