To help prevent privacy law violations on social media:
• Understand and comply with applicable federal and state privacy and data security laws
• Train staff never to disclose identifiable patient information or sensitive personal information via social media without proper patient authorization
• Keep in mind that patient information that is protected by privacy laws can extend beyond traditional patient records. Photo or videos of a patient, even just sitting in the waiting area, may be patient information that is protected by HIPAA. Merely revealing that an individual is a patient may violate privacy laws.
• HIPAA protects information that identifies a patient, or that could be used to identify a patient. Even if a patient’s name is not disclosed, if other data elements are disclosed that make the information identifiable, then the information may still be protected by HIPAA.
• Even if a patient has publicly disclosed his or her health information, HIPAA still applies to that information. A covered dental practice must protect patient information even if the patient has willingly made the information public.
• Responding to a patient’s comment on a social media site can result in a privacy law violation if the response includes information that identifies the patient, or that could be used to identify the patient. If a dental practice believes that it is prudent to respond to a post, restricting the response to a general statement that does not contain any information that could be used to identify a patient can help reduce the risk of a privacy law violation.
• Before posting patient photos, have the patient sign any authorization, consent or release forms required by HIPAA or any applicable state law. Applicable law may also require a dental practice to have staff members sign releases before posting their photos.
• Even photos depicting the interior of the dental practice should be screened to make sure they do not include any patient information. For example, make sure the photos do not include patient charts or computer screens displaying patient information.
In light of the importance of protecting patient privacy, and the risks associated with violating privacy laws, dentists may wish to have policies and procedures on privacy compliance when using social media.
Related References and Resources
• Question 121: What Effect Did the 2013 Omnibus Final Rule Have on HIPAA Compliance?
• Advertising Basics for Dentists and Dental Associations: A Guide to Federal and State Rules and Standards
ADA.org/en/member-center/member-benefits/legal-resources
• The ADA Practical Guide to Creating and Updating an Employee Office Manual
adacatalog.org or 1.800.947.4746
44. What Protective Measures Can I Build Into the Design of My Site to Help Avoid Liability?
Most websites use certain tools to protect against legal liability. The most common is the use of disclaimers. Disclaimers are typically housed in “Terms of Use” that explain and attempt to bind the user to the rules and limits of the site. Another tool is the “sign on” or “participation” agreement for particular site functions, which requires the user to specifically agree to certain additional rules, typically by clicking “I Accept” before accessing the desired Web page or function. These mechanisms usually purport to limit the user’s ability to sue for information on the site, or for what happens on the site, or for the results of using the site. The likelihood that these limitations will be upheld in court is at least theoretically advanced if your lawyer is able to tell the judge things such as:
• The user could not use those portions of the website without first seeing the rules
• The user had to proactively “click” his mouse on the “I Accept” button and thereby accept an agreement to play by those rules in order to obtain access to those portions of the website
• The user could always easily review those rules through a simple click on a readily identifiable link
If you post rules or policies that state you will not collect, use, disclose or track certain site visitor information, make sure that you abide by these rules or policies. The Federal Trade Commission (FTC) considers it a deceptive trade practice not to abide by a privacy policy that was posted on your website when the information about an individual was collected, unless you have obtained the individual’s consent to do otherwise. If your website may collect personal information you should take reasonable steps to protect the information.
Another legal concern has to do with website accessibility. The U.S. Department of Justice has stated that the websites of “public accommodations” must be accessible to individuals with disabilities under the Americans with Disabilities Act, a public accommodation is a business that is generally open to the public, including a dentist’s office. If you are developing a website for your practice, it would be prudent to have your website developer assure that your website will be accessible to persons with disabilities in compliance with some recognized standard, such as Section 508 or W3C Web Content Accessibility Guidelines (WCAG) 2.0.
45. What Steps About Site Content Can I Take to Reduce My Legal Exposure?
The specific words, graphics, and sounds on your site can make a world of difference legally. For example, do you really want to stand behind an absolute claim, such as “Whiter teeth guaranteed in 30 days”? Might a softer claim be just as effective from a marketing perspective? Words like “may, could, and might” are probably more defensible in many cases than “will, always, and shall.”
When developing your website’s content, think through what you are really trying to accomplish, and find the right words (and perhaps graphics and sound) to fit your objectives, while attempting to minimize your legal risks. Keep in mind the following:
• Be careful not to engage in the practice of dentistry online, unless that is your intent and you are properly insured
• To minimize the chances of being sued for inaccurate information, make sure your content is “solid” (accurate, truthful, and substantiated)
• Avoid using absolute claims (consider softer language where appropriate)
• Regularly update your site (e.g., take down information that is no longer accurate)
• Date the content on each page, so viewers will know what information is older and potentially less reliable (e.g., “created on …”, “last modified on …,” etc.)
• Archive your site, so you have a defense based on proof of what was actually on it if you are sued
• Maintain security, privacy, and confidentiality as appropriate
• Adhere to any applicable state and federal requirements
• Comply with copyright laws when using third party content
• Use a “Terms of Use” agreement to help protect against liability for third party content
Legal issues related to digital Internet marketing are, by and large, the same legal issues and concerns that arise when marketing in any other medium. What makes the Internet different is its ease