Legal Update

Managing Social Media Risks in Healthcare

9 October 2014
Mayer Brown Legal Update

The staggering statistics on the use of social media should come as a surprise to no one. According to 2014 numbers, 74% of adults with online access use social networking sites. For Internet users between ages 18 and 29, that figure is over 90%.[1] Facebook alone has 1.32 billion active users.[2]

For businesses, social media presents a multitude of both opportunities and challenges. Businesses in every industry have leaned on these online platforms to reach potential customers and build brand awareness in whole new ways, but at the same time these tools have raised consumers’ expectations of online availability and have created issues around employee use.

For the healthcare industry, both the opportunities and challenges are amplified. There is a clear demand for healthcare-themed social media content: according to the Pew Internet Project, eight in ten Internet users look online for health information, making it the third most popular online pursuit.[3]  

And social media has already proved useful to the extent it has been utilized: some research has shown, for example, that the number of “likes” a healthcare provider has on Facebook is correlated with the actual quality of that provider’s care. One provider is utilizing Twitter to monitor and respond to lengthy emergency room wait times. Or, in one very specific example, a woman with a rare heart disease found, via social media, more than 100 other people with the same condition, which allowed a research study at the Mayo Clinic to be expanded.[4]

But the benefits cannot overshadow the significant risks that are specific to the healthcare industry. For instance, providers have to protect the private health information to which they have access in compliance with the HIPAA Privacy Rule,[5] which only allows for very limited disclosures of individuals’ health information and imposes significant civil monetary and criminal penalties for Rule violations. Healthcare companies are also subject to numerous stringent regulations regarding approval of products and how they are allowed to promote those products.[6]  

Social media makes violations of such laws even more concerning because those platforms distribute information instantaneously to a wide audience and create a permanent electronic record that is likely discoverable in litigation. Below are just a few examples of how social media use has had negative impacts on healthcare companies:  

  • AMARC Enterprises received a warning letter from the FDA in 2013 for clicking “Like” on a Facebook patient testimonial that was discussing an unapproved claim regarding its product.[7]
  • A drug manufacturer received a critical letter from the FDA because its Facebook page for a drug failed to mention the drug’s risks, which the FDA found to be “misleadingly suggest[ing]” that the drug was safer than demonstrated.[8]

  • Indiana University Health had to terminate a number of employees based on social media use, including one employee who posted a revealing photo of a patient on Facebook and another who engaged in what amounted to treatment of a patient via a comment thread on a Facebook page.[9]

  • A Rhode Island physician was fired and reprimanded by the state medical board after she had written about a patient online. She did not use the patient’s name or intentionally identify the patient, but the doctor’s description of the patient’s injuries was specific enough that a third party was able to identify the patient.[10]

Some in the healthcare industry have reacted to these risks by minimizing or prohibiting the use of social media. That, however, is likely not the answer, as not only does it put these companies at a competitive disadvantage, but it also may leave companies unaware of how they and their employees are being represented on social media.

Instead, healthcare companies should carefully think through social media uses and risks, implement any necessary processes, and communicate to their employees how social media may impact their professional lives or the company. Below are several considerations:

  • Written policies and procedures should include provisions on employee use of social media, and companies should train and monitor employees’ use to the extent possible. Policies should be continually updated to account for all the different types of social media (Facebook, LinkedIn, Twitter, Instagram, Snapchat, etc.) and all the different devices that may be used for posting (work and personal computers, mobile devices, etc.).
  • Training and monitoring could also include an option for employees to anonymously report potential violations, as social media often may be filtered differently based on the network that is accessing the social media post (i.e., a Facebook “Friend” may have more access to an individual’s profile than a general member of the public).

  • Written policies and procedures should also detail how the company will be represented on social media. Such policies should take into account marketing regulations that apply to the company--regulations that should be followed across all platforms, no matter how short or “informal” the platform appears to be. Dedicated staff tasked with posting and monitoring social media may be advisable.

  • On a related note, allowing feedback from external entities increases the risk that negative comments or other negative exposure could be posted. Companies should consider controls for this concern, such as continually reviewing social media sites and removing offensive contributions.

  • Companies may want to consider liability insurance that specifically addresses this risk.

  • HIPAA privacy and security compliance programs should be proactively audited, and any weaknesses found should be corrected as soon as possible.

[1] Social Networking Fact Sheet, Pew Research Internet Project.

[3] Health Topics, Pew Research Internet Project.

[4] Sam Pfeifle, How to Do Social Media in Healthcare with Privacy in Mind, The Privacy Advisor.

[5] See 45 C.F.R. Part 160 and Subparts A and E of Part 164.

[6] See, e.g., 21 C.F.R. §801.4 (defining the limits of “intended uses” for a medical device).  

[7] Warning Letter to AMARC Enterprises, Inc., U.S. FDA.

[9] Pfeifle, supra note 4.

[10] Chelsea Conaboy, For Doctors, Social Media a Tricky Case, The Boston Globe (Apr. 20, 2011).
