A bigger threat to patient privacy when doctors use Facebook

Stephen Wilson, Principal Consultant,
December 20, 2010

Moubarak et al conclude that "Residents and fellows frequently use Facebook and display personal information on their profiles. Insufficient privacy protection might have an impact on the doctor-patient relationship". I agree strongly; users of Online Social Networking sites clearly need to take care with their postings, and exercise the same sort of social graces, including inhibition, as we do in the real world.

Yet I caution that the medical profession should worry about more than incidental privacy breaches by doctors who might in effect simply 'forget where they are'. There are more serious systemic risks that can automatically identify select patients of doctors and make that information public.

The "find friends" feature of Facebook surreptitiously imports members' web mail address books in their entirety. The feature's overt purpose is to allow Facebook to find individuals that are common to pairs of people, so that those pairs can be suggested as potential friends. The "find friends" process is not clearly explained to users; in particular, Facebook does not mention that the entire address book is uploaded and retained [1].

I want to raise a new and distinct privacy risk for doctors and their patients: if doctors on Facebook happen to have patients in their web mail address books, and they use "find friends", then it is possible for associations between individuals and their doctors to inadvertently become public. For doctors working in mental health, sexual health, family planning, substance abuse and so on, naming their patients could have catastrophic consequences.

"Find friends" operates through an automatic web interface provided by Facebook to participating web mail services, such as Gmail, Hotmail and Yahoo. How likely is it that a patient might appear in their doctor's web mail address book? E-mail increasingly figures in the way many healthcare professionals interact with their patients. More and more patients are pressing their doctors to make use of e-mail and other online media, since they are routine now in so many walks of life.

Usually, doctors will have a specific workplace e-mail account, but some don't have the option. Many allied health professionals, counsellors, specialists and the like run their sole practices as small businesses. They don't have a major investment in IT, nor a deep understanding of the technology. Many such medicos do use web mail with patients. Further, web mail is being re-branded in the market as a "cloud" service, offered to businesses as a cost-effective alternative to managing their own e-mail domains (I note that the e-mail address for correspondence with the authors of the paper in question is a Gmail address). So the line may blur between private and workplace e-mail usage. Chillingly, Facebook CEO Mark Zuckerberg has shown a degree of contempt for people who feel the need to operate separate digital identities [2].

One way or another, including simply by accident, patient contact details will inevitably appear in some doctors' web mail address books. As a result, if a doctor signs up to Facebook and innocently allows "find friends" then Facebook will import e-mail addresses, some of which may be for patients. Note carefully that these individuals never have the chance to consent to being imported; they don't even know it's happening. Subsequently, others on Facebook will come automatically to learn that individuals are associated with doctors, indicating they may be patients of those doctors.

In conclusion, healthcare professionals using web mail should be warned against the risks to patient privacy should they join Facebook and use "find friends". Wherever possible, providers should use separate professional and personal e-mail accounts, but because this may not always be possible, and because accidental crossover may occur, the warning about "find friends" remains important.

[1] Wilson S, Johnston J, More trouble with Facebook. Privacy Law Bulletin 2010;7.2:25-8.

[2] Michael Zimmer blog, Facebook's Zuckerberg: "Having two identities for yourself is an example of a lack of integrity" 14 May 2010 http://michaelzimmer.org/2010/05/14/facebooks-zuckerberg-having-two-identities-for-yourself-is-an-example-of-a-lack-of-integrity (accessed 18 Dec 2010).

Conflict of Interest:

None declared

