Can physicians google their patients and be HIPAA compliant?

When faced with incomplete patient data or the need to supplement existing information, healthcare providers might be tempted to use familiar tools like Google. Advice from the American Medical Association suggests, “Although AMA has no ethics policy that specifically addresses Googling patients, Patrick McCormick, chair of the AMA Council on Ethical and Judicial Affairs, said that physicians have a fundamental ethical responsibility to respect patient privacy.” While this approach does not directly violate HIPAA regulations, it is a practice wrapped in ethical complexities.

What does HIPAA say?

The act of a physician or healthcare provider using Google or another search engine to find information about a patient falls into a grey area under HIPAA. This is because the information obtained through such means is typically not part of the medical record and is often publicly available. As such, it is not considered PHI in the traditional sense, and HIPAA's stringent rules around the use and disclosure of PHI do not directly apply.

However, this does not mean that there are no ethical or professional implications. HIPAA sets a broader precedent for respecting patient privacy and confidentiality. While it might not explicitly forbid Googling a patient, such actions could be seen as at odds with the spirit of HIPAA.

See also: HIPAA Compliant Email: The Definitive Guide

The ethical dilemma 

Although there are many ways in which the research of patients may be used in practice, we are going to be taking a look at a more recognized approach to analyze the ethical dilemma. This practice takes the form known as "Patient-Targeted Googling" (PTG), which stems from the intersection of modern technology with traditional medical ethics. Let us take a look at the main points of contention:

1. There is the issue of patient privacy and trust. The foundational elements of the healthcare profession include respecting patient confidentiality and maintaining trust in the patient-provider relationship. Googling a patient can be seen as an intrusion into their private life, potentially eroding the trust they place in their healthcare provider. This is particularly sensitive if the information sought is not directly relevant to patient care or is driven by curiosity rather than clinical necessity.
2. How accurate is the information? The accuracy and relevance of information found online are not always guaranteed. The internet is replete with both accurate and misleading information. Decisions based on incorrect or irrelevant online data could negatively impact patient care, leading to biased or inappropriate treatment decisions.
3. There is also the issue of informed consent. In traditional medical practice, informed consent is required for procedures and treatments. However, when it comes to PTG, the lines are blurred. Should patients be informed that their doctor might use online sources to supplement their medical information? And if so, should they have the right to consent or refuse?
4. The act of Googling a patient can be seen as a departure from standard medical practice, where information is typically gathered through direct patient interaction, medical tests, and other professional channels. Relying on online searches may lead healthcare providers to bypass these standard, more reliable methods.
5. Why is the practice implementing this practice? Motivations behind PTG need to be examined. Is the search being conducted for the genuine wellbeing of the patient, or out of mere curiosity? The intent behind the search plays a role in determining its ethical standing.

See also: "We're not in a hurry," Google Research Expert discusses responsible use of AI

The trouble with using the internet

The internet, as a vast repository of data, includes an array of sources varying in credibility and accuracy. When healthcare providers turn to this digital landscape to gather information about patients, they risk encountering misinformation, outdated facts, or contextually incomplete data. Unlike medical records or direct patient interactions, which are governed by strict standards of accuracy and relevance, the information on the internet is not specifically tailored or verified for medical purposes. This can lead to scenarios where a physician might base their clinical judgments or understanding of a patient's background on erroneous or misleading online content. 

But at the end of the day, the decision to research patients using online sources ultimately rests in the hands of healthcare providers. 

See also: How to use tracking pixels and be HIPAA compliant

FAQs

When is sharing patient information a violation? 

Sharing patient information is a violation when it is done without the patient's consent or for purposes not permitted under HIPAA, such as non-medical reasons.

What is PHI?

Protected health information is any information about health status, provision of health care, or health care payment that can be linked to an individual.

Who governs the way PHI is shared by healthcare providers?

The U.S. Department of Health and Human Services (HHS) governs the way PHI is shared by healthcare providers.