Googling Patients It’s Not About Privacy, It’s About Respect

Photo by Christian Wiediger on Unsplash

INTRODUCTION

Huge amounts of public data on the internet and the ease with which we regularly search it have resulted in the phenomenon called Patient-Targeted Googling (PTG). PTG occurs when a clinician conducts an online search for information about a patient through any search engine, internet database, or social media site. The practice has provoked ethical discussion and the creation of practical guidelines to ensure clinicians use PTG ethically. One common theme in PTG literature is privacy and confidentiality. However, given that the relevant information is publicly accessible, privacy and confidentiality may not be applicable or accurate. In health and medicine, correctly applying the concepts of privacy and confidentially is important because these terms have rigid legal definitions that are often confusing and misunderstood. By refraining from legitimizing claims that patients’ publicly accessible data is “private” information, we can avoid the risks of inappropriately applying privacy and confidentiality concepts and further muddying the waters.

l.     Privacy and Confidentiality in PTG Literature

The literature on PTG consistently raises patient privacy and confidentiality concerns. For example, the article “Patient-targeted googling: The ethics of searching online for patient information” mentions the concept of privacy over a dozen times in its ethical and practical framework, designed for psychiatrists to use prior to engaging in a patient-targeted search.^[1] A later work begins with a statement that “[m]any physicians would agree that seeking information about their patients via Google seems to be an invasion of privacy . . .”^[2] Informal guidelines continue to address privacy and confidentiality when analyzing PTG and frame consent as necessary to respect patient privacy.^[3]

Research articles reporting investigations of PTG also categorize privacy violations as a risk to privacy and dignity.^[4] The AMA does not have a PTG ethics policy, but an article on the AMA website about PTG by a staff writer stated that “physicians have a fundamental ethical responsibility to respect patient privacy.”^[5] Ethical and practical discussions of PTG often involve concerns for privacy and confidentiality. However, the information found in PTG searches is not private or confidential.

ll.     The Information at Issue is Not Actually Private or Confidential

The information at issue in PTG is not hidden or secured from public view and is available to anyone conducting an internet search. Thus, it cannot be said to be private or confidential. Yet, privacy and confidentiality routinely come up in analyses of PTG. Perhaps this is because the information feels private. The thought of clinicians digging through the internet to find information about the patient feels like an invasion. They are trying to access information that the patient did not share with them in an unexpected way. People commonly associate privacy and confidentiality concepts with personal data access issues, so it is not surprising that privacy and confidentiality find their way into discussions on PTG.

While much of the literature focuses on privacy, some of the literature does acknowledge that this information is not really private or confidential. One article describes the patient experience as possibly a “perceived privacy” that stems from an assumption that clinicians will not conduct online searches for information about them just like they may assume “their psychiatrists would not eavesdrop on their conversations in restaurant.”^[6] Another acknowledges that there is a difference between legal definitions of privacy and confidentiality and “the layperson’s notion.”^[7] So, though looking up a patient’s Facebook profile does not legally violate the patient’s privacy, the patient may still consider it “private” in a layperson’s sense.

It is important for clinicians to be sensitive to actions that may feel violating to a patient. Clinicians should be aware that patients may consider PTG a breach of privacy. But literature geared towards ethics in clinical practice ought not confuse lay and legal definitions because doing so risks legitimizing an incorrect position. It is also not necessary to use privacy and confidentiality concepts to justify concerns and practice guidelines concerning PTG.

lll.     PTG as a Potential Violation of the Clinician-Patient Relationship

A better way to frame PTG is as a potential violation of the trust and respect inherent in the clinician-patient relationship. Patients understand and respect the traditional ways clinicians gather information about them. Clinicians simply ask their patients directly for most types of information, especially personal information. When done with sensitivity and patient understanding that the information is relevant to the interaction, collecting personal information does not feel inappropriately invasive (even if the process may be uncomfortable). This is partially because the questioning occurs within the confines of the clinician-patient relationship.

Some information a clinician may discover in an online search can also be gathered by “legitimate” means (like by asking the patient). Yet, accessing this information via PTG can still violate the clinician-patient relationship. This shows that it is not the nature of the information that makes the clinician’s access feel like an invasion, but the method they use to gather it. If the information clinicians seek is clinically relevant, patients expect that the clinician will ask for it. During that conversation, patients can ask why and how the information is relevant to their health care. It is the act of gathering this information outside the accepted boundary of the clinician-patient relationship that makes PTG potentially violating.

The use of PTG to gather information that is not clinically relevant is also problematic. Without resorting to privacy claims, the ethical analysis should identify the nature of the problem more accurately. Patients accept that clinicians ask them personal questions to serve their best interests. Once clinicians step outside that boundary by asking patients for clinically irrelevant information out of some voyeuristic or inappropriate interest, they break the trust and respect inherent in the relationship. A clinician that purposefully seeks out clinically irrelevant information is doing something problematic because the exercise does not connect to the clinician’s professional duties and patient interests. When clinicians ask for clinically irrelevant information during a patient visit, the patient has the opportunity to evaluate the questioning and respond accordingly (perhaps responding to an inquiry that seems purely conversational or designed to relieve stress or not answering an invasive, irrelevant question). With PTG, patients cannot evaluate and respond to the clinician or the inquiry, as they are unlikely to know it is occurring. Patients are not necessarily concerned that their doctor knows where they went to brunch last Sunday. Patients are concerned that clinicians are purposefully seeking out information neither connected to their health nor covered by the clinician-patient relationship and are likely doing so to satisfy their own interests. If the purpose of PTG does not serve the patient’s interests, clinicians should not conduct the search.^[8] Even if it does serve the patient’s interest, PTG may not be ethical.

The ethical significance does not hinge on whether the information is clinically relevant or not. What makes PTG potentially unethical is how it circumvents the methods of information gathering patients accept as appropriate in the clinician-patient relationship. Whether the information is or is not clinically relevant or in the patient’s best interests, the mode of collection is ethically problematic, nor addresses privacy.

lV.     Accurately Applying Concepts of Privacy and Confidentiality is Important

Privacy and confidentiality are not accurate concepts to apply to PTG. This point about privacy and confidentiality is worth making, even if it does not change the way PTG should be approached in clinical practice. The concepts and legal definitions of privacy and confidentiality are extremely important in health and medicine. Thus, it is crucial that privacy not be misconstrued to protect publicly available information.

One of the most important (and often misunderstood) examples is the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. This Rule protects only certain statutorily defined “individually identifiable health information” and “covered entities.”^[9] Violation of the Privacy Rule is grounds for statutory penalties.^[10] While there is room to criticize how well the Privacy Rule protects patients today, covered entities must follow it. The Privacy Rule remains an important component in protecting both patients and healthcare entities. Despite this, misunderstandings about HIPAA abound, even among clinicians.^[11] It has even been reported that some inaccurately claim that PTG violates HIPAA .^[12]

Other statutes also protect health data in a variety of ways. For example, the FTC Act creates an obligation to maintain appropriate security of health data and requires entities to keep promises they make about privacy.^[13] The Health Breach Notification Rule contains notice requirements for data breaches involving certain health information.^[14]

Additionally, the doctor-patient privilege protects confidential information from disclosure, and the exact confines of the privilege depend on the applicable statutes.^[15] As these examples demonstrate, there are many different legal requirements that concern privacy and confidentiality in the health sphere. These varying legal definitions and requirements create grounds for sincere confusion, even without adding non-legal definitions or perceptions into the equation.

Apart from the rigid context of existing statutes and laws, discussions surrounding the ethics of data, privacy, and security are occurring, and privacy laws are undergoing a period of rapid change. While patients and health entities can be reasonably sure what protections apply to medical records created by providers, there is significant uncertainty about the increasing amounts of health-related information generated and shared in our digital world by various entities. While it is clear that information located through a Google search is public, the actual (and ideal) legal and moral status of much of this new information is less certain.

For example, a multitude of health-related apps are available to consumers, many of which collect information that would be a part of a medical record if collected by a clinician. Numerous wearable devices collect data on consumers’ heart rates, exercise patterns and sleep patterns. In-home smart devices can track when users are active and what they are doing in their homes. It is often difficult for consumers to understand whether data collected about them is private and confidential, whether it is shared with or sold to third parties, and whether any legal protections apply. People may waive their right to privacy without fully understanding what companies may do with the data. An important part of our social discourse on health, data security, and privacy involves how we treat or ought to treat that data and what protections we should afford to patients as consumers.

It can be difficult to determine which health data is truly private or confidential. In our collective effort to decide how to categorize and use data, it is important not to muddy the waters unnecessarily by applying concepts of privacy and confidentiality to data that definitely does not meet those criteria and simply is not private. This is especially true in the healthcare context when there is already confusion on what is private and confidential. Getting it wrong can result in legal consequences and significant patient harm.

CONCLUSION

Literature on PTG often references or applies the concepts of privacy and confidentiality. However, the information found through PTG is publicly accessible. While patients may perceive PTG as a breach of privacy, patient perception is not a reason for the literature to claim that publicly accessible information is also private. Instead, PTG is better conceptualized as a potential breach of the trust and respect inherent in the clinician-patient relationship. Privacy and confidentiality are incredibly important in health and medicine and often have strict legal definitions. Data security and privacy issues are becoming increasingly important as we undergo a digital health revolution. We should be careful to avoid confusing these conversations by applying concepts of privacy and confidentiality to public information.

-

[1] Clinton, Brian K., et al. “Patient-Targeted Googling: The Ethics of Searching Online for Patient Information.” Harvard Review of Psychiatry, vol. 18, no. 2, 2010, pp. 103–112., https://doi.org/10.3109/10673221003683861.

[2] Baker, Maria J., et al. “Navigating the Google Blind Spot: An Emerging Need for Professional Guidelines to Address Patient-Targeted Googling.” Journal of General Internal Medicine, vol. 30, no. 1, 17 Sept. 2014, pp. 6–7., https://doi.org/10.1007/s11606-014-3030-7.

[3] Geppert, Cynthia. “To Google or Not to Google? Is ‘Patient-Targeted’ Googling Ethical?” Psychiatric Times, vol. 34, no. 1, Jan. 2017, pp. 1–4, https://www.psychiatrictimes.com/view/google-or-not-google-patient-targeted-googling-ethical.

[4] Chester, Aaron N., et al. “Patient-Targeted Googling and Social Media: A Cross-Sectional Study of Senior Medical Students.” BMC Medical Ethics, vol. 18, no. 1, 2017, https://doi.org/10.1186/s12910-017-0230-9.

[5] “Should Physicians Google Patients?” American Medical Association, 9 Mar. 2015, https://www.ama-assn.org/delivering-care/patient-support-advocacy/should-physicians-google-patients#:~:text=Although%20AMA%20has%20no%20ethics,responsibility%20to%20respect%20patient%20privacy.

[6] Clinton, “Patient-targeted googling: The ethics of searching online for patient information.”

[7] Lehavot, Keren, et al. “Ethical Considerations and Social Media: A Case of Suicidal Postings on Facebook.” Journal of Dual Diagnosis, vol. 8, no. 4, 2012, pp. 341–346., https://doi.org/10.1080/15504263.2012.718928.

[8] Clinton, B.K., “Patient-targeted googling: The ethics of searching online for patient information.” This paper provides an excellent framework for those interested in a deeper analysis of potential uses of PTG.

[9] 45 C.F.R. § 160.103.

[10] “Summary of the HIPAA Privacy Rule.” HHS.gov, Office for Civil Rights, U.S. Department of Health & Human Services, 26 July 2013, https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html#:~:text=The%20Privacy%20Rule%20protects%20all,health%20information%20(PHI).%22.

[11] Lo, Bernard, et al. “HIPAA and Patient Care: the Role for Professional Judgment.” JAMA, vol. 293, no. 14, 13 Apr. 2005, pp. 1766–1771., https://doi.org/10.1001/jama.293.14.1766.

[12] Geppert, “To Google or Not to Google? Is ‘Patient-Targeted’ Googling Ethical?”

[13] “Health Privacy.” Federal Trade Commission, https://www.ftc.gov/business-guidance/privacy-security/health-privacy.

[14] “Complying with FTC's Health Breach Notification Rule.” Federal Trade Commission, Jan. 2022, https://www.ftc.gov/business-guidance/resources/complying-ftcs-health-breach-notification-rule-0.

[15] “Doctor-Patient Privilege.” Legal Information Institute, Cornell Law School, https://www.law.cornell.edu/wex/doctor-patient_privilege.