Disclosure on social media

disclosure on social media

A photograph of an operating list posted on a social media networking site amounted to a breach of patient confidentiality.

Two surgeons who had been friends since medical school worked in trusts at opposite ends of the country. Pressures of work meant they rarely saw each other, so they kept in touch through social media networking sites.

The first doctor, an orthopaedics registrar, had been instant messaging his friend, complaining about how busy his new job was. As an example of a busy day he had had recently, he posted a photograph of his operating list on a publicly available website. 

The theatre list clearly showed not only what operations he was due to perform, but also the name of the hospital, the names of the 10 patients, their dates of birth and NHS numbers, amongst other identifying details.

His friend was concerned that this confidential information was now potentially in the public domain, even though the surgeon intended the photograph to be viewed only by his friends on the website. She rang the MDU to ask whether the disclosure of these details could make the patients vulnerable to identity fraud.

MDU advice

The MDU adviser agreed with our member that it was inappropriate to post this image and that it constituted a breach of the patients' confidentiality. It would be inappropriate even if it were intended only for the doctor's friends. There was also the risk that it might seen by a much wider audience.

The GMC's guidance in Good Medical Practice (2013) states in paragraph 69:

"You should remember when using social media that communications intended for friends or family may become more widely available."

And its guidance on Confidentiality (2009) says in paragraph 13:

"Many improper disclosures are unintentional. You should not share identifiable information about patients where you can be overheard, for example, in a public place or in an internet chat forum."

Given the potential for patients to be distressed by seeing their details posted in this way, and the possibility that the disclosure could leave them vulnerable to identity theft, the other matter to be considered was whether anyone else should be notified of this breach of confidentiality. 

The member was advised to contact the Caldicott Guardian of her friend's employing hospital and notify them of the inappropriate disclosure of confidential patient details. The trust could then decide whether to take steps to contact the patients, and consider if the incident should be reported to the Information Commissioner.

Our member was reluctant to contact her friend's employer because of the possibility that he could be disciplined for his breach of confidence. The adviser understood the member's concern, but explained that it was her professional duty to report the matter. Paragraph 23 of Good Medical Practice (2013) advises that all doctors "must contribute to adverse incident recognition".

Alternatively, the trust might be reassured if the doctor reported the incident himself, as this would help to demonstrate he had a degree of insight into his action.

The outcome

Our member contacted her friend and made him aware of her concerns. She asked him to take the photograph down and explained that she had been advised to notify his trust. She planned to contact the Caldicott Guardian the following day, but told him she hoped he would report the incident himself in the meantime. He did so.

Dr Sally Old
Medico-legal adviser

Previous article Next article

This page was correct at publication on . Any guidance is intended as general guidance for members only. If you are a member and need specific advice relating to your own circumstances, please contact one of our advisers.