Facebook has been with us for fifteen years. In three years, it will be old enough to vote. What an invigorating thought.
In those fifteen years, Facebook has distinguished itself as one of the most powerful advertising platforms on the planet. It has also made a name for itself as a regulatory compliance hazard. The desire to participate is strong. And the advantages of mastering the platform are plentiful. Doctors (particularly doctors in cash-pay fields) who ignore Facebook risk forfeiting coveted market share. Qualified patients may perceive a practice with no social media presence as out of touch. But those who embrace social media unconditionally risk making costly mistakes. FTC violations and breaches of patient confidentiality are the foremost concerns.
Our members have voiced concerns about their social media endeavors in the past. We’ve assembled a list of their most commonly asked questions…
“Can we leverage social media in a way that minimizes the perceived risks and maximizes the benefits?”
“Can we use social media to advertise to users who are also patients?”
“Are Facebook’s native marketing tools HIPAA compliant?”
“My competitor is using Facebook’s custom audience integration. I suspect he’s targeting my patients deliberately. How does that work?”
This article will answer these questions and address many others. Let’s start by answering two big questions…
How does Facebook advertising work, anyway? More importantly – why should doctors care?
Facebook advertising works by asking questions. A doctor cannot use Facebook to advertise to its users until he tells Facebook whom to target. Doctors should familiarize themselves with these processes so they can foreclose the misuse of these tools. If your practice manager suggests leveraging Facebook ads, you need to understand the risks. The road to targeted advertising is paved with regulatory landmines.
Before a doctor can advertise through Facebook, he must first create something called an audience. This is an important step, as only members of a doctor’s audience are exposed to his advertisements. The process starts with a questionnaire. Its purpose is to define the doctor’s ideal patient.
Is your ideal patient male or female? Non-binary? How old are they? Where do they live? What is their estimated income level? What are their hobbies? Political affiliations? Collegiate allegiances? Shoe size? You can get surgical (pun intended) with your specifications or swing for the fences.
For example, an aesthetic surgeon practicing in Beverly Hills, California could tell Facebook he wants to target users who meet the following criteria…
Age 30 to 55…
Living in Beverly Hills, CA…
The doctor’s advertisements are then served to Facebook users who possess these four traits. Facebook does this by comparing the doctor’s description of an ideal patient to data its users have volunteered about themselves.
An audience constructed in this way is classified as a core audience. Audiences come in three varieties. The remaining classifications are customized audiences and lookalike audiences, and we’ll dissect all three before this article’s conclusion.
We believe core audience advertising is the least problematic of the three, as there is little room for the physician to betray the doctor-patient relationship. You cannot target specific users. You can only target a swathe of nonspecific users who claim to possess the traits you’ve specified.
Core audience targeting is useful because it allows physicians to serve ads to nodes of qualified leads. When clicked, the hypothetical advertisements we’ve described would likely direct the qualified user to the surgeon’s website. The user could then research the specialist, study his offerings, examine patient reviews, view before and after images, and contact the office directly to schedule a consultation. While the targeting process is eerie, there are no obvious compliance issues.
Which brings us to the second prong of our fork in the road and the axis of this article: Facebook Custom Audiences.
So – what makes the Custom Audience tool problematic for doctors?
Custom audience targeting allows doctors to serve specific ads to specific Facebook users – i.e., their existing patients. How is this possible? Like core audience targeting, it requires the physician to do some legwork. He must either feed Facebook patient data or create an environment where data can be extracted from patients. The physician can achieve this using one (or a combination) of the three techniques described below.
+ The doctor can upload a list of his existing patients to Facebook…
+ The doctor can tag visitors as they leave his practice’s website…
+ The doctor can tag users interacting with his customized smartphone app…
We’ll start by analyzing the most straightforward option – uploading a list of existing patients to Facebook.
The process is not complicated. Facebook presents the business owner (doctor) with a node. The doctor attaches a spreadsheet to this node, and the file is delivered to Facebook. The spreadsheet is presumably populated with data Facebook will use to identify specific users.
The data provided is checked against Facebook’s user records. If a name or email on the spreadsheet can be matched to a name or email within Facebook’s database, Facebook will assume that user is a member of your custom audience. This user is now a candidate for your advertisement.
But more importantly – you’ve just told Facebook there is a strong possibility that every entity on your uploaded list is your patient. At the very least, you’ve presented Facebook with enough context to infer a relationship.
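The matching step described above is worth seeing end to end, because it shows exactly what the receiving platform learns from an upload. The following Python simulation is an added example, not code from the article or from Facebook. It assumes, as a simplification of the real upload flow, that each identifier is normalized and SHA-256 hashed on the practice's side before upload, and that the platform hashes its own plaintext records the same way and intersects the two sets. The practice list and the platform's user records are constructed sample data. The defender's point it demonstrates: hashing hides the identifiers from anyone who does not already hold them, but the party that does hold them still learns, for every match, that this user is on a doctor's contact list.

```python
import hashlib
import re

# --- What leaves the practice ----------------------------------------------
# Constructed sample rows: the kind of spreadsheet a practice might upload.
PRACTICE_LIST = [
    {"email": "Jane.Doe@Example.com", "phone": "(555) 010-0001"},
    {"email": "john.roe@example.org", "phone": "555-010-0002"},
    {"email": "nobody@example.net", "phone": "555-010-0003"},
]


def normalize_email(email):
    """Lower-case and trim so that the same address always hashes the same way."""
    return email.strip().lower()


def normalize_phone(phone):
    """Keep digits only (assumption: a real platform would also add a country code)."""
    return re.sub(r"\D", "", phone)


def hash_identifier(value):
    """SHA-256 hex digest of a normalized identifier (assumed upload format)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def prepare_upload(rows):
    """Return the set of digests that would actually be sent to the platform."""
    digests = set()
    for row in rows:
        digests.add(hash_identifier(normalize_email(row["email"])))
        digests.add(hash_identifier(normalize_phone(row["phone"])))
    return digests


# --- What the platform already holds ----------------------------------------
# Constructed: plaintext records the platform gathered independently of the practice.
PLATFORM_USERS = {
    "user-1001": {"email": "jane.doe@example.com", "phone": "5550100001"},
    "user-1002": {"email": "john.roe@example.org", "phone": "5559999999"},
    "user-1003": {"email": "someone.else@example.com", "phone": "5550100099"},
}


def match_upload(upload_digests, platform_users):
    """Hash the platform's own records and intersect them with the upload.

    Returns {user_id: number_of_matching_identifiers} for every user whose
    email or phone digest appears in the uploaded set.
    """
    matched = {}
    for user_id, record in platform_users.items():
        candidates = {
            hash_identifier(normalize_email(record["email"])),
            hash_identifier(normalize_phone(record["phone"])),
        }
        hits = candidates & upload_digests
        if hits:
            matched[user_id] = len(hits)
    return matched


def inferred_facts(matched, advertiser_label):
    """What the platform now knows about each matched user that it did not know before."""
    return {uid: f"{advertiser_label} has this user on its contact list" for uid in matched}


if __name__ == "__main__":
    digests = prepare_upload(PRACTICE_LIST)
    for uid, fact in inferred_facts(match_upload(digests, PLATFORM_USERS), "a clinic").items():
        print(uid, "->", fact)
```

Running the block matches two of the three constructed rows: Jane Doe on both email and phone, John Roe on email only. The third row never matches, but the practice has no way of knowing that in advance, so the decision to upload has to be made as if every row will match.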
This process is not unlike visiting a library. We approach the librarian (or engage with a computer) and offer a piece of data – the title of a book, its genre, its author, etc. That information is used to isolate the object of our desires and extract it.
Facebook’s priorities when constructing this tool were likely: ease of use and utility. Regulatory compliance was less than an afterthought, and this is not a criticism. Facebook’s job was to create a system that allowed business owners to advertise to qualified candidates. In this respect, they succeeded. The problem is that the legislation that regulates the sale of most commercial goods is less robust than what you’d find in the healthcare industry.
Should your local coffee shop seek permission before uploading a list of customers to Facebook? Yes. But our point is that the coffee shop does not need to worry about a spontaneous HIPAA audit. The physician practicing a few miles up the road does.
We could dedicate the rest of this article to brainstorming all the nefarious ways the custom audience interface could violate a patient’s privacy. We won’t go that far, but here is a choice example to drive our point.
You are a physician who treats HIV positive patients. Your patient is receiving treatment for HIV. His contact information is uploaded to Facebook using the methods we’ve described. That patient is then served advertisements for HIV related items: trial therapies, assorted medications, case studies, etc. Let’s pretend a loved one is looking over his shoulder while he is browsing Facebook. Perhaps at a holiday gathering. If this loved one sees the ads in great frequency, the dots may be connected.
And if it wasn’t obvious, let’s make two things clear – not only have you told Facebook a specific user is your patient, you’ve implied to Facebook that this user has HIV.
But what if a physician still wants to use custom audience advertising? Recall he has three options to consider when creating a custom audience. Uploading a list of existing “customers” is only one option.
So, what about the other two? Are they any better?
We’ll keep our opinions to ourselves – at least until we’ve finished explaining how each works. Until then, we encourage you to study the mechanics described and cast your own predictions.
Let’s assess the risks of tracking website visitors with Facebook…
If a physician is against uploading a list of patients to Facebook, he can still help Facebook identify strong candidates for his services by tracking people who visit his website. The process works like this: the physician inserts a snippet of code – called the Facebook Pixel – into his practice’s website. Not his practice’s Facebook profile – his actual website.
When someone visits his website, the visitor is “tagged” by this pixel. To borrow a metaphor from Mother Nature – the prospective patient (a bee) visits the doctor’s website (the flower) and then, after interacting with his website, the visitor leaves with that special code we referenced earlier – the Facebook Pixel – embedded in his web browser.
Think of the Facebook Pixel as a grain of pollen and the visitor’s web browser as a pollen brush – the part of the bee that collects the pollen. When the prospective patient returns to his Facebook account, that piece of code (the grain of pollen) interacts with Facebook’s own internal mechanisms. That visitor is then identified as a candidate for the physician’s advertisements. Not long after this “cross pollination” takes place, the visitor’s newsfeed is blooming with advertisements for the doctor’s services.
If you’ve ever wondered why ads for products you’ve recently browsed on Amazon mysteriously appear in your Facebook feed, now you know.
And much like in the real world, the grain of pollen (Facebook’s tracking code) does not ask the bee (the patient) if it can hitchhike – it just hangs on for the ride, and pollination happens naturally.
Is this a problem? The entity in our example isn’t a patient, after all. He’s a “prospective” patient. Meaning the integral doctor-patient relationship doesn’t exist – yet. But what happens when he becomes a patient? Or what if he is an existing patient who has, for one reason or another, never previously visited his physician’s website?
Assuming he isn’t a patient – once he becomes a patient, can his doctor remotely expunge this pixel from the patient’s web browser and exclude him from his advertising? Yes and no. The doctor can tell Facebook to “exclude” a visitor if the visitor fulfills certain conditions when visiting the practice’s website. If the patient visits a special page (a patient portal, for example), he can, in theory, be excluded from advertising. This is an imperfect solution. For one, this strategy only works if the doctor can guarantee every patient will take the manual actions required to exclude himself from advertising. If even one patient deviates from the route his doctor has constructed for him, he’ll continue seeing ads.
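The exclusion problem above reduces to a simpler question a practice can actually check: on which of its pages does the Pixel code load at all, and does that include patient-facing pages such as a portal? The following Python audit is an added example, not code from the article or from Facebook. It parses each page's HTML, looks for the markers of the standard Pixel base code (the loader script host connect.facebook.net, the fbq function it defines, and the noscript fallback image at facebook.com/tr), and rates any hit under a sensitive path as high severity. The sample pages, the PIXEL_ID_PLACEHOLDER value and the /portal prefix are constructed for the example; the loader body is omitted.

```python
from html.parser import HTMLParser

# Substrings that identify the standard Facebook Pixel base code.
PIXEL_MARKERS = ("connect.facebook.net", "fbq(", "facebook.com/tr")


class _TagCollector(HTMLParser):
    """Collects external script/img URLs and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.sources = []      # src attributes of <script> and <img>
        self.inline = []       # text inside <script> ... </script>
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            if attrs.get("src"):
                self.sources.append(attrs["src"])
        elif tag == "img" and attrs.get("src"):
            self.sources.append(attrs["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def find_pixel_markers(html):
    """Return the sorted list of Pixel markers present in a page's scripts and images."""
    parser = _TagCollector()
    parser.feed(html)
    found = set()
    for text in parser.sources + parser.inline:
        for marker in PIXEL_MARKERS:
            if marker in text:
                found.add(marker)
    return sorted(found)


def audit_site(pages, sensitive_prefixes):
    """pages: {path: html}. Rates each page: none / medium / high (Pixel on a sensitive path)."""
    findings = []
    for path, html in sorted(pages.items()):
        markers = find_pixel_markers(html)
        sensitive = any(path.startswith(prefix) for prefix in sensitive_prefixes)
        if not markers:
            severity = "none"
        elif sensitive:
            severity = "high"
        else:
            severity = "medium"
        findings.append({"path": path, "markers": markers, "severity": severity})
    return findings


# Constructed snippet shaped like the Pixel base code (loader body omitted, placeholder id).
PIXEL_SNIPPET = """
<script>
  !function(f,b,e,v,n,t,s){/* loader body omitted */}(window, document, 'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&ev=PageView&noscript=1"/></noscript>
"""

# Constructed sample site: the Pixel was pasted into a shared header, so it also
# loads on the patient portal login page.
SAMPLE_PAGES = {
    "/": "<html><head><title>Home</title>" + PIXEL_SNIPPET + "</head><body>Welcome</body></html>",
    "/contact": "<html><head><title>Contact</title></head>"
                "<body><script src='/js/app.js'></script></body></html>",
    "/portal/login": "<html><head><title>Patient portal</title>" + PIXEL_SNIPPET
                     + "</head><body><form>login form</form></body></html>",
}
SENSITIVE_PREFIXES = ("/portal",)

if __name__ == "__main__":
    for finding in audit_site(SAMPLE_PAGES, SENSITIVE_PREFIXES):
        print(f"{finding['severity']:6} {finding['path']:15} {finding['markers']}")
```

In the constructed site the home page rates medium and the portal login page rates high, which is the case the article warns about: a Pixel placed in a site-wide template follows patients into the very pages meant to exclude them. Feeding the audit the fetched HTML of a real site is a one-line change, and the sensitive-prefix list is where a practice records which paths it considers patient-facing.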
On to the less obvious problem – inference. The purpose of advertising on social media is to drive qualified leads to your business. For doctors, this means driving qualified patients to their practices. Facebook did not build this advertising tool with HIPAA in mind, but we can assume Facebook knows why HIPAA exists. We must also assume any bad actors working within Facebook can infer the doctor-patient relationship if they are given enough context.
Your relationship with the tagged user is not explicit, but it can be inferred. Facebook may have already known Jane Doe’s email and phone number, but this ritual (which you’ve enabled) has taught it something it did not already know – that a business identifying as a doctor’s office considers Jane Doe a candidate for a facelift. Or a bariatric procedure. Or a weight loss regimen. Or whatever services your practice provides. Facebook might serve this data to other third-party advertisers – either intentionally or as result of a security breach. And once advertisers infer a medical condition, pharmaceutical companies may seize that data and insert Ms. Doe into their own targeted campaigns.
It does not matter if Jane has been regaling her followers with intimate details of her medical affairs for years – what matters is that an entity representing your practice has directly or indirectly identified her as your patient and then passed this information to an entity that is not a HIPAA business associate.
The purpose of the Facebook Pixel is to facilitate the transfer of information – email, phone number, residence, etc. And if the practice implementing this technique has outsourced the technical work to a third-party who is already unfamiliar with regulatory compliance, imagine the legwork required to keep this entity from self-destructing. And if this third-party isn’t a HIPAA business associate, your problems have gone from bad to very bad. And for all the same reasons we’ve outlined above. With few exceptions, entities that are not HIPAA business associates cannot have access to patient data without the patient’s explicit authorization.
The spools of yarn unfold onward, upward, and into infinity and beyond. And there’s still one more method to consider.
It is worth noting doctors can construct a custom audience by extracting data from their practice’s customized smartphone app. This last option is only relevant if your practice offers such an application. Unless you work for a large hospital or healthcare network, this last tool likely does not apply to you. The technical details differ, but the principles are identical. As are the compliance issues. When a user opens your application, he is tagged with a snippet of code. This code tracks the user’s behavior as he navigates his phone, covertly collecting data until the user opens Facebook. That user is then identified as a candidate for the business’s advertisements, provided he meets your prescribed criteria.
We’re left with one more audience to dissect: the lookalike audience.
This kind of targeting has the potential to be useful to doctors, but it comes with its own set of problems. The fundamental difference between a lookalike audience and its counterparts (core and custom) is that a lookalike audience cannot exist by itself. It must model itself after an existing audience. Meaning the doctor must present Facebook with a collection of data points and tell Facebook:
“Assemble a new list of people who share traits with this old list of people.”
The audience you designate as your “sample” can be a custom audience you’ve already created. Or it can be composed of data points extracted from entities who’ve visited your website. You can also create a lookalike audience based on users who have “liked” your practice’s Facebook page.
To be clear – the members of your lookalike audience and its sample audience do not co-mingle, unless you jump through some extra hoops. If Jane Doe is in your designated sample, she won’t appear in your lookalike. The objective of the lookalike is to market to new users who qualify for the same services as Jane Doe. Meaning you could offer Facebook a sample of your existing patients and never advertise to the entities featured on that list.
Is this a problem? It depends on what is used as the sample audience. The scenario we’ve described assumes the doctor has presented Facebook with a list of his existing patients. In this case, our imaginary friend is on the cusp of making a big mistake. Conversely, if he presents Facebook with a collection of character traits like sex, age, income level, and place of residence, he’s straddling a comparatively “safer” fork in the road.
The reason: He has not offered Facebook information about real patients, or even real people. All he’s fed Facebook is a list of desirable traits.
We believe physicians can only safely leverage core audience advertising and lookalike audience advertising. And lookalike audiences can only be used if their sample audiences do not contain data extracted from existing patients. Custom audience advertising requires doctors to either upload patient information directly to Facebook or create an environment where it can be extracted without the patient’s consent.
The Achilles heel shared among these tools is their association with social media, a space known for its rapid evolution. In the rush to stay relevant, Facebook churns out tools designed to be used by business owners to engage their online audiences. The dilemma is that these tools are not designed with regulatory compliance in mind. And the frequency of their publication (and their alleged conversion rates) presents doctors with new, attractive solutions to old problems, such as the recruitment of new patients and the retention of existing ones.
Creating an advertising tool with complete regulatory compliance in mind across all industries may be possible, but it would likely be ineffective and imprecise – two traits an advertisement platform should not possess.
The bottom line…
Learning to use Facebook is not a secret art, nor is it a dark one. There is a learning curve its students must walk – something true of all schools. The depth of this curve varies from user to user, but you should expect to make mistakes. The problem is that most physicians cannot afford to make mistakes online – the regulatory agencies presiding over us cast costly shadows.
We hope this piece sheds light on some of those shadows. Join the discussion below and let us know your thoughts. But we wager most physicians prefer to avoid triggering these hidden landmines whenever possible. The trick to doing so often lies just beneath their fingertips. A doctor’s smartphone, when used properly, can ward off the worst regulatory disasters. But in the hands of the uninformed physician, smartphones can become regulatory disasters themselves.
Our follow-up piece, available for download below, reveals how smartphones are getting physicians in trouble, and what steps we can take to prevent the technology from damaging our practices and violating our patients’ privacy. The major points addressed are…
The risks and benefits associated with advertising via patient photographs…
The prevalence of recording devices in environments physicians previously considered private…
The temptation presented by text message marketing, and what it is costing doctors who don’t play by the rules…
Don’t Miss Our Follow-Up Piece: 3 Unexpected (And Expensive) Smartphone Landmines Catching Doctors Off-Guard in 2019
ABOUT THE AUTHOR
With our pioneering combination of medico-legal expertise, resources, and medical reputation management services, Medical Justice delivers as seasoned advisors and formidable advocates. We’re the first call doctors make when they sense trouble. We stand vigilantly by our member physicians with guidance and grit, relentlessly clearing out frivolous lawsuits before they start, and being the go-to for guidance when situations are at their most bewildering.