Skip to main content
HIPAA Privacy & Security Compliance

Should Healthcare Providers 'Google' Their Patients?

The digital age in which we all live in and work in brings us unique opportunities from both a personal and professional standpoint. With most of us having easy access to the Internet while at home and on the go, which offers us free utilization of email, social media, and, to some extent, mobile apps, our ability to obtain and disseminate information has essentially become limitless. However, our access to and reliance on technology in 2017 also presents us with ethical dilemmas not previously encountered by past generations of healthcare providers. For instance, the potential to conduct Internet searching, or “Googling,” of patients in an attempt to learn about their backgrounds before they walk into a healthcare facility brings with it questions about how healthcare professionals should be using the Internet (aka “e-professionalism”1). The concept of e-professionalism encompasses issues that potentially originate in private settings but are rendered public via online, digital environments.2 There is little e-professionalism guidance currently available, however, and hardly any advice when it comes to the practice of searching patients through Google and other search engines. This article will offer practical tips that all healthcare providers should consider when deciding whether or not to conduct research on their patients.

Questions to Consider Before Using Google

First, let’s discuss why providers may decide that they want to research particular patients. Consider the following questions that could arise:

  • If you think a patient is potentially dangerous, would you want to “Google” him/her to search for any evidence of criminal history?
  • If you believe a patient could be suicidal, would you want to search social media (eg, Facebook, Twitter) to follow up on that hunch by attempting to see into his/her “personal space”?
  • If you find that your patient discusses an erratic health history, would you search for him/her online to see if you might find hints about his/her background?
  • If it were imperative for your patient’s health that he/she forgo alcohol in order to heal, would you search social media for confirmation of alcohol use?
  • If you learned that you have a well-known patient, or someone who was injured in an extremely unusual way, would you want to search the patient out of curiosity?

If you are unsure about the integrity of your responses to these questions, you are not alone. Ethical guidance from the healthcare professions on what has been termed “patient-targeted Googling”3  (PTG) has been largely nonexistent. Guidance is also not provided through HIPAA regulations; information gleaned from PTG is not considered protected health information (PHI). PHI is any information about an individual’s health status, provision of healthcare, or payment for healthcare that can be linked to a specific individual. Researching a patient online, then, is not a breach of PHI. HIPAA was enacted to legally protect patient privacy by limiting use and disclosure of PHI, thus legislating providers to keep confidentiality. However, public online searches are not prohibited by HIPAA regulations. So, PTG is not a legal concern, but it is an ethical issue with regard to how providers care for their patients.

Patient Privacy Vs. Patient Research

Searching for patients online is apparently quite common. In one study of psychiatrists, more than 93% had “Googled” patients for reasons such as “patient care” as well as “curiosity.”4 While healthcare providers typically abide by the notion of respect and the confidential nature of the provider-patient relationship, the Internet can provide us with new information about patients through a public domain on a near-constant basis. But are providers invading patients’ privacy when they search for them? That’s tough to answer. Privacy contains the following elements:

  • the right of individuals to be left alone and to be protected against physical or psychological invasion, or the misuse of their property, and
  • freedom from intrusion or observation into one’s private affairs, the right to maintain control over certain personal information, and the freedom to act without outside interference.5

That said, the answer can be “yes and no.” There is a “psychological invasion” factor involved to the searching, and there is some intrusion into the patient’s private affairs. Most patients would likely find it unsettling to know their healthcare provider had been conducting an Internet search on them in the general sense. However, the nature of the Internet itself makes this information easily accessible to the public. When, then, could a provider search for patient information that might seem justifiable to the average patient? Or should this type of searching be considered a standard practice? One report provides some acceptable reasons:6

  • When providers are duty-bound to warn patients about possible harm or if there is a concern about suicide.
  • When there is suspected physical abuse or substance abuse.
  • When patients are evasive in their responses to logical clinical questions.
  • When patients make improbable claims in their personal or family history or there are discrepancies between the patient’s verbal history and available clinical documentation.
  • When patients provide inconsistent statements or their statements contradict those of family members.
  • When there is evidence of “doctor shopping,” with patients visiting multiple physicians until they acquire a particular outcome, or when other health professionals report discrediting information about a patient’s story
  • When patients display an unjustified level of urgency in response to what is shown in clinical documentation.3

It certainly makes sense that if safety issues are at hand that one would wish to use any means available to thwart potential harm. But what about when the reason for the search is more murky — does the end justify the means?  If there are inconsistences in a patient’s story, does that justify a provider conducting a search? If a patient is suspected to be lying or malingering, does that give the provider the right to search for the “truth”? Information privacy refers to an individual’s ability to determine when, how, and to what extent personal information is communicated to others. Information privacy concerns refer to an individual’s subjective views of fairness within the context of information privacy.6 According to information systems researchers, individuals see the gathering of their personal data as fair only when:6

  • the individual is granted control over the information and
  • he/she has been informed about the intended use of the data.

So, while it is perfectly legal to look at a patient’s online life, there is a cost to the provider-patient relationship if the patient has not granted permission for the provider to do so and he/she has not been informed about how the provider will use the data. Trust in the patient-provider relationship can influence adherence to treatment, satisfaction with treatment, and continuity of care.7 Given that trust in the patient-provider relationship can impact therapeutic outcomes, can providers justify Internet searches into their patient’s livelihood? Considerations that may impact patient treatment may include informed consent, validity of Internet information, professional boundaries, impact on the patient-provider relationship, and influence of searching on treatment decisions and patient records. Consider these following domains to the overall conversation/debate related to the ethical reasoning:

Informed Consent. If Internet searches are being used to provide informed treatment, are providers compelled to ask for consent from the patient? Should providers share the information that’s found with the patient? Is it ok to use Google without letting a patient know about it?

Validity of Internet Information. If the provider is searching to aid the treatment of patients, he/she could be making treatment decisions based on erroneous information. Can providers always be certain that they’ve found the correct person? If the patient’s name is John Smith, it may be difficult to discern whether it is the exact John Smith that Google finds. How does a provider determine the credibility of information? With the multitude of misinformation available on the Internet, confirming the validity of the information is challenging.

Professional Boundaries and Respect. Would the average provider ask for permission to enter a patient’s home, or the home of a family member or friend, to learn background information?

Impact on Patient-Provider Relationship. What happens if a provider comes upon a website whereby a patient has given the provider a negative review? What if an online search results in finding that a patient is morally repugnant in the opinion of the provider — could that change treatment?

Influence on Treatment Decisions and Patient Records. If the provider wants to use information found online for treatment decisions, how would he/she document this in the case record?

Additionally, providers should consider these guiding questions when evaluating the possibility of online searches:3

  • Why do I want to conduct this search?
  • Would my search advance or compromise treatment?
  • Should I obtain informed consent from the patient prior to searching?
  • Should I share the results with the patient?
  • Should I document the findings in the medical record?
  • How do I monitor my own motivations and evaluate the risk/benefit profile of searching for patient information?

One author notes that the only legitimate time to conduct PTG is if there is a safety issue at hand.8 Searching out of curiosity, especially without patient consent, should be discouraged or banned within one’s practice. One’s business model may also want to offer a clearly communicated policy while giving the workforce definitive direction on this commonly encountered e-professionalism issue. 

Lorna L. Hecker is executive vice president and director of education and training at Carosh Compliance Solutions. She also runs the company’s professional practice in behavioral health and holds CHPS certification (certified in healthcare privacy and security) through the American Health Information Management Association. A frequent speaker on HIPAA topics unique to behavioral health practices, she is professor emerita of behavioral sciences at Purdue University Northwest, where she is on the faculty of the marriage and family therapy master’s program. She is the director for the Purdue University Northwest Couple and Family Therapy Center and teaches graduate courses in professional and ethical issues, couples therapy, trauma, theories of family therapy, and play-in family therapy. The author and/or editor of multiple mental health-related books, her most recent publication is HIPAA Demystified: HIPAA Compliance for Mental Health Professionals (Loger Press).

Roger Shindell is chief executive officer of Carosh Compliance Solutions, Crown Point, IN, which specializes in HIPAA compliance consulting for small to midsize practices and their business associates. He is also chairman of the HIMSS Risk Assessment Work Group and a member of the AHIMA’s privacy and security council. Shindell has more than 30 years of multidisciplinary experience in healthcare and has served as an advisor and principal in healthcare, technology, and service companies. He may be reached at


1. Spector ND, Matz PS, Levine LJ, Gargiulo KA, McDonald MB, McGregor RS. e-Professionalism: challenges in the age of information. J Pediatr. 2010;156(3):345-6.

2. Cain J, Romanelli F. e-Professionalism: a new paradigm for a digital age. Curr Pharm Teach Learn. 2009:1(2):66-70.

3. Clinton BK, Silverman BC, Brendel DH. Patient-targeted googling: the ethics of searching online for patient information. Harv Rev Psychiatry. 2010;18(2):103-12.

4. Most Psychiatric Professionals Google Their Patients, Survey Finds. Psych Congress Network. Accessed online:

5. Standard Guide for Confidentiality, Privacy, Access, and Data Security Principles for Health Information Including Electronic Health Records (Withdrawn 2017). ASTM International. 2014. Accessed online:

6. Malhotra NK, Kim SS, Agarwal J. Internet users’ information privacy concerns (IUIPC): the construct, the scale, and a causal model. Inf Sys Res. 2004;15(4):336-55.

7. Thom D. Physician behaviors that predict patient trust. J Fam Pract. 2001;50(4):323-8.

8. Warraich HJ. When Doctors ‘Google’ Their Patients. New York Times. 2014. Accessed online:

HIPAA Privacy & Security Compliance
Lorna L. Hecker, PhD, LMFT, CHPS, & Roger Shindell, MS, CHPS, CISA
Back to Top