The Aesthetic Guide is part of the Informa Markets Division of Informa PLC


3 Digital legal threats (and how to navigate them)


As a plastic surgeon, you may think you’re following the rules when you carefully ask for permission when you post patient testimonials and photos. Consent forms are all you need, right?

Wrong. As an audience at The Aesthetic Meeting learned, the devil is in the details. For example, did you know that data lurking inside photo files could alert the entire Internet to your patient’s name and condition? And state laws may actually ban patient testimonials that tout your skill.

“Cosmetic practice has a lot less regulation than some other specialties,” says Michael Byrd, JD, a Dallas attorney who spoke at the annual meeting of the American Society for Aesthetic Plastic Surgery. “Nevertheless, things that make sense from a business perspective often have challenges from a regulatory perspective. It’s important that you navigate the rules out there.”

Here are some online areas where plastic surgeons should be especially cautious:



Patient Photos

Don’t assume your work is finished when you get consent from patients to use “before” and “after” photos. Byrd says patient identities have been exposed because practices didn’t “scrub” photo files of data about their names. Website companies then posted the photos on physician websites, and the information about the patients became searchable online.

“When the patient Googles their name, their ‘before’ and ‘after’ pictures show up on Google Images,” Byrd says. “I can assure you this is a really expensive mistake. We’ve had a few of them that have been not-insignificant settlements, and there’s also a regulatory risk with HIPAA involving the government.”

What can you do? “Make sure your consents are proper, and I really encourage you to scrub the patient information internally before you send it outside to one of your vendors,” Byrd says. And your contract with the vendor should make it clear that they’re a business associate who handles sensitive information, he says, “so there’s risk to the vendor if there’s a breach.”
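One way to do the internal scrub Byrd describes, as an added example that is not from the article or from any vendor: a Python routine that walks a JPEG's segments and drops those that carry embedded metadata (EXIF/XMP in APP1, IPTC in APP13, free-text comments) while leaving the image data untouched. The sample bytes, the helper names and the patient name "Jane Doe" are constructed for illustration.

```python
STANDALONE = {0x01, *range(0xD0, 0xDA)}  # TEM, RST0-7, SOI, EOI: markers with no length field

def keep(marker, payload):
    """Return True if a segment is needed to decode the image."""
    if marker == 0xFE:                       # COM: free-text comment
        return False
    if 0xE0 <= marker <= 0xEF:               # APPn: drop APP1 (EXIF/XMP), APP13 (IPTC), others
        return (marker == 0xE0               # keep APP0 JFIF header
                or (marker == 0xE2 and payload.startswith(b"ICC_PROFILE\x00"))
                or (marker == 0xEE and payload.startswith(b"Adobe")))
    return True                              # quantization/Huffman tables, frame headers

def scrub_jpeg(data):
    """Return (clean_bytes, removed); removed lists (marker, length) of dropped segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out, removed, pos = bytearray(data[:2]), [], 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
        elif marker in STANDALONE:
            out += data[pos:pos + 2]
            pos += 2
        elif marker == 0xDA:                 # SOS: compressed image data follows
            out += data[pos:]                # copied unchanged to end of file
            break
        else:
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            if length < 2 or pos + 2 + length > len(data):
                raise ValueError(f"truncated segment at offset {pos}")
            if keep(marker, data[pos + 4:pos + 2 + length]):
                out += data[pos:pos + 2 + length]
            else:
                removed.append((f"0xFF{marker:02X}", length))
            pos += 2 + length
    return bytes(out), removed

def seg(marker, payload):                    # builds one segment of the constructed sample
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample (segment layout only, not a viewable image); "Jane Doe" is made up.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(0xE1, b"Exif\x00\x00ImageDescription=Jane Doe")
          + seg(0xED, b"Photoshop 3.0\x00Byline=Jane Doe") + seg(0xFE, b"patient: Jane Doe")
          + seg(0xDB, bytes(65)) + seg(0xDA, bytes(6)) + b"\x12\x34\xff\xd9")
```

The routine does not rename files, so a photo saved under the patient's name still needs a neutral file name before it goes to a vendor. Anything appended after the image data is copied through unchanged and should be checked separately.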

On another front, it’s wise to be careful about agreements regarding who gets to use patient photos. Does the practice control them or the individual doctor? In some cases, Byrd says, a physician may lose the right to use the photos upon leaving a practice. “If the physician wants to use them,” he says, “they have to start all over again and get the consents.”

What should you do? “Update your consents,” Byrd advises. “Make sure they’re proper in scope and cover your objectives.” 

Testimonials



One of Byrd’s clients is a plastic surgeon in Texas who posted a patient testimonial on social media under the hashtag “#testimonialtuesday.”

That may sound like a creative marketing gimmick, he says, but the law has other ideas. As Byrd notes, Texas has a “really restrictive law on patient testimonials.”

Indeed, the Texas Medical Association says “testimonials regarding a physician’s skill or the quality of the physician’s professional services may be misleading or deceptive and therefore unethical.” It advises practices to “be very, very careful when considering the use of a testimonial in an ad.”

What to do? If you want to use testimonials, check your state’s rules.

Texting



“If you’re not engaging your patients through texting, someone else is,” says Alex R. Thiersch, JD, an attorney in Chicago. “That’s how people are communicating. And texting, depending on state law, isn’t in and of itself illegal.”

So what’s the issue? “The problem is that texts are not generally encrypted,” he says. “If there’s a breach, you’ve lost a major defense.”

What to do? Explore services that offer encryption, he suggests. “It’s time for us to start looking at this.”
