Social media and the physician practice workplace Insight Article HIPAA HR Legal Sign in to save Elizabeth Cameron MBA, JD Tom Ealey CPA The social media revolution affects workplace relationships and creates privacy nightmares that disrupt the balance of rights of employers and employees under labor and employment law.1 Social media creates risks for the practice — reputational risk, employment law risk, morale risk and regulatory risk, all of which can result in financial consequences. There are no easy solutions, and law and management practices are constantly evolving. Diligence and anticipation are your greatest assets. HIPAA Healthcare employers have special risk issues related to the HIPAA Privacy Rule. Misuse of social media or use of smartphone cameras in the practice can result in HIPAA violations. There are regular media reports of injudicious use of cameras in healthcare facilities by staff. Training must be thorough and discipline must be swift when employees violate policies. Physicians are not exempt from the rules, which can create difficult situations for practice administrators. Photos for legitimate clinical purposes, marketing photos, surveillance camera footage and imaging present other potential HIPAA issues. Proper training is essential, both for new hires and for annual retraining. Social media training can be incorporated into the new-hire HIPAA training and annual HIPAA retraining programs. Common social media HIPAA violations: Images and/or video of patients posted without their consent Images and/or video of a practice with patients or Protected Health Information (PHI) in the frame Any personally identifying information about patients Cameras are not the only danger of smartphones. The ease of texting and sending email from any location at any time puts practice information in jeopardy, and the ability to post to Facebook, Instagram, Twitter and other sites from a phone makes it easier for what used to be called water cooler gossip to reach anyone in the world in a second or two. This has implications for both HIPAA and for employee relations. Protected health information (PHI) or proprietary information does not belong on Facebook, Instagram, Pinterest or any other site. Operational policies and employment policies should be consistent and not contradictory. At a minimum both sets of policies should be reviewed annually, with recent experiences factored into the evaluation and changing case law. Employer-employee relations Social media provides a means for employees to engage in concerted activity that is protected under the National Labor Relations Act (NLRA), affecting union and nonunion workplaces. Disgruntled employees have instant access to the public with the potential to cause catastrophic harm to a practice’s reputation. The doctrine of employment at will provides employers with substantial discretion to terminate employees, even without cause, yet an employer’s power to terminate an employee for social media activity is limited by certain “protected activity,” as defined by Section 7 of the NLRA. Understanding what constitutes a protected activity and when an employer can sanction or terminate an employee for social media activity is crucial to mitigating employment law risks in your organization. Criticizing a practice Complaining about the boss and the company has been going on since the dawn of work; however, complaining to a nearly infinite internet audience is something new and tricky. Several important court cases have focused on employees criticizing their employer. In the American Medical Response case, an employee ripped a supervisor on Facebook, and the employer terminated the employee.2 The National Labor Relations Board (NLRB) found in favor of the employee — by sharing the Facebook post with other workers, the communication was concerted action. The NLRB eventually elaborated: What’s the line? When do Facebook comments lose protected concerted activity status under the [NLRA]? A four-point test applies: (1) the place of the discussion; (2) the subject matter of the discussion; (3) the nature of the employee’s outburst; and (4) whether the outburst was, in any way, provoked by an employer’s unfair labor practice. Employee versus employee Bullying and gossiping used to require person-to-person contact, but now such negative behavior has gone digital and can continue after work and on weekends. What might have been done person-to-person or over the phone can now be displayed for the entire world to see. Such misconduct should be prohibited in any format and specifically prohibited in cyber formats. Policing this conduct has always been difficult, and policing bullying and gossip online is even more difficult. Discovery of these issues varies. Some problems are reported by employees or discovered by management, while others are noticed by clients. (Whether supervisors and managers should “friend” the people they supervise is a thorny question. In our opinions, physicians and senior management should not be connected online to employees, as a matter of sound management practice.) However they are reported, these issues should be dealt with promptly, fairly and in accordance with written policies. Learn more Learn more about the protected activities of employees as outlined in the NLRA on the National Labor Relations Board website. Monitoring social media Two questions often come up for healthcare employers: Should job applicants’ social media accounts be screened, and should employee social media be monitored on an ongoing basis? Some employers monitor perspective employee social media accounts to analyze risk factors before hiring, other employers monitor social media activity of current employees during the workday to regulate productivity, while other employers monitor the social media accounts of current employees outside of work hours to protect confidentiality and trade secrets. The decision to monitor social media and the extent the monitoring should be carefully considered for risks and benefits before such a policy is implemented. Caution must be used to ensure that social media monitoring does not reveal information that could potentially violate protected aspects (race, religion, sex, disability, etc.) of employment practices under Title VII of the Civil Rights Act. Training must be conducted for all employees who are responsible for hiring, supervising and/or monitoring the use of social media accounts of employees.3 Medical practices should have written social media polices regarding both social media activity by employees and employer monitoring. The policy should clearly state an employee’s expectation of privacy (or lack of) while engaging in social media at work with medical practice computers, networks and equipment and the extent to which the employer monitors such activities. This policy should be reviewed and updated regularly. Many complaints for inappropriate posts are being reported to management by coworkers and patients who were offended by posts or tweets online. In many cases these stakeholders are helping medical practices monitor behavior without active surveillance by the employer, which could create legal and morale issues. Potential employer risks of reputational harm or disclosure of confidential information must be balanced against an employee’s expectation of privacy. When in doubt consult legal counsel. Cyberslacking Another workplace concern created by social media is the problem of “cyberslacking.” Cyberslacking occurs when an employee engages in non-work-related social media activities at work. This phenomenon is widely viewed as an epidemic decreasing workplace productivity and may create problems with employee morale as someone else picks up the slack. Cyberslacking on a computer workstation may increase the chances of acquiring a virus or opening hacking pathways. It can also create liability if the employee is violating HIPAA or disparaging a client. This is more than a productivity problem. The NLRA cases involving cyberslacking have been decided against the employee. Cyberslacking is one of several elements that resulted in the NLRB not finding concerted activity. Employees are expected to further the employer’s business and engage in work-related activities while on the clock. A 2011 NLRB case illustrates this issue. At Children’s National Medical Center, in Washington, D.C., a respiratory therapist used her smartphone to post unfavorable comments about a co-worker to Facebook while she was in the back of the ambulance en route to an emergency call. Although her comments related to being treated disrespectfully by a coworker, the NLRB held that her action was not protected concerted activity because she was not actively engaging in collective concerns, but rather addressing a personal concern. This is an example of cyberslacking because she was supposed to be focused on the emergency. Your practice’s social media presence Most practices have some sort of presence on social media, which can be crucial to branding and marketing efforts. It is imperative that all content and postings be carefully designed, controlled and monitored. Facebook is not the place for political comments, personal comments, attempted humor or sloppy writing. The passwords for such sites should be safeguarded and changed regularly, especially when key personnel leave the practice. No one should be allowed to override these controls. Caution should be used when linking personal social media, including physician pages, with the practice’s online presence. Management actions Developing and publishing social media policies and procedures are of paramount importance. Especially critical or sensitive policies should be reviewed by legal counsel. Policies developed to counter current problems should be developed carefully and applied consistently. Notes: For a deeper technical view of these issues see Magaldi, Sales, & Cameron; “How the NLRB’s Decisions in Cases Involving Social Media are Narrowing the Definition of Concerted Activity … Whether Employees ‘Like’ it or not!” University of Toledo Law Review, Vol. 49, Winter 2018. Brotherhood of Teamsters, Local 443 (IBT), American Medical Response of Connecticut, Inc., Case No. 34-CA-12576 (October 27, 2010). Cameron E, Swink D, Blades K & Molesky M. “Social media privacy: What’s in a password: Rights and Protection.” Academy of Legal Studies in Business Proceedings, August 2013.