Creating a Medical Practice Employee Social Media Policy

March 14, 2017
Michael Sacopulos, JD

Every business needs two social media policies: One for its official social media communications, and one for employees' personal social media communications.

At this point in the digital age, every business needs two social media policies: one that governs material posted in the organization’s official social media communications, and one that governs employees’ mentions of work-related matters in their personal social media communications. The unique nature of a medical practice makes such policies essential, as HIPAA regulations require that all providers have policies, procedures, and systems to protect patient privacy firmly in place.

In addition to helping your practice ensure patient privacy and meet the standard for HIPAA compliance, an employee social media policy helps you comply with federal employment law, stay in step with human resource standards, maintain a positive image, and avoid legal liabilities. But, crafting an effective, legally enforceable employee social media policy can be complicated.

The violation of patient privacy, including the exposure of HIPAA-protected health information (PHI), should top any practice’s list of concerns about employees’ online behavior. While such violations can be the result of malicious intent, it’s more likely that a well-meaning employee will reveal PHI accidently, and with nothing but the best intentions.

Consider these two hypothetical examples of employee personal Facebook posts:

Mrs. Hill brought us donuts when she came in for knee surgery follow-up today. How awesome is that!

Everyone at church asks about Bob Bowman’s cancer. Great news! Dr. Brewster said Bob is out of the woods.

Neither of these comments qualifies as malicious. Both seem quite positive. But both are inappropriate, and both violate HIPAA patient privacy regulations. The second is an example of a situation that can be especially tricky for staffers. Replying to concerned friends and family who ask about a patient’s health is tempting, particularly when one has knowledge of a positive outcome. But doing so, online or in person, is a serious breach of patient privacy.

Patients who are upset because an employee revealed personal medical information online would almost certainly consider changing physicians. In addition to loss of income due to unhappy patients, your practice could be fined for violations of the Federal Government’s HIPAA and HITECH regulations, with the possibility of additional state fines. You could also find yourself entangled in expensive lawsuits, should patients decide they’re entitled to compensation for your employee’s mistake. Make sure your staff understands the nature and extent of PHI, and why restrictions protecting it are detailed in your employee social media policy.

PHI isn’t the only thing that requires protection. A practice’s confidential business information needs to be protected as well. Vendor agreements, marketing plans, employee files, and a wealth of other day-to-day business details are kept under wraps for good reason, and have no business appearing on social media.

Here’s another hypothetical. A practice is one of many about to be acquired by a large, publicly traded healthcare company. An employee of the practice tweets:

I’ll get a raise after XYZ Healthcare International buys the practice. It’s like Christmas in August!

The unwitting tweeter just disclosed confidential information that could violate insider-trading laws, sink a deal in progress, and result in civil lawsuits. Unacceptable-and preventable.

Playing doctor is another well-intentioned employee social media move that can have far reaching consequences. Someone posts a photo of a skin growth online, then asks if anyone can tell them if it’s a cause for concern. A receptionist at a skin care center comments:

“I work for a dermatologist, and that looks like a normal mole. Nothing to worry about!”

Mistaking amateur opinion for legitimate medical advice, the photo-poster does not seek treatment. Eventually, a physician’s examination reveals the “normal mole” is skin cancer. Outraged, the sufferer takes legal action against the dermatology practice, claiming an unqualified employee misled her with a bogus diagnosis.

Of course, you can’t simply ban your staff from mentioning work matters on social media. It’s both impractical and illegal. Article 7 of the National Labor Relations Act (NLRA) protects the rights of workers to act in concert to address conditions at their workplace, unionized or not. Under Article 7, employee discussions of wages and employment conditions are protected speech in most circumstances, even on social media, where they may reach an audience well beyond fellow workers. Mere griping by an individual, however, does not meet the standard for protected speech.

Employees who discuss salaries and working hours online are engaging in protected speech, while a lone wolf who constantly belittles co-workers with malicious, derogatory remarks can and should be subjected to appropriate disciplinary measures. Such measures also apply to employees who use social media to intentionally post PHI, masquerade as someone else, proffer unqualified medical opinions, engage in racist or abusive language, or threaten others.

The National Labor Relations Board (NLRB) is the federal agency charged with enforcing the National Labor Relations Act. The NLRB has ruled that employers can formulate rules based on expectations that employees will “comport themselves with general notions of civility and decorum within the workplace.” In 2016, the Board applied that reasoning as precedent in a decision regarding employee behavior on social media.

In the same case, some of which centered on a Chipotle hourly employee’s tweets, the Board ruled that certain tweets were merely individual gripes, while others met the standard for protected speech. The board also ruled that sections of the fast food chain’s employee social media policy used language that was too broad or too vague. Additionally, the decision emphasized that, before an employee can be punished for making false or misleading statements online, the employer must establish malicious intent behind such statements. 

It sounds complicated because it is. Having a HR professional and an attorney involved in the creation of your practice’s social media policy is always a good idea. They can ensure that your patients’ rights, your employees’ rights, and your practice’s rights are properly defined, communicated and protected.