Stifle Staff Web Abuse

November 15, 2004
Joan Szabo

Most medical practices, like other businesses, recognize the value of Internet access in the office but have concerns about productivity, confidentiality, and potential legal problems.


Are you worried about staff spending too much time with personal tasks on office computers? Most medical practices, like other businesses, recognize the value of Internet access in the office but have concerns about productivity, confidentiality, and potential legal problems.

"Medical groups often have some trepidation about bringing their practice online on an always-on and constantly-connected mode because there is concern the practice may have people using the Internet connection inappropriately," says Rosemarie Nelson, an independent practice management consultant in Syracuse, N.Y.  Nevertheless, the Internet continues to gain greater use in medical offices. The prevalence of office Internet access, and the amount of time physicians and staff spend online at work, isn't clear. But about three quarters of physicians surf the Web, according to an American Medical Association (AMA) survey in 2001. Of the physicians who use the Internet, about 30 percent have Web sites for their practices.

It's clear the Web offers many benefits to practices, including quick checks of payer policies, access to patient education information, and other free-and-easy resources. You can communicate with patients via a Web site and even through e-mail, perhaps cutting down the time your staff spends on the phone. Practice management experts say it's unwise to let your fears about misuse prevent you from taking advantage of these benefits. On the other hand, those concerns are legitimate. Perhaps it's time to put policies in place to address what staff members can and can't do on office computers. 

Staff computer usage is similar to the use of office telephones, says David Kirby, principal in the firm of Kirby Information Management Consulting in Raleigh, N.C. Kirby has spent 28 years devising information technology solutions for the healthcare field. If you normally allow your employees to use the phone to make a few personal phone calls like checking with family members or making dinner reservations, they should be able to do the same kinds of tasks on the office computer, say experts.

"This type of policy actually makes for happier and healthier employees as long as they don't take a lot of time on the Internet and don't jeopardize the system," says Jay Nawrocki, health law analyst with CCH, Inc., a Riverwoods, Ill.-based business law information provider. 

Alys Novak and Courtney Price, authors of the Medical Group Management Association's (MGMA) "Group Practice Personnel Policies Update," agree: "If you are hiring, training, and managing right, the number of misuses should remain small," they say.  That's been the experience of John Sattenspiel, a family physician in Salem, Ore. He says he is able to oversee staff use of the Internet without being too restrictive. His practice has two other doctors, two physician assistants, and 25 staff members. "All the staff members have work stations, but they are out in the open so if someone is surfing the Internet everyone knows," he says.

Overuse or abuse of the Internet is not a big problem, he contends. "We know that staff do have a tendency to check e-mail and do some shopping, but it is done in moderation," he explains. He tells staff not to load games or their own software onto office computers because such activity could jeopardize the system and affect productivity. Such verbal communication is adequate, Sattenspiel says, so the practice doesn't need a written policy on computer usage. "I think training is more important than rigid protocols."

Put it in writing

That might work fine in Sattenspiel's office, but experts say a written policy outlining proper computer etiquette is a good idea.
"A section on personal computer usage should be added to your office manual," says Nelson.

Putting the guidelines on paper helps protect the practice. If someone breaks the rules, you're on firmer ground for taking action. Indeed, your policy should be explicit in stating that violations may be grounds for disciplinary action, up to and including termination, according to Novak and Price.

When developing an Internet policy, first decide how much you want to limit employees' e-mail and Internet access. Your first instinct might be to demand that office computers be used for business purposes only. You can do that, but don't decide rashly. "Sometimes it's possible to be too restrictive and employees will think you don't trust them," says Nawrocki. This is especially true for small medical practices. Sattenspiel says, "In a small family medicine office such as ours, you have to count on your employees to work well for you." He feels a restrictive computer policy would demoralize his staff.

But if you decide employees can only use the Internet for business purposes, or if you plan to use special software to monitor computer activities, you should say so in writing. On the other hand, if employees are allowed to make personal use of office computers, then it is important to stipulate what they should and shouldn't do on them. Whatever your policy, you must be ready to enforce the rules as written.

Here are some guidelines to help you draft your policy:

Make sure staff understand the proprietary nature of your equipment. Employees should know that the practice's computers, telephones, software, and communications systems are the property of the practice and are intended to be used primarily (or only) for legitimate business purposes.

  • Be specific about what they can't do. For example, you should say that the display of any kind of sexually explicit image or document is prohibited. Go further by stating that sexually explicit material may not be archived, stored, distributed, edited, or recorded using company network or computing resources. And point out that employees who send denigrating ethnic/racial messages create a hostile environment, and such use won't be tolerated.

  • Explain when and what staff can do of a personal nature on the computer. For example, you might say that during meal times, break times, and when the office is closed, employees may use the Internet for nonbusiness research or browsing, as long as all other computer usage policies are followed.

  • Restrict personal solicitations on office computers. Solicitations during office hours for social, religious, and personal matters unrelated to the group's business could cause the e-mail system to get bogged down and thus interfere with the work of the practice, says Nawrocki. For example, if employees try to forward or download large personal files, they could crash the practice's computer network.

  • Be sure employees read and sign the policy. Every employee that has Internet access at work should be provided with a written copy of the policy. Then have staff sign a statement saying they have received and read the policy, they understand the terms, and agree to abide by them.

Keep an eye out

You may consider installing software to monitor and record all Internet usage. While such a step may seem extreme, it helps reduce Internet overuse or inappropriate use, and may be appropriate for larger practices in particular. Software can record every Web site each user visits, each chat, newsgroup, or e-mail message he reads or writes, and each file transfer into and out of the internal networks.

Written policies and technological safeguards also help a medical practice avoid legal tussles. For example, an employee who uses the workplace to look at inappropriate sexual material on a computer could cause others in the office to feel harassed, ultimately resulting in a legal complaint. 

Unfortunately, such voyeurism is not uncommon in the office. One-quarter of Americans polled recently by the Employment Law Alliance (ELA) said they or their coworkers use workplace computers to engage in sexually explicit online activity. It also found that this activity continues despite productivity losses. When asked if employees who use company computers for such purposes have a negative impact on productivity, 43 percent said yes. 

You should also take steps to strip your computer system of offline temptations. Most computers come loaded with games or drawing programs that can result in less time spent on work.

Moreover, it's a good idea to prohibit staff from downloading anything from the Internet, which could result in a computer virus, or to install their own software, which could clog your network.

Groundwork for security

The development of a good computer policy is also a good opportunity to begin preparing for compliance with the next phase of HIPAA.

The security regulations are scheduled to take effect April 21, 2005. That's why you should include policies for securing office workstations while you're developing your personal-usage guidelines.

Under the HIPAA security rules, practices will need to have written policies in place and make sure that all employees are familiar with them, says Kirby. Password management also is an important issue. Staff passwords should be secure, "robust" - meaning they don't consist of real words - and should be changed frequently, Kirby says. He recommends asking staff to select a few words of a favorite song and then have them take the first letter from each word to form a password.

Physicians or practice administrators should tell staff members not to leave password reminders under mouse pads or on computer screens where they can be found and used by individuals wishing to access private medical information.

HIPAA requires that each staff member have and use his or her own unique account for accessing patient data. In addition, staff should be sure the passwords they use in the office are different from the ones used at home on their own computers. Using the same password at work and at home can make it far easier for a hacker to break that password and enter the practice's system, says Kirby.

There are many positive uses for the Internet for physicians, and many more are sure to emerge. Says Kirby: "These improvements will have to be supported by thoughtful security and privacy practices. Having an Internet policy for your office is a great way to start providing this support."  

Joan Szabo can be reached at editor@physicianspractice.com.