Healthcare employers should create detailed policies for employees’ social media use. Social media poses significant risks for HIPAA breaches and other problems.

  • Social media use can be prohibited during work hours.
  • Policies must be crafted so they do not violate the National Labor Relations Act.
  • Privacy breaches on social media often are inadvertent.

Healthcare employees’ use of social media brings the risks of violating HIPAA, disseminating incorrect information, and damaging the reputation of the hospital or health system. However, social media is so pervasive in most people’s lives that it is difficult to ban its use outright, even during work hours.

That means healthcare organizations must carefully create social media policies that acknowledge its use by employees but set limits on what can be posted.

Employers can restrict the use of social media in the workplace as long as they do not run afoul of the National Labor Relations Act (NLRA), says Matthew T. Scully, JD, partner with Burr & Forman in Birmingham, AL. The law establishes the parameters of what employers can restrict employees from doing and saying in the workplace and is used, for instance, to protect employees who wish to unionize.

“Generally speaking, it protects employees when engaged in any protected concerted activity. That is two or more people, or one person acting for the benefit of other people, to improve working conditions,” Scully says. “That can involve social media when it is people going online to complain about their boss, or to say they need better pay, or their working conditions are not good. When that has a collective aspect to it, that can become protected.”

Scully also points out the National Labor Relations Board (NLRB) prohibits overbroad work rules, such as a rule barring employees from publicly complaining about the employer.

“Without that, it would be easy to tell all your employees to never go on social media and never talk about our company. That would be a solution to everyone’s problem with social media, but you can’t do that because of the obligations of the NLRA,” he explains. “What you can do is protect your company information and patient information from becoming public.”

Easy to Reveal Protected Health Information

HIPAA breaches are easy to make by mistake on social media, Scully notes. There need not be any intention to reveal private information. Any information that indicates a person even visited a particular facility could constitute a breach. Employees should never post on Facebook something like, “Saw you at the office today. Hope you had a good visit.”

Posting photos also can be problematic. If a nurse posts a photo with a friend, stating “Great to see my best friend at my clinic today,” that is a potential breach.

“It’s very broad and it arises in instances where people may not think they did anything wrong,” Scully says. “You need to have good policies on the front end that set out what they can and can’t do online, what sort of information you expect to be protected, and the consequences for not protecting that information. Of course, you can fire people for not following your policies.”

Policies Should Be Specific

Social media policies should be specific, Scully says. Detailed explanations of what information cannot be revealed will help avoid overly broad declarations that might run afoul of the NLRA. For instance, a policy that states “You cannot reveal confidential information about our organization” could be construed as going too far under the NLRA. It might be considered too broad because, for example, confidential information might include wage and salary information, which the NLRB says is protected concerted activity.

“It’s hard to craft a good policy that toes the line, but what you can do is say you cannot reveal PHI [protected health information]. That should give healthcare providers comfort that you can go that far without any worries,” he says. “After that, it can get a little bit more gray and vague.”

The NLRB does allow employers to prohibit employees from checking social media during work hours and when they are in work areas, Scully says. The best way to do that is to prohibit employees from using their cellphones in work areas.

However, employers cannot prohibit employees from checking social media during their break times, Scully notes. The NLRB reasons that employees may want to engage in protected concerted activity during their breaks and the employer has no right to stop them. The employer does not have to point out that employees can use social media on break time.

Employees Must Understand

Any social media policies must be communicated effectively to employees. “It is easy to put them in a 40-page handbook and think you’ve done your job, but there’s another step to that. For something like social media that is so commonplace, it is important to tell them and do training on what your social media policies say, what they can and can’t do,” Scully explains. “It doesn’t help you when there is a breach and you say ‘The policy is on page 32 of our handbook’ because they may have never even read that. It’s a pitfall not to address this with employees in a meaningful way.”

Another potential problem involves giving medical advice online, Scully notes. Employees and physicians should be cautioned to never provide medical advice on social media while identifying as associated with your organization.

Also, be wary of public posts in which a patient or family member criticizes the care received, a clinician, or the overall organization. Responding in any way could reveal PHI.

“Employees should understand that they should never respond on behalf of the entity, even if they are trying to defend and support their employer,” Scully says. “They are not authorized to speak on behalf of the entity.”

Valuable Tool Brings Risks

Social media use by medical providers can be a valuable tool, says Elizabeth L.B. Greene, JD, partner with Mirick O’Connell in Worcester, MA. Social media can help providers engage with and educate their patients and the public at large, debate healthcare policy, educate themselves, network, obtain input from other clinicians on challenging practice issues, emotionally support one another, enhance their employer’s visibility, and more.

Still, as with many beneficial things, there also are significant risks and potential harms from social media use by healthcare providers. The most obvious risk is the improper disclosure of PHI, which includes any words or pictures that could identify a patient.

Social media use by healthcare providers can place them and their employer at risk of violating state and federal laws and regulations, as well as institutional policies, and can damage the reputation and goodwill of the healthcare provider, their employer, and others, Greene says.

Many employer organizations and medical societies use social media policies for healthcare providers, which include efforts to address online professionalism and protect patient privacy.

“Healthcare organizations depend on a work environment that is respectful, tolerant, and productive. Some employers are more stringent about their social media policies, prohibiting social media usage during work hours, while others take the approach that social media may be used at designated times, such as lunch breaks,” she says. “Employers have the right to place restrictions on their employees’ use of social media, while being mindful of the National Labor Relations Act protections of employees’ rights, and current NLRB rulings and guidance on employers’ social media policies.”

Employers should consult with legal counsel to develop clear, easily understandable social media use policies, Greene says. The policies should ensure the appropriate use of social media during and outside work hours, identify what social media use is impermissible, describe the tools to assist employees if they have concerns, and state the consequences for violating the policy.

Employers’ social media use policies should include reminders that social media use encompasses all means of communicating or posting information or content of any sort on the internet, Greene says. This includes responding to someone else’s post, and posting in a chat room/application or in a “private” group, regardless of whether the group is affiliated with the employer, as well as any other form of electronic communication.

What to Include

Greene says social media policies also should include these points:

  • Employees’ use of social media must not interfere with productivity and/or ability to perform their duties and responsibilities of employment.
  • Employees should only share medical information from credible sources.
  • Employees should not interact with their patients on social media nor disclose any patient information.
  • Employees must not reveal any confidential, privileged information about patients, must not violate HIPAA or impermissibly use or disclose PHI, and must protect against the inadvertent disclosure of confidential information.
  • Employees must not send, receive, access, create, print, distribute, or otherwise transmit any form of offensive, discriminatory, obscene, harassing, or maliciously false communication, at any time, to any person.
  • Employees may not anonymously post or transmit any content to circumvent the requirements of an employer’s social media use policy.

Employers’ social media use policies also should include the consequences for violating the policy.

“Employers should consider encouraging employees who used social media in contravention of the policy to step forward and admit the error as soon as it occurs, by reporting it to human resources or any other member of management,” Greene says. “Although errors cannot always be erased, prompt notification can make a significant difference in the employer’s ability to correct or remedy the issue.”

Ask When in Doubt

Social media policies should state that violations of the policy, including failing to report violations by others, will be subject to appropriate discipline, up to and including termination of employment. Employers should encourage employees who are unsure whether a particular posting or contribution to online social media violates the social media policy to ask human resources or a member of management.

“It is also wise to include a reminder that as a general rule, if an employee is hesitating to post something, it probably should not be posted, but that questions and concerns are nevertheless welcomed and encouraged,” Greene says.

It is a best practice for healthcare systems to train their employees on the HIPAA Social Media Rules and the HIPAA Privacy Rule, which prohibit the use of PHI on social networks, Greene says. Reminders about social media restrictions should be set forth in company policies, may be referenced in employee handbooks, and should be restated on signage in public spaces, like lunchrooms and elevators, where HIPAA warnings often appear.

In addition to social media policies, some employers use codes of conduct that contain guidance for employees applicable to social media use, Greene notes.

Greene is familiar with one medical group’s code of conduct that includes a tried-and-true set of questions to ask when faced with a potential ethical issue, which might include what or whether to post something on social media.

The questions include, “Am I certain my actions are legal? How will my actions appear with the benefit of hindsight? Could this harm the reputation of the company? How will the situation be described in a newspaper headline?”

A leading hospital’s code of ethics, which applies to employees’ social media posts, includes, “Make every effort to ensure that your posts and comments are accurate and factual. Link directly to online references and original source materials,” Greene says.

“Healthcare providers who post publicly and ‘privately’ on social media would benefit themselves and their medical systems to consider the potential risks and liabilities before posting. Ultimately, employees are solely responsible for what they post online,” she says. “Before creating online content, employees should consider some of the risks and rewards that are involved, and keep in mind conduct that adversely affects their job performance or otherwise adversely affects patients, colleagues, people who work on behalf of the organization, or the company’s legitimate business interests may result in disciplinary action up to and including termination.”


  • Elizabeth L.B. Greene, JD, Partner, Mirick O’Connell, Worcester, MA. Phone: (508) 860-1514. Email: egreene@mirickoconnell.com.
  • Matthew T. Scully, JD, Partner, Burr & Forman, Birmingham, AL. Phone: (205) 458-5321. Email: rstewart@burr.com.