The trusted source for
healthcare information and
Facebook, other social sites continue posing risk problems
Nurse fired after commenting online about treating "cop killer"
Social networking sites such as Facebook and MySpace continue to be a tricky problem for health care risk managers, who need to ensure that employees do not violate patient privacy even when off duty but also must avoid violating the personal rights of those employees. Failing to address the situation adequately could mean a HIPAA violation or damage to the provider's reputation, but using too heavy a hand could run afoul of labor laws.
Facebook and other sites have been a difficult issue in health care for as long as the sites have been around, but the growing popularity brings added concerns, says Sharona Hoffman, JD, professor of law and bioethics and co-director of the Law-Medicine Center at Case Western Reserve University School of Law in Cleveland. Not only are more people using the sites, but people are becoming more complacent about posting information on them, often giving little consideration to the fact that a post on a social networking site can be viewed by a large number of people, if not everyone, and the information can be copied and posted elsewhere, Hoffman says. This problem of complacency, thinking nothing of posting innermost thoughts or work-related rants, can be most prevalent among younger people who grew up using social networking sites, Hoffman says.
"Everyone else gets to [go] home and vent about their boss or the work they had to do that day, but health care providers sometimes don't understand that their situation is different," Hoffman says. "People have [been] disciplined for posting patient information, pictures, and videos of surgery. There have been cases where people posted pictures of themselves, but a patient chart was in view. That's problematic."
The ongoing problem was illustrated recently by a case in Detroit, when Cheryl James was fired from her job as a nurse at Oakwood Hospital, after posting a statement on her Facebook account indicating her displeasure with having treated a "cop killer" that day, according to a statement released by the hospital.
The posting did not include the patient's name, but Hoffman says this is a good example of how employee education sometimes fails. The nurse may have sincerely thought that she was not violating HIPAA because she did not identify the patient, Hoffman explains; but the patient was identifiable because there was ongoing media coverage about the shooting incident. And it was well known who the alleged "cop killer" was. Employees must be educated about how they can violate HIPAA, even without publishing names.
"The incident also shows another problem with these postings, and that is the way an employee's social networking comments can damage the hospital's reputation," Hoffman says. "Nurses and doctors are supposed to just care for their patients and not think about who they are or what they've done, so a public comment like this can be very damaging to the hospital. A hospital is certainly within its rights to take disciplinary action against an employee who says treating certain kinds of patients is distasteful."
James will fight her termination, because she says she did not violate HIPAA, and the hospital violated labor laws by dismissing her, according to a story on MyFoxDetroit.com (http://www.myfoxdetroit.com/dpp/news/local/oakwood-hospital-employee-fired-for-facebook-posting-20100730-wpms). Healthcare Risk Management made several calls to James' attorney seeking comment, but they were not returned. She isn't likely to prevail, says David Gevertz, JD, a shareholder and vice chair of the labor and employment department at the law firm of Baker, Donelson, Bearman, Caldwell & Berkowitz in Atlanta. The hospital will be able to show that the posting violated HIPAA and most likely that it violated the hospital's own policies about what information can be shared regarding patients, he says.
The hospital's policy can be the linchpin in such cases, Gevertz says, but he also cautions that it can be a mistake to go too far with prohibitions on what employees can post online. The provider must insist that website postings not violate HIPAA or any other law for which the health care organization is accountable, but stating that employees may not post about their work or the provider is going too far, he says.
"I do not advise that health care providers adopt blanket prohibitions on the use of social media. Such prohibitions limit the creation of innovative ways to use new technologies, hamstring employers into making unfortunate personnel decisions, and expose employers to liability for invasion of privacy," he says. "Instead, I counsel that the best approach is to develop a task force within the client's company that includes employees from the human resources, marketing, information technology, compliance, legal, and risk management departments. That group should then explore the utility of social media to their organization's culture in order to develop a clear scope of the activities it wishes to regulate."
One attorney cautions risk managers not to think of website postings as unique from other forms of communication. No matter how the information is disseminated, the same basic rules apply, says Kevin Troutman, JD, an attorney with the law firm of Fisher and Phillips in Houston.
"This comes up regularly, and we generally advise clients to consider their existing policies and update them to reflect the existence of Facebook and similar sites," he says. "In essence, they should treat an employee's statements on a public website the same way they would treat those statements if made orally in another public or semi-public forum. Patient privacy policies still apply, as do policies regarding other confidential information or public comments about the hospital."
On the other hand, hospitals have to be careful not to violate employee privacy rights and/or their rights under the National Labor Relations Act, says Leslie Spasser, JD, a shareholder with LeClairRyan in Virginia Beach, VA. Having a specific policy on social networking sites, with a signed acknowledgment from the employee, is an important first step in protecting the employer from charges that it ran roughshod over the employee's rights, she says. The information provided to the employee should make clear what is acceptable and what is not, and it should notify the employee of the possible disciplinary actions for violating the policy, she says.
"At the same time, it's critical to do training for the employees. HIPAA itself requires training, and I think you would benefit greatly from adding a Q&A session to discuss how the social networking policies apply," she says. "It forces employees to think about what is acceptable and what is not."
Employers have considerable leeway in disciplining and dismissing employees, but Spasser says it is always best to have clear policies in place and to provide notice to employees. That will greatly diminish the challenges from employees and provide a firmer footing if you are sued. Public employers may have more difficulty in this area, notes Mark Nelson, JD, an attorney with Drinker Biddle in Chicago. Public employers must consider state and federal constitutional protection of free speech rights, which can constrain them more than private employers, he says. Even so, private employers may have to consider state laws.
"For example, some states have laws that restrict an employer's ability to discipline or hold against an employee a lawful off-duty conduct in which the employee engages," he says. "Most of those laws concern activities like smoking, saying an employer can prohibit smoking in the workplace but can't ban employees from smoking when off duty. Depending on the wording of these laws, however, they could be applied to something like posts on a social networking site, particularly if it doesn't rise to the level of a HIPAA violation."
That is not to say that employers can't be firm. Hoffman says there is no problem in telling employees that they may not post information regarding patients.
"I think it is appropriate for an employer in the health care arena to say you do not post anything about patients in any way on your website," she says. "It's just too sensitive. Sometimes, you think it is not identifiable, but it is. Health care is not like being a car salesman. There is a higher level of responsibility, and it is appropriate to tell employees they cannot post anything about patients on their own websites and social networking sites."
However, the employer should not demand access to employees' website postings, she says. Spasser agrees, saying the courts are inconsistent now regarding how much employers can monitor employees' Internet postings and hold them accountable. It is better to educate employees about the risks than to depend on looking over their shoulders and checking what they post, say Spasser and Hoffman.
"Then, you get into some problems with employee privacy," Hoffman says. "Employees put all sorts of private information on their sites that is not meant for employers to look at. You have to balance the employee's rights and the patient privacy rights."
Sharona Hoffman, JD, Professor of Law & Bioethics, Co-Director of the Law-Medicine Center, Case Western Reserve University School of Law, Cleveland, OH. Telephone: (216) 368-3860. E-mail: email@example.com.
Leslie Spasser, JD, Shareholder, LeClairRyan, Virginia Beach, VA. Telephone: (757) 217-4535. E-mail: firstname.lastname@example.org.
Mark Nelson, JD, Drinker Biddle, Chicago. Telephone: (312) 569-1326. E-mail: email@example.com.
David Gevertz, JD, Shareholder and Vice-Chair of the Labor and Employment Department, Baker, Donelson, Bearman, Caldwell & Berkowitz, Atlanta. Telephone: (404) 221-6512. E-mail: firstname.lastname@example.org.
Kevin Troutman, JD, Partner, Fisher & Phillips, Houston, TX. Telephone: (713) 292-0150. E-mail: email@example.com.