Social sites continue posing risk problems
Nurse fired after comment about "cop killer"
Social networking sites such as Facebook and MySpace continue to be a tricky problem for managers, who need to ensure that employees do not violate patient privacy even when off duty but also must avoid violating the personal rights of those employees. Failing to address the situation adequately could mean a HIPAA violation or damage to the provider's reputation, but using too heavy a hand could run afoul of labor laws.
Facebook and other sites have been a difficult issue in health care for as long as the sites have been around, but the growing popularity brings added concerns, says Sharona Hoffman, JD, professor of law and bioethics and co-director of the Law-Medicine Center at Case Western Reserve University School of Law in Cleveland. Not only are more people using the sites, but people are becoming more complacent about posting information on them, often giving little consideration to the fact that a post on a social networking site can be viewed by a large number of people, if not everyone, and the information can be copied and posted elsewhere, Hoffman says. This problem of complacency, thinking nothing of posting innermost thoughts or work-related rants, can be most prevalent among younger people who grew up using social networking sites, Hoffman says.
"Everyone else gets to [go] home and vent about their boss or the work they had to do that day, but health care providers sometimes don't understand that their situation is different," Hoffman says. "People have [been] disciplined for posting patient information, pictures, and videos of surgery. There have been cases where people posted pictures of themselves, but a patient chart was in view. That's problematic."
The ongoing problem was illustrated recently by a case in Detroit, when Cheryl James was fired from her job as a nurse at Oakwood Hospital after posting a statement on her Facebook account indicating her displeasure with having treated a "cop killer" that day, according to a statement released by the hospital. (See the story below for more details.) The posting did not include the patient's name, but Hoffman says this is a good example of how employee education sometimes fails. The nurse might have sincerely thought that she was not violating HIPAA because she did not identify the patient, Hoffman explains, but the patient was identifiable because there was ongoing media coverage about the shooting incident, and it was well known who the alleged "cop killer" was.
Employees must be educated about how they can violate HIPAA, even without publishing names. "The incident also shows another problem with these postings, and that is the way an employee's social networking comments can damage the hospital's reputation," Hoffman says. "Nurses and doctors are supposed to just care for their patients and not think about who they are or what they've done, so a public comment like this can be very damaging to the hospital. A hospital is certainly within its rights to take disciplinary action against an employee who says treating certain kinds of patients is distasteful."
James will fight her termination, because she says she did not violate HIPAA, and the hospital violated labor laws by dismissing her, according to a story on MyFoxDetroit.com (http://www.myfoxdetroit.com/dpp/news). AHC Media, publisher of Same-Day Surgery, made several calls to James' attorney seeking comment, but they were not returned.
She isn't likely to prevail, says David Gevertz, JD, a shareholder and vice chair of the labor and employment department at the law firm of Baker, Donelson, Bearman, Caldwell & Berkowitz in Atlanta. The hospital will be able to show that the posting violated HIPAA and most likely that it violated the hospital's own policies about what information can be shared regarding patients, he says.
The hospital's policy can be the linchpin in such cases, Gevertz says, but he also cautions that it can be a mistake to go too far with prohibitions on what employees can post online. The provider must insist that web site postings not violate HIPAA or any other law for which the health care organization is accountable, but stating that employees may not post about their work or the provider is going too far, he says. (See p. 129 for more on social networking policies.)
"I do not advise that health care providers adopt blanket prohibitions on the use of social media. Such prohibitions limit the creation of innovative ways to use new technologies, hamstring employers into making unfortunate personnel decisions, and expose employers to liability for invasion of privacy," he says. "Instead, I counsel that the best approach is to develop a task force within the client's company that includes employees from the human resources, marketing, information technology, compliance, legal, and risk management departments. That group should then explore the utility of social media to their organization's culture in order to develop a clear scope of the activities it wishes to regulate."
One attorney cautions managers not to think of website postings as unique from other forms of communication. No matter how the information is disseminated, the same basic rules apply, says Kevin Troutman, JD, an attorney with the law firm of Fisher and Phillips in Houston. "This comes up regularly, and we generally advise clients to consider their existing policies and update them to reflect the existence of Facebook and similar sites," he says. "In essence, they should treat an employee's statements on a public web site the same way they would treat those statements if made orally in another public or semi-public forum. Patient privacy policies still apply, as do policies regarding other confidential information or public comments about the hospital."
On the other hand, hospitals have to be careful not to violate employee privacy rights and/or their rights under the National Labor Relations Act, says Leslie Spasser, JD, a shareholder with LeClairRyan in Virginia Beach, VA. Having a specific policy on social networking sites, with a signed acknowledgment from the employee, is an important first step in protecting the employer from charges that it ran roughshod over the employee's rights, she says. The information provided to the employee should make clear what is acceptable and what is not, and it should notify the employee of the possible disciplinary actions for violating the policy, she says.
"At the same time, it's critical to do training for the employees. HIPAA itself requires training, and I think you would benefit greatly from adding a Q&A session to discuss how the social networking policies apply," she says. "It forces employees to think about what is acceptable and what is not."
Employers have considerable leeway in disciplining and dismissing employees, but Spasser says it is always best to have clear policies in place and to provide notice to employees. That will greatly diminish the challenges from employees and provide a firmer footing if you are sued. Public employers may have more difficulty in this area, notes Mark Nelson, JD, an attorney with Drinker Biddle in Chicago. Public employers must consider state and federal constitutional protection of free speech rights, which can constrain them more than private employers, he says. Even so, private employers may have to consider state laws. "For example, some states have laws that restrict an employer's ability to discipline or hold against an employee a lawful off-duty conduct in which the employee engages," he says. "Most of those laws concern activities like smoking, saying an employer can prohibit smoking in the workplace but can't ban employees from smoking when off duty. Depending on the wording of these laws, however, they could be applied to something like posts on a social networking site, particularly if it doesn't rise to the level of a HIPAA violation."
That is not to say that employers can't be firm. Hoffman says there is no problem in telling employees that they may not post information regarding patients. "I think it is appropriate for an employer in the health care arena to say you do not post anything about patients in any way on your web site," she says. "It's just too sensitive. Sometimes, you think it is not identifiable, but it is. Health care is not like being a car salesman. There is a higher level of responsibility, and it is appropriate to tell employees they cannot post anything about patients on their own web sites and social networking sites."
However, the employer should not demand access to employees' web site postings, she says. Spasser agrees, saying the courts are inconsistent now regarding how much employers can monitor employees' Internet postings and hold them accountable. It is better to educate employees about the risks than to depend on looking over their shoulders and checking what they post, say Spasser and Hoffman. Hoffman says, "Then, you get into some problems with employee privacy. Employees put all sorts of private information on their sites that is not meant for employers to look at. You have to balance the employee's rights and the patient privacy rights."
Sources
- Sharona Hoffman, JD, Professor of Law & Bioethics, Co-Director of the Law-Medicine Center, Case Western Reserve University School of Law, Cleveland, OH. Telephone: (216) 368-3860.
- Leslie Spasser, JD, Shareholder, LeClairRyan, Virginia Beach, VA. Telephone: (757) 217-4535.
- Mark Nelson, JD, Drinker Biddle, Chicago. Telephone: (312) 569-1326.
- David Gevertz, JD, Baker, Donelson, Bearman, Caldwell & Berkowitz, Atlanta. Telephone: (404) 221-6512.
- Kevin Troutman, JD, Partner, Fisher & Phillips, Houston, TX. Telephone: (713) 292-0150.
Off-duty web post gets nurse fired
Nurse Cheryl James didn't think she was violating any rules when she posted her frustrations on Facebook, saying she had treated a "cop killer" that day. The posting followed the shooting death of Taylor Police Corporal Matthew Edwards in July 2010. James was one of the nurses who helped treat the accused shooter, Tyress Mathews, at Oakland Hospital in Detroit after the incident.
James told Fox News that she was emotional after the events of the day, knowing that a police officer was dead and she had worked to save the life of the man accused of shooting him. After work one night, while at home, she vented her frustrations and anger on Facebook, saying she had come face-to-face with a "cop killer" and that she hoped he rotted in hell, along with other obscene comments, she told Fox News. (For the full story from the news site, go to http://www.myfoxdetroit.com/dpp/news.)
A few days later the hospital fired James, saying she had violated HIPAA by posting protected health information on Facebook and had made disparaging remarks about a patient. After the firing, Oakwood Hospital released this statement:
"As health care providers, we have a legal and ethical responsibility to protect patient privacy, and we are bound by HIPAA rules and regulations to ensure that we do so. All of our employees are trained and expected to protect patient information. This means keeping details confidential that might make it easy to identify a patient, even if his or her name has not been revealed. That's why disciplinary action, even termination, may result from sharing information about patients inappropriately in any public forum or setting. While we cannot discuss specific details regarding any current or former employee, we all have a legal and ethical responsibility to put our personal opinions aside and provide the care required for any patient who has entrusted us with their health."
Policy is crucial to avoid web breaches
Only about a quarter of employers have a policy on employees' use of social networking sites, says Danielle Urban, JD, an attorney with the law firm of Fisher & Phillips in Denver. "Without a policy, it's harder to discipline and to fire an employee," Urban says. "We recommend that employers have policies against employees blogging, posting, or Tweeting anything that identifies that person as an employee of the organization. Or if you don't go that far, you can require employees to post a disclaimer that anything they say is not endorsed by the hospital and is being said only as a private person, not your representative."
Urban also suggests the policy include a requirement that the employee not mention a coworker, patient, vendor, or any other contact from work without obtaining permission from that person first. "Remind employees that what they do on their private time can be a violation of company policy and maybe even the law," Urban says. "It's amazing how many people think they can post something on the Internet and it will be seen only by the people they want to see it. It's out there for people to see, and employers will find out about it even without doing anything sneaky to monitor what you do. These things can cost you your job."
Employers have a legitimate interest in limiting what their employees post, says Amanda Vega, a consultant in New York City specializing in social networking sites and media management. "The written policy on the use of social networks should be signed by all employees, so there is no misunderstanding. The hospitals cannot say that employees are not allowed to use social networks, but they can have a policy clearly stating that they may not write, chat, take pictures, Tweet, or post on Facebook, etc., about any patient," Vega says. "This can also apply to stating information about any personnel within the hospital: doctors, nurses, interns, technicians, or medical reps."
Even after the written policy is in place, there should be at least an annual policy review and training for the employees in case there are any issues to address or new social networks that have come into play, she says. "If the employee agrees to not post any patient information and does it anyway (this would include referencing a patient as a cop killer), this can be terms for a serious violation and/or termination," Vega says.
The best policies tend to limit Internet usage and prohibit most blogging or posting on sites while at work, says David Gevertz, JD, a shareholder and vice-chair of the labor and employment department at the law firm of Baker, Donelson, Bearman, Caldwell & Berkowitz in Atlanta. Gevertz says the policy also should include these points: