The Legal Pitfalls of “Friending” Social Media in Healthcare Jeana M. Singleton, Esq. Rosina M. Caponi, Esq. Brennan, Manna & Diamond LLC OACHC Annual Spring Conference March 6, 2013


Social Media
• Web-based platforms whereby users communicate, network, and share user-created content with others participating in the platform
• Facebook, Twitter, YouTube, Instagram, LinkedIn, Foursquare, Tumblr, Blogs, user comments

SOCIAL MEDIA
• Commonly used for marketing purposes - many hospitals, practices, and health centers now have their own Facebook and/or Twitter pages
• Used in recruiting – LinkedIn
• Employers often look at social media pages of job applicants

Increased use of Health Care Social Media
• PricewaterhouseCoopers April 2012 Report:
  ◦ Over 1200 hospitals participate on 4200 social media sites.
  ◦ Facebook and YouTube were the most commonly used social media channels to access health-related information

Increased use of Health Care Social Media
• PricewaterhouseCoopers April 2012 Report:
  ◦ More hospitals evolving from social media marketing to social business strategy – understanding patients’ needs and behaviors, responding to complaints
• In the consumer survey portion of the study:
  ◦ 4 in 10 had used social media to find health-related consumer reviews (e.g. of treatments or physicians)
  ◦ 1 in 3 have sought information related to other patients’ experience with a disease
  ◦ 1 in 4 posted about their health experience
  ◦ 1 in 5 joined a health forum or community

Problems Caused
• Employees disparaging employer, boss, or co-workers
• Contacting other employees with unwelcome or inappropriate messages
• Posting confidential information, pictures, and videos online relating to patients
  ◦ What kind of actions can employers take?

Problems Caused
• Risks of employment-based claims arising out of the use of social media to investigate and screen potential employees, as well as allegations of discriminatory hiring practices based on the results of social media searches
• Viewing social media sites can give an employer information protected under the Civil Rights Act, such as race, religion, sex, and national origin.

Social Media and the Law
• Recent cases taken up by the National Labor Relations Board (NLRB) for employees fired because of social media
• Employees’ right to be protected from employer retaliation when engaging in “concerted activity”
• NLRB released guidelines specifically for social media

National Labor Relations Act
• NLRA protects rights of employees: union and non-union
• Section 7 – protects an employee’s right to engage in concerted activities for the purpose of mutual aid and protection

“Concerted Activity”
• Activity by individual employees who are united in the pursuit of a common goal. Action must be engaged in with or on the authority of other employees, and not solely by and on behalf of the individual employee
• Certain concerted activities are protected – activities for employees’ mutual aid or protection or efforts to improve working conditions. Includes scenarios where employees act to initiate group action, and also actions by individual employees bringing group complaints to the attention of management

Retaliation
• Under the NLRA, an employer cannot retaliate against an employee because of the employee’s protected concerted activity

Relation to Social Media
• Recently, the NLRB has focused on social media cases
• Various Facebook postings have been held to be protected concerted activity

Facebook Cases
• Many instances held that employers violated NLRA. Focus on whether discussion involves terms and conditions of employment
• Example 1: Employee fired for Facebook posting expressing frustration at being demoted. Co-workers commented and echoed employee’s frustrations. This was held to constitute complaints about working conditions and thus protected concerted activity.

Facebook Cases
• Example 2: Employer violated NLRA for firing 5 employees who commented on Facebook regarding concerns about the job performance of other employees.
• Administrative Law Judge held:
  ◦ “Employees have a protected right to discuss matters affecting their employment amongst themselves. Explicit or implicit criticism by a co-worker of the manner in which they are performing their jobs is a subject about which employee discussion is protected…”

Facebook Cases
• In other recent cases, NLRB declined to issue complaints involving employer discipline for social networking activity, even when comments were job related. NLRB determined postings were not concerted activities, but rather personal complaints
• Ex: Wal-Mart employee posted disparaging comments about manager and Wal-Mart on Facebook. Was not deemed an effort to engage in group action

Facebook Cases
• Provisions of employer’s social media policies have been deemed overly broad, and thus prohibited protected conduct
• Ex: Hospital employee posted negative comments on Facebook about a co-worker’s absence and was terminated.
  ◦ NLRB concluded that the hospital’s policy provided no specific guidance on what was not allowed (e.g. it didn’t describe what was “private” or “confidential” relating to any person or entity) and was overly broad in areas (e.g. didn’t define broad terms such as what constituted embarrassment by the hospital) without limiting conduct in any way that would exclude protected activity

Recent NLRB Guidance
• Employer policies should not be so sweeping that they prohibit the kinds of activity protected by law, such as the discussion of wages or working conditions among employees.
  ◦ Example – policy cannot prohibit “making disparaging comments about company through any media or electronic media.” This is overly broad, needs limiting language that does not restrict NLRA rights
• An employee’s comments on social media are generally not protected if they are mere gripes not made in relation to group activity among employees.

What should you do?
• Review policies. Do they broadly restrict social media commentary? Must not restrict discussions relating to an employee’s terms and conditions of employment.
  ◦ Specifically outline types of posts that are prohibited.
• Appropriate training for staff and employees to recognize what is and is not allowed on social media

Suggested Elements of Social Media Policies
• No use of social media at work
• No use of a patient’s name, pictures, videos, or any other identifying information
• No disparaging patients, even if not identifying them

Suggested Elements of Social Media Policies
• No disclosure of confidential information relating to organization and employees
• No stating that personal opinions are endorsed by organization
• No use of organization’s logo on personal social media pages – want to avoid any appearance that a personal page could be construed as being statements of the organization.

Harassment and Social Media
• Harassment issues often arise when co-workers and supervisors are friends on Facebook or followers on Twitter
• Be cautious of any interaction between employees, especially those in supervisor-subordinate roles

Harassment and Social Media
• Harris v. North Park Clubhouse Lounge
  ◦ Employee complained to HR when manager called her sexual slurs
  ◦ Owner and other employees posted threatening comments on her Facebook
  ◦ Employee filed charge with Equal Employment Opportunity Commission (EEOC) claiming retaliation for her original harassment complaint. Consent decree entered

Defamation and Social Media
• Common issue: employees or students posting negative comments or untrue statements on social media about employer or institution
• Can lead to defamation and libel accusations

Defamation and Social Media
• Example: Low & Tritt v. The Pizza Kitchen (Tenn.)
  ◦ Marketing firm filed $2 million libel suit against former client for comments posted on Twitter and Facebook claiming they hurt reputation
  ◦ Firm alleged that former client called them “crooks” and that they stole e-mail lists and hacked into Pizza Kitchen’s Facebook page

Personal Privacy and Social Media
• Employers must make sure that company policy clearly states that employees have no reasonable expectation of privacy on company-owned computers
• For personal employee social network pages – employee may have privacy interest if they have taken reasonable efforts to keep the information private

Personal Privacy and Social Media
• However, if page is open to internet users, no reasonable steps have been taken to keep such information private
• Example of steps to keep information private: page can only be accessed with a password, password is only provided to select individuals

Personal Privacy and Social Media
• Stored Communications Act: 18 USC §2701
• Prohibits third parties from intentionally accessing electronically stored communications (e.g. e-mail) without authorization
• Intended to prevent hackers from accessing stored communications; however, it has been used in lawsuits against employers

Personal Privacy and Social Media
• Example case: Pietrylo v. Hillstone Restaurant Group (D.N.J. 2009)
  ◦ Employer found liable for violating Stored Communications Act when managers intentionally accessed a chat group on the employee’s MySpace page without receiving authorization from employee to join the group. Manager coerced password from another employee. Employer fired employee based on content of the chat group.
  ◦ Compensatory and punitive damages awarded to employee due to malicious conduct – manager knew access was unauthorized.

Personal Privacy - Passwords
• Instances of employers requiring employees (or schools requiring students) to turn over social media passwords have been in the news lately
• 6 states have legislation banning such practices (CA, MD, MI, NJ, DE, IL)
• Ohio has similar proposed legislation: S.B. 351 would prohibit employers from requiring applicant or employee to provide access to their electronic accounts

Personal Privacy and Social Media
• Lesson:
  ◦ Deception can never be used by employer to obtain information that is intended to remain private
  ◦ Cannot coerce employees into giving access to private information
  ◦ If you believe an employee’s postings need investigation, go directly to employee/site owner for access
  ◦ Not recommended to require employees to supply their personal passwords due to privacy concerns and pending Ohio legislation

Patient Confidentiality and Social Media
• HIPAA – health care providers must keep a patient’s individually identifiable health information confidential, except in specific circumstances when disclosure is allowed

Patient Confidentiality and Social Media
• EXAMPLE:
  ◦ HIPAA violation occurred when grief counselor helped establish a Facebook group with teens. Counselor’s involvement amounted to HIPAA violation, even though teens could have started group on their own.

Common Problems
• Discussion of patients over social media
  ◦ Example 1: Doctor fired and fined by Rhode Island Board of Medicine for posting a trauma patient’s information on Facebook. Although patient’s name not used, could still identify patient with other publicly available information.
  ◦ Example 2: Patient was involved in a violent crime and ER employee posted patient’s health information on Facebook.

Common Problems
• Posting pictures of patients on Facebook
  ◦ Example 1: Hospital workers, including nurses, took pictures of stabbed, dying man, posted on Facebook. Led to firings and suspensions.
  ◦ Example 2: Nursing aide took pictures of elderly patients using bedpans, posted on Facebook. She was sentenced to jail (served 8 days) for invasion of privacy.

Common Problems
  ◦ Example 3: Resident posted picture on Facebook of his suturing technique on patient. Also included summary of patient’s health history and medical state in the ER. Resident was disciplined.

Social Media
• Journal of the American Medical Association 2009 survey:
  ◦ 60% of medical and nursing students polled had made unprofessional postings online that violated patient confidentiality, contained discriminatory language, or included inappropriate sexual language

Consequences of HIPAA Violations
• Penalties can be severe for covered entity
• Not knowing: fines can range from $100 to $50,000 per violation
• Willful neglect: $50,000 per violation fine
• Those who knowingly obtain and disclose PHI can face fines up to $50,000 and imprisonment of up to 1 year.
• No private right of action under HIPAA. Ohio also has no private right of action for a HIPAA violation. Recently reaffirmed in 2012 case by the 10th Dist. Court of Appeals.

American Medical Association Social Media Policy
• AMA recently issued social media policy
• Focus on professionalism in the use of social media
• Separate personal from professional with online presence
• Encourages patient confidentiality and the use of privacy settings on personal social media accounts to maintain personal and professional privacy
• Maintain professional boundaries if interacting with patient online

LESSONS:
• Have clear and concise social media policies in place!
• Define what is and what is not appropriate use of social media by employees/students. Provide examples.
• Explicitly state policy is not intended to interfere with protected activity or infringe upon employee’s rights.

LESSONS:
• Prohibit: false or obscene statements, harassing language, discriminatory statements, posting of any patient-related information or discussion of patients in general
• Include social media in all HIPAA training
• Monitor social media of employees to ensure no HIPAA protected information ends up online

LESSONS:
• Reiterate that your harassment and discrimination policies still apply to social media content
• Prohibit any unauthorized use of data
• Require employees to sign acknowledgment that they have received and read social media policy
• Explicitly state potential consequences and punishment. Consistently enforce policy.
• This will help avoid lawsuits that will hurt your reputation and finances!

National Council of State Boards of Nursing Social Media Video


QUESTIONS?

Jeana M. Singleton Rosina M. Caponi

Brennan, Manna & Diamond, LLC

75 East Market Street Akron, Ohio 44308

330-253-5060
