The numbers are staggering. According to a recent report published by the Pew Internet & American Life Project, the percentage of adults who use social networking sites such as MySpace and Facebook reached 35% in 2008, up from only 8% in 2005.i For employers, these numbers suggest that a large portion of your workforce is actively participating in online social networking communities. This also means that if employers' Internet policies do not cover the appropriate use of social networking and blogging, they are leaving themselves exposed to abuse, embarrassment, and potential liability. But what does this mean for health care providers, for which the social networking revolution offers many advantages and even scarier risks in terms of private patient data being disseminated across the worldwide web?
This article discusses how to craft an appropriate social networking policy which minimizes the risks of employee online networking, while still allowing health care organizations to make the best use of new Internet technologies to help their patients and uphold the mission of their organizations.
The Benefits Of Social Networking for Health Care Providers
Social networking has place and usefulness in assisting hospitals and other health care providers in building online communities for its patients and programs. Patients, often with the assistance of those providers, are building increasingly sophisticated online support groups that enable them to share information about treatments, discuss their experiences, and assist each other in coping with illness. The same technologies make it possible for advocacy groups, government agencies, and health care providers to update consumers on relevant health news and deliver personalized healthcare-related messages, reminders and alerts to email accounts, mobile phones and other wireless devices.
Given the numerous positive ways in which social networking sites can be used by health care providers, do blanket prohibitions serve the best interests of the health care providers or the patients they serve? According to at least one hospital President, Paul Levy, President and CEO of Beth Israel Deaconess Medical Center in Boston, blocking employee access to social networking sites is a bad idea.ii He argues that such bans will "impede the sharing of ideas and information -- practices that are vital to modern health care organizations' day-to-day operations and long-term planning and teaching missions."
Social Networking In The Age of HIPAA
On the flipside, penalties for allowing breaches patient confidentiality are increasingly stringent. HIPAA requires that personally-identifying information about patients, as well as information about a patient's medical procedures, treatments, etc. cannot be transmitted electronically without first being encrypted. The 2009 American Recovery and Reinvestment Act (ARRA) also includes new, stiffer regulations for protecting electronic patient data. And an increasing number of states, such as Nevada and Massachusetts, have recently passed their own laws addressing patient data security.
Despite tougher laws, a survey published in the September 23/30, 2009 issue of JAMA, entitled "Online Posting of Unprofessional Content by Medical Students reports that a majority of respondents (60%) reported incidents of medical students posting "unprofessional" content online. Among the inappropriate content reported, 13% of respondents described inappropriate posts that "violat[e] patient confidentiality," including posts that contained "enough clinical detail that patients could be potentially identified." In this legal climate and given the severe penalties involved when patient confidentiality is breached, it is understandable that most health care organizations believe that the easiest and best approach to this issue is to ban all access to social networking sites, personal emails and blogs.
However, many argue that the potential benefits social networking offers health care providers outweigh the risks, and that an outright ban is not the best solution. Moreover, even if employers ban the use of social networking sites or other personal Internet use at work, they cannot completely monitor employees' activities on these sites outside of work. Indeed, employers run the risk of incurring significant liability to the extent their policies attempt to censor lawful speech posted by its employees outside of work. Similarly, employers who seek to monitor their employees' online activities must avoid running afoul of laws that offer protection to employees, including the federal Stored Communications Act, which prohibits third parties from accessing electronically store communications without proper authorization, and Section VII of the National Labor Relations Act, which protects employees' right to form, join and assist labor organizations, and to engage in other concerted activities. In the end, blanket prohibitions do not make sense, nor are they in the best interest of the health care provider. They limit the creation of innovative ways to use new technologies to the benefit of the provider, hamstring employers into making personnel decisions they might not otherwise choose to make when the policy is violated, and potentially leave employers open to liability for violations of labor and employment regulations based on their Internet usage policies and monitoring of same.
Crafting a Social Media Policy to Balance the Risks And Rewards
A well-crafted social policy can limit the risks associated with employee electronic media use, while allowing health care providers to take advantage of new technologies.
- If a provider chooses to allow employees personal use of the Internet at work, its policy should limit usage to: checking personal email, handling personal business via the Internet, or passive reading of news or other informational websites. Employees can and should be prohibited from blogging or posting on sites while at work, unless such usage is for sanctioned, work-related activities.
- The policy should emphasize that employees remain responsible for the content of texting and Internet postings done outside of work. For example, employee posts should not violate any policies including the Code of Ethics or Anti-Harassment/Nondiscrimination policies. Employees should also be encouraged to use good judgment and discretion when posting information. For example, if a profile can link someone to their place of employment, the employee should not post anything that could potentially embarrass or otherwise reflect poorly on the health care provider. Moreover, if an employee posts information to a posting site that could impair or injure the reputation of, or otherwise harm the provider, the policy should reserve the company's right to demand that the employee remove the information from the posting site and discipline the employee.
- The policy should strictly prohibit the dissemination of, posting, or reference to patient information, unless done via encrypted communication and for work purposes only. Willful violations of this rule should result in immediate termination.
- All policies should also emphasize that:
- employees should have no expectation of privacy with respect to any information communicated via the company's electronic communication systems; and
- the company reserves the right to monitor, review and inspect all e-media use conducted through its networks and the contents thereof.