The explosion in popularity of social media has, in my opinion, been a blessing and a curse for businesses. On the one hand, social media helps businesses market products and services, and reach-out to current and potential customers, with relative ease and little cost.  On the other hand, social media provides employees and customers with a platform to complain, air dirty laundry to the world, and otherwise draw negative attention to the business.

A medical center in Cincinnati recently experienced the curse of social media.

A patient at the University of Cincinnati Medical Center has sued the Medical Center alleging that one or more hospital employees posted on Facebook a screenshot of her medical records, including her name and diagnosis, syphilis.  To make matters worse (if that’s possible), the Facebook group on which the information was posted was called “Team No Hoes.” Comments accompanying the screenshot referred to the patient as a “hoe” and a “slut.”

The patient sued the Medical Center, two hospital employees, and the patient’s ex-boyfriend.  The ex-boyfriend is alleged to have put the Medical Center employees up to the task.

The patient’s attorney has characterized the Facebook post as “devastating” to his client.  The attorney contends “all of this could’ve been avoided if UC Med Center had proper protections in place.”

To the Medical Center’s credit, within days after learning about the incident, the Medical Center terminated an employee believed to have been responsible for the Facebook post.  The termination, however, was an after-the-fact response – after damage had already been done.

Is there anything the Medical Center could have done to prevent the situation in the first place? Without knowing what policies the Medical Center had in place, it’s difficult to say whether the Medical Center could have done anything differently.  It’s possible that the Medical Center simply employed a few “bad apples” who were aware of, but ignored, the Medical Center’s policies designed to protect patient information.

There are things that all employers can do in an effort to decrease the risk of liability stemming from employee use (or misuse) of social media:

  1. Develop a social media policy that is easily understood and that puts employees on notice of prohibited use.  Use specific examples in the policy so there is no misunderstanding about what is, and is not, permitted.
  2. Don’t assume that employees have read your social media policy.  If it’s buried in your handbook, many employees may not have read it.  So, train all employees periodically about social media “do’s and don’ts.”
  3. Enforce your social media policy consistently.  If you turn a blind eye to a violation, that may send a message to employees that you’re not serious about enforcement.
  4. Make sure your social media policy is not overly broad and cannot reasonably be interpreted as infringing upon employees’ rights under Section 7 of the National Labor Relations Act to engage in concerted activity.  For example, a policy must not prohibit employees from using social media to discuss, gripe, or complain about wages, hours, benefits, or other terms and conditions of employment.  Over the last few years, the NLRB has been very aggressive in striking down social media policies in both unionized and non-unionized workplaces.

If you have not revised your employee handbook for several years, you may not have a social media policy. And, even if your handbook has a social media policy, it may not adequately protect your business interests, or it may infringe upon employees’ Section 7 rights (at least in the eyes of the NLRB).  Review your handbook today . . . and then make sure your employees are trained.