Electronic medical record software and social media offer wide-ranging ways for health care providers to connect with their patients and the public. Having robust technology offerings support healthcare employers’ efforts to improve clinical integration and value-based care delivery efforts. It also provides greater patient access to healthcare information and engagement with their care team. Internet-based publishing and other social media channels allow healthcare providers opportunities for marketing and for patient education, and may expand access to health information for patients who may not seek regular medical care. There are huge benefits available from these resources for healthcare institutions and providers at every scale and in every specialty, which are likely to continue to expand in the future.
Why Do Healthcare Employers Need Current Policies on Internet and Social Media Use?
Even with the substantial benefits of the internet and social media, healthcare employers need to regularly assess their policies governing internet and social media to ensure that their employees use these tools responsibly. Every healthcare organization, from small medical groups to large health systems, should adopt a social media use policy that outlines permissible uses, best practices, and potential discipline in the event of violations by their employees.
These policies should outline the employer’s expectations, ability to review employees’ public activities, and remind employees about potential legal and/or reputational risks to their organization and themselves individually. Many of these technologies are so highly integrated in daily life that any user can lose perspective. Employees may forget that their online activities are almost always likely to be, or capable of being made, public, searchable, and potentially permanent, even if the person thinks they are protected by privacy settings or a pseudonym.
In addition to having a written policy, we recommend that employers actively audit employees’ internet and social media use at regular intervals, both on the employer’s networks and on publicly-available social media platforms and websites. Doing so helps employers identify problems earlier and reduce potential legal and reputational risks. Inadvertent missteps by employees could result in employer liability. For example, in our recent blog, we described a recent HIPAA-related settlement with the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) stemming from a provider’s disclosure of Protected Health Information (“PHI”) in responding to online patient reviews.  In addition to active monitoring efforts, we also recommend that employers ask their insurance advisors about what coverage is available with respect to liabilities that may arise from employee’s internet and social media use.
What Should These Policies Cover, as a General Rule?
First, a policy should require that employees only communicate with patients through the employer’s designated electronic health record and related communications platforms to protect PHI. It should remind employees that all professional, ethical rules governing their practice apply to electronic communications, including duties surrounding confidentiality, privacy, patient-provider relationships, etc. The policy should remind employees of limitations on disclosures of the employer’s confidential and proprietary information. The policy should remind employees that rules governing appropriate conduct in the workplace (e.g., non-discrimination, non-harassment, etc.) apply to all internet and social media activity and communications. Finally, the policy should inform employees that their activities may be monitored, as described above.
Wait – Do Our Employees Have a First Amendment Right to Free Speech Online?
As a general rule, employees’ rights to free speech at work vary depending on whether their employer is a public or private organization, and whether the employee is protected by federal and state laws governing collective bargaining activities. Healthcare employers in the private sector have greater flexibility here because they are not bound by the free-speech obligations applicable to governmental employers. However, employers should confirm with an attorney which laws may apply to protect employees in their state and these considerations should be factored into their policies.
For example, in California, these policies should include express exceptions for employees’ protected speech rights under federal law and state law. Those protections include an employee’s right to engage in collective action, to discuss potentially unlawful conduct in the workplace, and to be protected from workplace discrimination based on the employee’s political affiliation. California employers may not discriminate against an employee for conduct that is lawful outside of work, such as engaging in political activities or speech. However, California private employers also do not have a duty to protect free speech on behalf of employees. So, for example, if an employee were engaging in lawful protected conduct online, such as expressing a political affiliation or engaging in political activities or speech, that would be protected under the employer’s policy. By contrast, if an employee were to use racist slang in communications with a colleague in email or on social media, that would not be protected, and a private employer may take disciplinary action consistent with its policies on that basis.
What Specific Elements Should Our Policy Include?
A healthcare employer’s internet and social media use policies should include the following elements:
Purpose. A clear purpose statement of the employer’s goals (i.e., a commitment to protecting patient confidentiality, ensuring compliance with state and federal regulations, etc.).
- Expectations. Clear expectations for employees’ behavior on social media, such as avoiding any conduct that could harm the employer’s reputation or violate patient privacy rights under HIPAA, and refraining from any activities that are or could be perceived as unprofessional or unethical.
- Conflicts of Interest. Outline that employees should refrain from endorsing specific products or services, disclose any relevant financial relationships with third parties, and if appropriate, include disclaimers that an employee’s opinions do not represent those of the employer.
- Training/Education. Require that employees attend ongoing training and education on responsible and effective social media use on an annual basis or otherwise.
- Disclaimers. Remind employees that violations may result in disciplinary action, legal liability, or termination of employment.
By establishing clear guidelines for employees’ internet and social media use, healthcare employers can maximize the benefits of such technology while mitigating legal and reputational risks. Because the legal landscape surrounding social media is ever-evolving, healthcare employers should regularly review and update their policies to ensure that they remain current with the latest trends and best practices. If you have any questions about developing a social media policy, the Healthcare team at Sheppard Mullin is available to assist you.
 HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information, HHS (Dec. 14. 2022), HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information | HHS.gov.
 New Vision Dental resolution Agreement and Corrective Action Plan, HHS (Dec. 14. 2022), New Vision Dental Resolution Agreement and Correction Action Plan | HHS.gov.