Here’s a disturbing statistic: 70 percent of all pornography use on the Web occurs during normal working hours. Can you be sure your employees aren’t accessing pornography sites, buying and selling items on eBay or participating in long chat sessions with their friends when they should be working?
And if employees are abusing their Internet privileges, what can you do about it?
“A small practice has to protect itself,” said Dana Holtz, JD, a health care attorney with Wade, Goldstein, Landau and Abruzzo of Berwyn, Penn. Ms. Holtz will teach an AAOE course at the Academy’s Joint Meeting on this problem.
The stakes are high. Not only does abuse of Internet access result in lower productivity for your office, but also your practice can be held liable in cases involving offensive material, Ms. Holtz said. In addition, unchecked abuse of this sort can increase the amount you must spend on technology and can lead to security breaches.
You can’t keep an eye on every employee every minute of the day. But like the related problem of overuse of office phones for personal matters, there are policies you can put in place and actions you can take to discourage abuse and deal with the problem if it does occur.
#1 Know the Risks
While protections are needed, it’s generally agreed that abuse of the Internet isn’t as much of a problem in small- and medium-sized medical practices as it is in most business settings. “In the corporate world, people can hide much easier because they’re in an office or cubicle,” said Michelle Drolet, CEO of Conqwest, a Holliston, Mass., Internet security vendor that counts small practices among its clients. “In most small practices, typically the PCs are out in the open and they’re shared, so you don’t usually find as much abuse.”
But the fact that Internet abuse is less likely to be a problem in your practice doesn’t mean it won’t happen, Ms. Holtz and Ms. Drolet agreed. And the stakes are just as high for you as they are for any other type of company, Ms. Holtz said.
Legal.
“Employers have been sued for copyright infringement for downloading copyrighted material,” Ms. Holtz said. “They’ve been sued for racial discrimination or sexual harassment because of Internet usage.” For instance, in a widely known case involving a nonmedical business, a woman passed a coworker’s computer screen that was displaying pornographic material and successfully sued the company for sexual harassment.
Financial.
Another obvious problem is a drop-off in productivity, said Ms. Drolet.
Plus, this abuse can cost you money in extra equipment for faster access, she noted. Employees who download or upload pictures and music can eat up a lot of precious bandwidth, slowing down legitimate Internet-related operations, said Ms. Drolet. Many organizations, she added, have upgraded their equipment and Internet access when, in fact, they could have solved the problem by cracking down on personal use of the Internet.
Security-related.
Unauthorized use of popular instant messaging products can open the way for hackers to infect your system with viruses or, even worse, gather data from your records, Ms. Drolet said. Besides disrupting your business, this could compromise the safety and security of protected health information, which represents a potential violation of HIPAA regulations, she said.
#2 Find Tech Solutions
One solution frequently used by large businesses is special software that monitors employee Internet and e-mail usage. This class of software collects data about who is sending e-mail and whom they are sending it to. It can monitor the contents of that e-mail and send up red flags if it encounters certain words or phrases. In addition, software can actively prevent users from accessing specific Web sites or monitor what Web sites employees go to.
Ms. Drolet noted, however, that these solutions are typically used by large enterprises and not smaller ones because they are expensive and take a lot of technical expertise to administer. However, hardware and software solutions are available for small offices. You could, for instance, use consumer-oriented PC software such as Net Nanny to prevent access to specific sites, she said. (Net Nanny from LookSmart and another Internet filtering product called CyberSitter from Solid Oak Software cost approximately $40. Similar programs range from $25 to $50.)
Hardware.
Plus, you have some additional options if your office uses a firewall to prevent intrusions—and given the existence of so many security threats plus the HIPAA security and privacy regulations, more and more small practices are using hardware firewalls.
“Even my ophthalmologist’s office has one, and they only have two PCs,” Ms. Drolet said. She should know: She installed their firewall.
It is possible to build e-mail monitoring and Web filtering into firewalls used by small businesses. That will increase your cost slightly, but it’s worth it. Ms. Drolet said that such firewalls cost about $1,000 for companies such as her ophthalmologist’s, and she charged them about $150 to set it up.
“You’ll want somebody who knows what they’re doing [for installation] so you pay once, get it set up correctly and then it’s done,” she said.
#3 Set the Policy
By far the most important thing you can do to prevent employee abuse of the Internet is to establish a policy, communicate it clearly and enforce it consistently, Ms. Drolet and Ms. Holtz agreed.
“You need a policy that says we can and will monitor Internet usage in the workplace,” Ms. Holtz said. “Otherwise, employees have the expectation that they have privacy when they’re using the Internet for their own purposes.”
The policy should be in writing because it minimizes your liability if abuse occurs, Ms. Holtz said. She said the four key elements of an Internet usage policy are straightforward statements that address the following:
- Office computer systems and Internet access are the property of the practice.
- The practice has the right to monitor e-mail and Web and other Internet activity.
- The Internet should be used only for business reasons unless otherwise stated in the policy.
- The employee can’t create new passwords without giving them to the administrators.
You may want to allow some personal use of the Internet. For instance, some businesses allow employees to access nonoffensive Web sites during the lunch hour or before or after normal work hours.
As with many employee-related issues, you’ll also want to include in the policy what will happen should an employee violate the policy. When you’ve completed a draft, Ms. Holtz recommends running it past an attorney. “Unfortunately, a lot of practices will put together their own policies, and they miss issues and things aren’t written as they should be,” Ms. Holtz said.
After the policy is finalized, there are two steps left. First, incorporate it into a larger employee handbook. Finally, take steps to make sure that employees know its contents, such as discussing it at a staff meeting.
Top Six Internet Abuses
Ms. Drolet helps small businesses, including medical practices, fight Internet abuse. Here’s her list of the top six abuses.
1. Listening to music or radio online. “This eats up bandwidth, but people do it all the time. I tell our customers to buy people radios.”
2. Use of personal Web-based e-mail accounts such as those offered by Hotmail or Yahoo. “These make security much more difficult since they invite in viruses.”
3. Pornography. Ms. Drolet cited a study that found 70 percent of Internet pornography is accessed during the workday. This poses a serious liability problem for your practice.
4. Peer-to-peer applications. These refer to file-sharing programs such as Kazaa. They chew up bandwidth in great quantities—plus, they open your system up to spyware that enables outsiders to monitor your computing activities. Use should be prohibited.
5. Instant messaging. Security is difficult to enforce, so using instant messaging to chat with friends invites viruses and similar problems.
6. Uploading and downloading digital photos. “This takes a ton of bandwidth and also can use up a lot of space on your server.”
Personal Business/Electronic Monitoring Guidelines
If you are interested in writing an Internet policy for your office, Ms. Holtz has generously provided the "Personal Business/Electronic Monitoring" guidelines below.
Additionally, the AAOE has developed The Ophthalmic Executive's Resource Guide: Developing Your Employee Handbook—Protective Shield or Legal Minefield. Both the book and enclosed CD-ROM include documents that you can use as templates in developing your own employee handbook. To purchase, please go to the Academy store at www.aao.org/store.
Personal Business/Electronic Monitoring
The use of company time and company resources for personal matters is not a new issue for employers. However, the commonplace problem of personal use of telephones in the workplace pales in comparison to the problems posed by the potential abuse of the Internet and email in the workplace. As employee use of email and the Internet increases, so does the potential for an employer to be held liable for employee misconduct. For example, employers have been sued for copyright infringement when an employee downloaded copyrighted material from the Internet, for racial discrimination when employees circulated offensive emails, and for sexual harassment when employees posted harassing comments on an electronic bulletin board. In addition, excessive personal use of the Internet and email can have a profound effect on employee productivity.
There are many issues implicated by personal business being conducted in the workplace and the company policies that are designed to minimize the amount of such personal use. It is important to create workplace policies and rules that protect both the employer's business interests and the privacy rights of employees. It is essential for employers to distribute these policies to employees, and to ensure that the employees understand what is expected of them.
A monitoring policy can be the employer's best mechanism for controlling the degree of personal business conducted in the workplace, as well as the employer's best defense against employee lawsuits for invasion of privacy. In general, issues that should be addressed in a carefully worded electronic monitoring policy statement should include the following:
- The computer system is company property and should be used for company business only. Employee use of the network is considered consent to the policy and to management's right to review email or listen to telephone conversations or voicemail and monitor Internet activity.
- Email, the telephone, and the Internet should be used only for a valid business reason. Email, telephones, and the Internet should not be used to solicit or to advocate non-company or purely personal interests. Foul, offensive, defamatory, pornographic, or other inappropriate communication is strictly prohibited.
- The employer reserves the right to monitor the telephones, Internet and email networks.
- Employees do not have a personal privacy right in any matter created, received, or sent from the company telephone, Internet, or email systems. Telephone calls, Internet sites, and email can be read, or intercepted by others, including inadvertent disclosure, accidental transmission to third parties, or purposeful transmission to a third party. The company has the right to retrieve and read any message or file, and for this reason the employee must disclose his or her password to the employer.
- Information obtained through monitoring will be disclosed only to those with a legitimate business need to know.
- Policy violations will subject an employee to disciplinary action, up to and including discharge.
Notwithstanding the foregoing, employers should limit their monitoring to the extent necessary for legitimate business purposes. Employers should generally access an employee's voicemail only if, as the provider of the service, it has a legitimate business reason, in the ordinary course of business, to do so. In addition, if an employer has a policy allowing the monitoring of employee telephone conversations, once the subject matter of the conversation becomes personal, the employer should discontinue further monitoring (although it may log the length of time of the personal phone call).
This material is excerpted from the handout for the "Personnel Policies and Employee Handbooks for the Small Ophthalmic Practice" Instruction Course presented during the Joint Meeting by Dana L. Holtz, JD, Wade, Goldstein, Landau & Abruzzo, PC.