As recent statistics demonstrate, social networking sites are more than just popular, they are changing the way people communicate and maintain connectivity, as well as being used in the hiring process.
A Nucleus Research study found that approximately 77 percent of workers have a Facebook account and nearly two-thirds of those employees access their accounts during work hours.1 Facebook alone now has more than 800 million active users, more than half of whom log on to the site on any given day.2 LinkedIn, which is heavily relied on for job networking, currently has more than 135 million members, and, as of Sept. 30, 2011, was gaining more than two new members per second.3
With employees’ use of social networking sites growing daily, employers have reason for some serious concerns. Not only could this activity negatively affect employees’ workplace productivity, but the content of postings could potentially create legal risks for employers. To mitigate these risks, it is critical that employers identify and design appropriate policies and procedures governing employees’ use of social networking sites.
Special HIPAA risks for employers
In addition to the reputational, intellectual property and other risks facing employers generally, employers that store, process, use or otherwise handle sensitive personal data — such as medical data — also face additional risks of liability for violation of data-privacy laws. Because an employer is liable for the conduct of its employees when the employees are acting within the scope of their employment, the employer could be held liable for an employee’s disclosure of another person’s health information on a social networking site.
Indeed, employers that are “covered entities” under HIPAA face direct liability for the acts of any member of their workforce that are inconsistent with the data privacy and security regulations issued under HIPAA.4 “Covered entities” include most health-care providers and health plans, and their “workforce” includes “employees, volunteers, trainees, and other persons whose conduct, in the performance of work for [them], is under the[ir] direct control, whether or not [the workers] are paid by the covered entity.”5 All such workforce members are prohibited, with limited exceptions, from using or disclosing individually identifiable health information (“protected health information,” or PHI) without a written authorization from the individual to whom the PHI pertains, and any such authorization must contain very specific language to comply with HIPAA.
To post or not to post: specific cases
There are a variety of ways in which employees’ use of social networking sites could result in employer liability under HIPAA. This could include employees simply “discussing their days or unusual health care cases they witnessed — acts they mistakenly feel do not violate patient privacy.”6 For example, in one case, a group of nurses “began using Facebook to provide unauthorized shift change updates to their coworkers. ... They did not use patient names, but they did post enough specifics about patients so that the incoming nurses could prepare for their shift.”7
These disclosures apparently were made with the best of intentions, but they plainly violated HIPAA. “Omitting a patient’s name does not guarantee that the person cannot be identified. The uniqueness of a situation alone could allow people to reasonab[ly] identify a patient.”8
In another case, Doe v. Green,9 a paramedic who treated a sexual assault victim posted information about the assault on his MySpace page.10 The paramedic did not disclose the victim’s name, but he did post enough information for news reporters to discover the identity of the victim and then search for her at her home.11 Although in this particular instance the employer was ultimately not found vicariously liable for the paramedic’s disclosures nor directly liable for negligent supervision,12 such claims clearly pose a significant financial and reputational threat for medical employers.
Violations of the HIPAA rule can result in severe sanctions. Since enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act,13 HIPAA-covered entities face exposure to civil penalties ranging in amount from a minimum of $100 per violation to a maximum of $50,000 per violation (up to $1.5 million within a single year).14 Moreover, state attorneys general may now bring civil actions on behalf of state residents who allegedly have been harmed by HIPAA violations, with damages potentially running as high as $100 per violation, or $25,000 for all violations of an identical requirement or prohibition during a single calendar year.15 And, although HIPAA itself provides for no private right of action, individuals are increasingly using its privacy standards as the basis for suits under various state laws, opening up another realm of potential liability.
Four tips for mitigating your risk
How can employers navigate through these potential legal minefields? The best way to avoid liability for wrongfully terminating an employee or for the unlawful disclosure of confidential information is to have a clear, widely distributed company policy that specifically addresses the use of social networking sites both on and off the job. Here are some tips for revising and disseminating your practice’s policies on social-networking.
- Extend existing compliance policies to explicitly include the use of social networking sites and other Internet activities such as blogging, and clearly state that company policies apply to both on- and off-duty use of social networking sites. Policies should emphasize professional behavior, both within and outside the workplace and during working and non-working hours, in compliance with all other company policies involving electronic communications.
- Include specific examples of the kinds of statements on social networking sites that could run afoul of HIPAA and emphasize how even small, seemingly innocuous disclosures can constitute HIPAA privacy rule violations.
- Distribute social networking policies both as a part of employment manuals and separately as stand-alone policies. Consider doing this on your practice’s internal computer network systems as well.
- Require employees to acknowledge receiving and reading these policies and periodically remind them — for example, through workplace postings and e-mail notices — of the risks involved with using social networking sites and their personal responsibilities to abide by the letter and the spirit of the policies.
A clear, well-defined and widely disseminated social networking policy that emphasizes compliance responsibilities during both work and non-work hours, and in using both company computer systems and any other devices with access to the Internet, is an employer’s most effective weapon against liability for employee misuse of social networking sites.
Issue Index | Related Articles | YO Info Archive
* * *
About the authors: This article has been adapted from the original version, which appeared in the January 2011 issue of AAOE’s Executive Update. It was written by Nancy L. Perkins and Adriane R. Theis. Perkins is counsel in the Washington, D.C., law firm Arnold & Porter LLP, where she regularly advises clients on federal and state requirements for privacy and security of medical, financial and electronic data. She has particular expertise in HIPAA and its recent amendments by the HITECH Act. Theis is an associate at the firm.
1 NUCLEUS RESEARCH, FACEBOOK: MEASURING THE COST TO BUSINESS OF SOCIAL NETWORKING, 1 (July 2009), available at http://nucleusresearch.com/research/notes-and-reports/facebook-measuring-the-cost-to-business-of-social-notworking/.
2 Facebook.com, Press Room, http://www.facebook.com/press/info.php?statistics (last visited Jan. 21, 2012).
3 Linkedin.com, “About Us,” http://press.linkedin.com/about (last visited Jan. 21, 2012).
4 45 C.F.R. Part 160 and Part 164, Subparts A and E.
5 Id. § 160.103.
6Chris Dimick, Privacy Policies for Social Media, JOURNAL OF AHIMA, Jan. 6, 2010, http://journal.ahima.org/2010/01/06/social-media-policies/.
9 Doe v. Green, No. 0704-04734 (Cir. Ct. Or. County of Multnomah Feb. 19, 2008).
10 Doe v. Green, Citizen Media Law Project, http://www.citmedialaw.org/threats/doe-v-green#description (last visited Jan. 14, 2011).
12 The court granted summary judgment in favor of the employer regarding the vicarious liability claim, finding Green’s MySpace post did not occur within the scope of his employment. Doe v. Green, No. 0704-04734 (Cir. Ct. Or. County of Multnomah Feb. 19, 2008) (Order Ex. 1 at 4.)
13 Title XIII of Division A of the American Recovery and Reinvestment Act of 2009, Pub. L. No. 111-5 (2009).
14 42 U.S.C. § 1320d-5(a) (2010).
15 Id. § 1320d-5(d).