It’s no secret that people are spending more and more of their time on social media sites, sharing everything from vacation selfies to political opinions to photos of last night’s lasagna. But what about social media rules at your own practice? Do your employees understand the consequences of inadvertently or intentionally sharing sensitive patient information? Are they familiar with patient privacy rules? Do they know whether they’re allowed to be on social media while on the clock, or which sites are off-limits at work?
If your practice doesn’t have a clear and defined social media policy in place, the answer to those questions is probably a resounding no, says Ericka Adler, a healthcare attorney and partner at Chicago firm Roetzel & Andress.
According to Adler, having a social media policy that educates employees, sets expectations and outlines consequences is important for practices of all sizes.
“Every group should have a policy, or at the very least a detailed discussion,” she said. “Exposing patient information is a huge liability concern, and you can’t just assume employees understand that. “Staff operate better with rules, and a good social media policy gives them those rules.”
So what should your practice’s social media policy look like?
First, Define HIPAA and Why It’s Important
At its most basic, a good social media policy should explain the basics of patient privacy rules as well as the consequences for violating them, including the potential for sizeable fines and damage to the practice’s reputation, says Adler. “Explain why patient privacy is so important and discuss employees’ role in protecting it,” she said.
Be Specific (and Realistic)
Policies should include rules about whether employees can use their own devices at work, and which sites they’re not allowed to access. Make it clear which types of content employees are prohibited from sharing, including protected health information, offensive material, unprofessional comments and proprietary business information.
Rules can vary for different people, Adler says. For instance, front-desk staff might be prohibited from using social media at work while physicians are encouraged to maintain an online presence.
It might be tempting just to say, “No phones allowed” or “No social media allowed,” even on personal devices, but that’s not realistic, says Adler. “We need to have reasonable expectations and balance those with our ability to enforce the rules,” she said. “You’re not going to be able to monitor all of your employees’ social media activity on their own devices.”
As an added layer of assurance, practices can consider using devices that block access to certain websites. “There are some great devices out there that can track all of the devices in your office and limit access to certain sites like Facebook,” she said. “We have a few clients who are trying these devices out, and they explicitly say so in their social media policies.”
Don’t stop at the practice site, Adler says. Social media policies can also address what happens during employees’ personal time by addressing restrictions on sharing patient information while off the clock and highlighting employees’ role in upholding the reputation of the practice.
Under current labor laws, practices can’t prohibit employees from discussing where they work, but they can restrict the sharing of HIPAA-protected information. Examples like that one illustrate why it’s helpful to have an attorney review your social media policy to make sure it aligns with applicable laws, said Adler.
Pair Your Policy with Regular Training
Requiring employees to sign your newly crafted social media policy without providing any accompanying training will probably not have much of an impact at all, says Adler.
“Most of our clients conduct regular HIPAA training and we encourage them to include social media as one component,” she said.
Adler also advises her clients to use sample scenarios to illustrate different rules, and to follow those scenarios with brief quizzes. For instance, are front-desk employees allowed to post funny stories about patients if they don’t use their names? Can employees “friend” patients?
“Acting it out really helps people understand what’s appropriate and what’s not,” Adler added. “I’ve had people who were in charge of compliance who didn’t realize certain scenarios were HIPAA violations.”
Practices should conduct training both for new hires and on an ongoing basis for existing employees, especially because the social media landscape is changing so fast, she adds.
Consider Recruiting a (Young) Staff Champion to Aid Your Efforts
If you have young employees working in your practice, chances are they’re using social media apps you’ve never even heard of. Adler says many of her clients assign a staff member to manage the practice’s social media policy so they can keep tabs on new trends and the risks they might introduce.
“That way, the process becomes a collaboration,” she said. “Staff are also more receptive because the message comes from a fellow employee.”
Clearly Outline the Consequences
The biggest mistake practices make when creating a social media policy is forgetting to include what will happen if employees violate it, Adler says.
Depending on the nature of the violation, discipline could be a verbal warning, a written reprimand or even termination if the situation is serious enough to warrant it. The important thing is that the consequences are spelled out clearly and the practice enforces them, she says.
