(June 20, 2012): A few weeks ago, you may have heard our Firm present a webinar on “Healthcare Providers and Social Media: Risks to be Considered.” Our article here summarizes some of the more important points of that presentation. As an update, we are detailing some new issues to be taken into account by providers when incorporating social media risk issues into your Compliance Plan. As we will discuss, different governmental regulatory bodies have recently released conflicting guidance that could make your social media compliance policy very difficult to implement and enforce.
I. Social Media and Healthcare Recent Developments:
While each of you is well aware of the many privacy provisions set out under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), along with its obligations to secure and protect certain types of patient health information, this ongoing obligation has recently become significantly more complicated by the rise in social media use by patients, employees, competitors and referral sources. In fact, the intersection of social media and healthcare has perplexed many providers in terms of "best practices" for HIPAA compliance.
To make matters worse, other non-HHS governmental regulatory bodies are issuing guidance which (at first glance) appears to stand at odds with a number of HIPAA’s accepted practices, leaving many healthcare providers caught in the middle. For instance, the National Labor Relations Board (NLRB), under the authority of the National Labor Relations Act (NLRA) of 1935, recently issued guidance regarding which social media policies implemented and enforced by employers are lawful. Prior to this guidance, the simple answer for healthcare providers regarding social media was to limit access during work and inform employees that any confidential information regarding the company, its business, its patients, or the care it provided could not be posted online. In this way, the healthcare provider hoped to protect both its patients and the company itself from any wrongful or inadvertent breaches of protected information. Now, however, a healthcare provider’s Compliance Plan and policies and procedures must be adjusted to account for concerns raised by the NLRB. As recent cases have held, employers are prohibited from restricting an employee’s comments regarding terms and conditions of employment. Unfortunately, there have been cases where such disclosures were alleged to have ultimately resulted in the breach of a patient’s privacy. Keep in mind, there are 18 elements of Protected Health Information (PHI) and the 18th element is a catch-all category which basically covers any information that might disclose any individual’s identity. As a result of the NLRB’s ruling, healthcare providers will need to take care when drafting their social media policy to better ensure that it hits that "sweet spot" between limiting usage of social media for HIPAA and allowing usage of social media for NLRA purposes.
This is a delicate balance, and providers would be well cautioned to review their current policies for adherence to labor and employment issues, in addition to the regular compliance risks normally facing healthcare entities. The last thing you want is to be stuck with disgruntled employees who file a complaint with the NLRB.
II. What Types of Policies Should I Avoid?
The relevant law regarding this issue is contained in Sections 7 and 8(a)(1) of the NLRA, which state:
Sec. 7 – Rights of Employees – Employees shall have the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in other concerted activities for the purpose of collective bargaining or other mutual aid or protection, and shall also have the right to refrain from any or all such activities except to the extent that such right may be affected by an agreement requiring membership in a labor organization as a condition of employment as authorized in section 8(a)(3).
Sec. 8. – Unfair Labor Practices – (a) It shall be an unfair labor practice for an employer –
(1) to interfere with, restrain, or coerce employees in the exercise of the rights guaranteed in section 7 . . .
There are some takeaways from the NLRB guidance, however. Specifically, it is important to have a policy which does not infringe upon or "chill" the employee’s right to discuss their terms and conditions of employment both inside your company and with third parties (i.e. their family, friends, or the NLRB). To do this, social media policies must not be overbroad or unduly restrictive, and should have limiting language and specific examples which put any social media restrictions in context. For instance, you might caution employees about the effects of HIPAA on social media usage, and the risks to an employee both personally and professionally for unauthorized disclosure of protected health information. You might also describe prior examples of social media usage that resulted in a HIPAA violation, so that employees would not reasonably think that the policy is intended to restrict their ability to discuss their terms and conditions of employment.
Initially, the idea that an overly restrictive social media policy would have anything to do with employees organizing or collectively bargaining might seem far-fetched or tangential. But think about the impact of social media tools in other types of protests around the world. For instance, in the "Arab Spring," students and young people used social media tools to coordinate protests, recruit volunteers, and make their ideas known far and wide. Although that took place on the other side of the globe, it is exactly the same type of activity that protesters and picketers might utilize in the United States. And like it or not, that is the type of activity the NLRA and NLRB are designed to protect.
Admittedly, this has muddied the waters even further. Restrictions on what you can and can’t do as a healthcare provider are becoming more complex every day, and that is why it is important to have an effective compliance plan in your practice. It’s also important to seek advice regarding these issues from a qualified healthcare attorney who understands both these confusing questions and your business. When in doubt, get assistance from your qualified healthcare counsel.
Robert Liles is the managing member of Liles Parker PLLC, in our Washington, D.C. office. Robert provides representation of healthcare providers in Medicare and Medicaid audits and appeals, trains healthcare professionals on compliance issues, and drafts and implements Compliance Plans for healthcare providers. For a complimentary consultation regarding your case, call Robert today at: 1 (800) 475-1906.