Presentation Slides

Social Media & Cyber Liability
Andrew C.S. Efaw
Kara Rosenthal
Ellen Herzog
Why Do I Care?
Jail Time
Ethical Obligations
Civil Lawsuits
Why Do I Care?
Facebook T & C: “You hereby grant Facebook an irrevocable,
perpetual, non-exclusive, transferable, fully paid worldwide license
(with the right to sublicense) to (a) use, copy, publish, stream, store,
retain, publicly perform or display, transmit, scan, reformat, modify,
edit, frame, translate, excerpt, adapt, create derivative works and
distribute (through multiple tiers). . . .”
Gmail T & C: “By submitting, posting or displaying the content you
give Google a perpetual, irrevocable, worldwide, royalty-free, and
non-exclusive license to reproduce, adapt, modify, translate,
publish, publicly perform, publicly display and distribute
any Content. . . .”
Why Do I Care?
HIPAA Privacy Rule
Information that:
(1) is created or received by the healthcare provider
(2) as related to past, present or future physical or
mental health, the provision of healthcare, or the
payment re: healthcare, and which
(3) identifies the individual or, with respect to which
there is a reasonable basis to believe the information
can be used to identify the individual.
45 CFR § 160.103
HIPAA Privacy Rule
MYTH: You’re Ok If You Avoid Names
Why Do I Care?
Unknown disclosures:
Fines of $100 per
disclosure, up to $25,000
per year
Reasonable Cause: $1,000
per violation, up to
$100,000 per year
Willful neglect: $50,000
per violation, up to $1.5
million per year
Why Do I Care?
HIPAA: Fines up to
$250,000 and/or 10 years
imprisonment for
knowingly misusing
individually identifiable
personal health
Why Do I Care?
• Theft of medical records (ex: Colorado)
– Unauthorized copying of medical record
– Medical record includes x-rays
– Copying includes taking a photograph
• Personal invasion of privacy (ex: Oregon)
– Photographing nudity without consent when the
person has a reasonable expectation of privacy
– Misdemeanor
• Official misconduct/disorderly conduct (ex: New
Why Do I Care?
Job, Reputation & Discipline
MYTH: You’re Ok If You Avoid Names
Why Do I Care?
Ethical Obligations
Why Do I Care?
• Tort of invasion of privacy
– No private right of action for patient under HIPAA, but
privacy rule used as negligence per se
Outrageous conduct or emotional distress
Negligence (breach of confidentiality/fiduciary duty)
The number of published cases involving social media
evidence from 2010 through the first half of 2012 was
Taking Action Against Employees
• Facebook Post: “My dear client ms 1 is cracking up at
my post, I don’t know if shes (sic) laughing at me, with
me or at her voices.”
• Terminated because post was not recovery-oriented,
used illness for personal amusement, and raised
confidentiality concerns
• National Labor Relations Board sided with employer:
“the employee was not seeking to induce or prepare
for group action, and her activity was not an
outgrowth of the employees’ collective concerns”
Taking Action Against Employees
• Consult attorney before taking disciplinary action
• Protected Activities (NLRB)
• Concerted activities – group griping about working conditions,
pay, schedules, safety conditions
• Unprotected Activities
• Comments made solely by and on behalf of employee himself
• Individual griping or personal contempt
• Disclosure of confidential information
• Harassment, discrimination, or threats
• Attributing post to company
Colorado’s Lawful Activities Statute
“Smoker’s Right”
• Prohibits terminating an employee for
lawful off-duty conduct unless the conduct:
• is reasonably and rationally related to the
employment activities and
responsibilities of a particular employee
• involves a conflict of interest with
responsibilities to the employer
C.R.S. 24-34-402.5
Creating a Better Social Media Policy
• Policy should not be overbroad.
Does the policy explicitly or implicitly reasonably chill or
restrict collective bargaining activities?
Ex: prohibiting disrespectful commentary = too broad
• Policy should provide examples.
• Consequences should be clear.
• “Inappropriate postings will not be tolerated and
may subject you to discipline, including
• Purpose should be stated up front.
Creating a Better Social Media Policy
• Accessing social media is off limits from work
• Ban social media access from personal phones and
devices during work hours.
• Prohibit the use of camera phones at work.
• Do not mix professional and personal identities.
• “Do not use work email address to register for
social networks, blogs, or other online tools.”
• “Do not represent yourself as a spokesperson for
the hospital.”
Creating a Better Social Media Policy:
Not So Black and White
Acceptable Policy
• Be respectful of fellow
employees, business
partners, competitors,
partners, and customers
• Expectation to represent
the company in a positive
and ethical manner
• Maintain confidentiality
• Refrain from representing
your posting as that of the
Overbroad Policy
Prohibiting disrespectful conduct or
negative conversations
Refrain from name calling or behavior
that will reflect negatively on company
Communicate in professional tone and
avoid objectionable topics
Avoid unprofessional communication
that could negatively impact hospital
Prohibiting derogatory attacks on
hospital representatives, physicians,
fellow employees and patients
Prohibiting posting of pictures of
employee in uniform
Educating Employees
• HIPAA applies even when off duty.
• Don’t talk about patients, even in general terms.
• You wouldn’t take a copy of an x-ray home, why
would you take a picture?
• Off-duty postings can affect employment and subject
you to termination.
• Discourage response by healthcare workers to social
media or news stories.
• Anonymity is a red flag.
Use Common Sense
