Written on March 22nd, 2011 by tasha
You may be deciding to wait a bit yet before you jump onto the social networking bandwagon. (Somewhere between 33-40% of American Boomers are participating on sites like Facebook. You can probably afford to sit this out for another year or so, but I would not advise waiting much longer if the adoption curve keeps growing as it has.)
While you are waiting, however, your employees are not, at least in their personal lives. The younger your employees, the greater the chance that they are participating on Facebook, sending tweets or maybe even keeping their own blog. And though many may argue that what they say on their own pages is their private business, this IS the World Wide Web. It’s a new world out there. The rules are different.
“I am not a lawyer and I don’t play one on the Internet.” What I share below are principles and questions to consider. Social networking is a very young medium. It’s still evolving. But based on my swimming in this Internet ocean since its early days, and my work as a researcher needing to protect confidentiality and HIPAA rights of participating subjects, I mention in this blogpost issues I think it’s fair to address. How you address them will depend entirely on you, the flavor of your business, and what your lawyer advises.
Let’s start with the biggest issue: HIPAA
As a HIPAA covered entity, you have an ethical and legal responsibility to be sure that your clients’ information remains private. You teach your employees about confidentiality measures in the office, on the phone, over email, in the elevator, and in their personal conversations with friends after work. You now need to extend that policy to their personal online presence.
Merely changing names is not enough. It’s too easy for identifiable details to slip out. And unless the patient/client has given express permission, in writing, to your employee (unlikely), posting any of the following, even on a personal page, is a violation of protected health information:
- Names
- Address, city, county, zip code
- Name of the facility where a person lives or works
- Telephone and fax numbers
- Email addresses
- Unique numbers (social security, medical record numbers, account numbers)
- Vehicle identifiers (e.g., license plates)
- Biometric identifiers (finger & voice prints)
- Photographs and videos
You may be surprised to learn that this list also applies to relatives, employers, and household members of the client/patient. The litmus test is whether the information is unique enough that an individual’s identity could be deduced by publication of any of the above. Unless there is written permission, it cannot be posted.
Beyond HIPAA, other restrictions to consider include “forbidding” the mention of:
- Procedures that give your company a competitive edge
- Products/services still in development
- Pricing, costs or expenses
- Strategic alliances
You do run a business so it’s appropriate to think in terms of what types of information might compromise your standing financially or otherwise.
What your employees reveal about their work simply does reflect on you and your company. And because anyone can have access to what they say, you are right to have concerns about managing your reputation as well as data that is strategically or ethically sensitive. But in the category of respect, where do you draw the line between a person’s right to self expression and your rights as an employer? This is murkier and I will absolutely say again, I AM NOT A LAWYER! But you may also want to consider what you want to say, or not say, concerning “private” voicing of:
- Criticism of your company
- Criticism of competitors
Some companies go so far as to just say that employees cannot mention the name of their place of work or talk about their work on their private social media channels. Other companies require that if a person chooses to identify their place of work, a disclaimer be posted in the “About” section of their personal profile that the opinions expressed are those of the individual and not those of their employer.
Whatever you decide is the right policy for your company, be prepared to make employees accountable. Include in your policy the consequences of breaching the policy, as well as the procedure for others to report a breach. And you need to account for mistakes. We are all human. It is wise to outline a process for the employee to present his/her side of the story. You may also want to delineate a process for assessing intent vs. ignorance, and the degree of damage, or potential damage, caused by the employee’s action. Obviously you should consult a lawyer about what you can legally do and weigh that with what you intuitively feel is the right stance for your business. But to be fair, you do need to put some teeth in your policy and outline procedures for handling violations.
Bottom line: If you don’t show that you take HIPAA and your company information seriously, why should your employees?
Lastly, appoint someone to be the go-to person for social media questions and training. This is a new medium for everyone. The rules and etiquette are evolving. No one quite knows the full ramifications of a Web 2.0 world. You want to be fair. Encourage employees to admit mistakes so that you can work together to quickly remedy any damage. And ideally, at such time that you do move into social networking, believe it or not, you will likely want your employees to participate. They can be your best fans and they certainly can help to promote discussion and an understanding of the personality of your business. But there have to be guidelines and a person to consult for guidance. Start grooming that person now as you put together your personal use policy.
To get a sense of what others have done for social media employee policies, go to the Social Media Governance website, a repository where companies such as the Mayo Clinic and Kaiser Permanente have made their policies available so that everyone can share and learn through collaboration. Web 2.0 at its best!
I also like the Social Fish employee policy. It’s as much about employees posting for the company as it is about their posting personally. The tone is friendly and accessible. Social Fish is not a HIPAA covered entity, so it does not have to address privacy regulations. Still, I like the Social Fish approach as a model for encouraging WISE engagement.
This blogpost was about social media policies relating to employees’ personal activities. In future posts we’ll talk about questions to address when you set up guidelines to encourage employees, as part of their jobs, to engage in your official social networking channels.
Any thoughts? Comments? Requests?
This is an excellent post on privacy and HIPAA. In addition, readers should consider security standards for HIPAA and HITECH. While a family member may request communication via social media products, most will not meet the security and process standards for HIPAA. Gently guide your clients to compliant communication tools. Also, the HITECH Act now applies the HIPAA standards to most providers of senior care services. You may not be a covered entity, but you are likely to be a business associate.
For those who don’t know, the HITECH Act, passed as part of the stimulus package, requires businesses that contract with covered entities and have access to patient data (e.g., EHR providers, computer repair people) to have the same level of HIPAA protection as the medical care providers themselves. This added a very demanding set of policies and procedures to peripheral businesses and has been a source of consternation for many. Ethically the right thing to do, but a lot to take in since you have to implement physical, administrative and technological protections.