Social Media & Cyber Liability Andrew C.S. Efaw Kara Rosenthal Ellen Herzog

Why Do I Care? 1.Control 2.HIPAA/Fines 3.Jail Time 4.Job/Reputation/Discipline 5.Ethical Obligations 6.Civil Lawsuits

Why Do I Care? Control Facebook T & C: “You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid worldwide license with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers)....” Gmail T & C: “By submitting, posting or displaying the content you g ive Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content....”

#trouble

Why Do I Care? HIPAA

HIPAA Privacy Rule Information that: (1) is created or received by the healthcare provider (2) as related to past, present or future physical or mental health, the provision of healthcare, or the payment re: healthcare, and which (3) identifies the individual or, with respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 CFR §

HIPAA Privacy Rule

MYTH: You’re Ok If You Avoid Names

Why Do I Care? Unknown disclosures: Fines of $100 per disclosure, up to $25,000 per year Reasonable Cause: $1,000 per violation, up to $100,000 per year Willful neglect: $50,000 per violation, up to $1.5 million per year HIPAA Fines

Why Do I Care? Jail HIPAA: Fines up to $250,000 and/or 10 years imprisonment for knowingly misusing individually identifiable personal health information

Theft of medical records (ex: Colorado) – Unauthorized copying of medical record – Medical record includes x-rays – Copying includes taking a photograph – Felony Personal invasion of privacy (ex: Oregon) – Photographing nudity without consent when the person has a reasonable expectation of privacy – Misdemeanor Official misconduct/disorderly conduct (ex: New York) Why Do I Care? Jail

Why Do I Care? Job, Reputation & Discipline

MYTH: You’re Ok If You Avoid Names

Why Do I Care? Ethical Obligations

Tort of invasion of privacy – No private right of action for patient under HIPAA, but privacy rule used as negligence per se Outrageous conduct or emotional distress Defamation Negligence (breach of confidentiality/fiduciary duty) The number of published cases involving social media evidence from 2010 through the first half of 2012 was 1009 Why Do I Care? Lawsuits

Facebook Post: “My dear client ms 1 is cracking up at my post, I don’t know if shes (sic) laughing at me, with me or at her voices.” Terminated because post was not recovery-oriented, used illness for personal amusement, and raised confidentiality concerns National Labor Relations Board sided with employer: “the employee was not seeking to induce or prepare for group action, and her activity was not an outgrowth of the employees’ collective concerns” Taking Action Against Employees

Consult attorney before taking disciplinary action Protected Activities (NLRB) Concerted activities – group griping about working conditions, pay, schedules, safety conditions Unprotected Activities Comments made solely by and behalf of employee himself Individual griping or personal contempt Disclosure of confidential information Harassment, discrimination, or threats Attributing post to company

Prohibits terminating an employee for lawful off-duty conduct unless the conduct: is reasonably and rationally related to the employment activities and responsibilities of a particular employee involves a conflict of interest with responsibilities to the employer Colorado’s Lawful Activities Statute “Smoker’s Right” C.R.S

Policy should not be overbroad. Does the policy explicitly or implicitly reasonably chill or restrict collective bargaining activities? Ex: prohibiting disrespectful commentary = too broad Policy should provide examples. Consequences should be clear. “Inappropriate postings will not be tolerated and may subject you to discipline, including termination.” Purpose should be stated up front. Creating a Better Social Media Policy

Accessing social media is off limits from work computers. Ban social media access from personal phones and devices during work hours. Prohibit the use of camera phones at work. Do not mix professional and personal identities. “Do not use work address to register for social networks, blogs, or other online tools.” “Do not represent yourself as a spokesperson for the hospital.” Creating a Better Social Media Policy

Creating a Better Social Media Policy: Not So Black and White Acceptable Policy Be respectful of fellow employees, business partners, competitors, partners, and customers Expectation to represent the company in a positive and ethical manner Maintain confidentiality Refrain from representing your posting as that of the company Overbroad Policy Prohibiting disrespectful conduct or negative conversations Refrain from name calling or behavior that will reflect negatively on company Communicate in professional tone and avoid objectionable topics Avoid unprofessional communication that could negatively impact hospital reputation Prohibiting derogatory attacks on hospital representatives, physicians, fellow employees and patients Prohibiting posting of pictures of employee in uniform

HIPAA applies even when off duty. Don’t talk about patients, even in general terms. You wouldn’t take a copy of an x-ray home, why would you take a picture? Off-duty postings can affect employment and subject you to termination. Discourage response by healthcare workers to social media or new stories. Anonymity is red flag. Educating Employees

U se Common Sense