Social Media & Cyber Liability

Andrew C.S. EfawKara Rosenthal

Ellen Herzog

Why Do I Care?

1. Control2. HIPAA/Fines3. Jail Time4. Job/Reputation/Discipline5. Ethical Obligations6. Civil Lawsuits

Why Do I Care?Control

Facebook T & C: “You hereby grant Facebook an irrevocable, perpetual, non-exclusive, transferable, fully paid worldwide license with the right to sublicense) to (a) use, copy, publish, stream, store, retain, publicly perform or display, transmit, scan, reformat, modify, edit, frame, translate, excerpt, adapt, create derivative works and distribute (through multiple tiers). . . .” Gmail T & C: “By submitting, posting or displaying the content you give Google a perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license to reproduce, adapt, modify, translate, publish, publicly perform, publicly display and distribute any Content. . . .”

#trouble

Why Do I Care?HIPAA

HIPAA Privacy RuleInformation that:

(1) is created or received by the healthcare provider(2) as related to past, present or future physical or mental health, the provision of healthcare, or the payment re: healthcare, and which (3) identifies the individual or, with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

45 CFR § 160.103

HIPAA Privacy Rule

MYTH: You’re Ok If You Avoid Names

Why Do I Care?

Unknown disclosures: Fines of $100 per disclosure, up to $25,000 per yearReasonable Cause: $1,000 per violation, up to $100,000 per yearWillful neglect: $50,000 per violation, up to $1.5 million per year

HIPAA Fines

Why Do I Care? Jail

HIPAA: Fines up to $250,000 and/or 10 years imprisonment for knowingly misusing individually identifiable personal health information

• Theft of medical records (ex: Colorado)

– Unauthorized copying of medical record– Medical record includes x-rays– Copying includes taking a photograph– Felony

• Personal invasion of privacy (ex: Oregon)

– Photographing nudity without consent when the person has a reasonable expectation of privacy

– Misdemeanor• Official misconduct/disorderly conduct (ex: New York)

Why Do I Care? Jail

Why Do I Care?Job, Reputation &

Discipline

MYTH: You’re Ok If You Avoid Names

Why Do I Care?Ethical Obligations

• Tort of invasion of privacy – No private right of action for patient under HIPAA, but privacy rule

used as negligence per se• Outrageous conduct or emotional distress• Defamation• Negligence (breach of confidentiality/fiduciary duty)• The number of published cases involving social media

evidence from 2010 through the first half of 2012 was

1009

Why Do I Care?Lawsuits

• Facebook Post: “My dear client ms 1 is cracking up at my post, I don’t know if shes (sic) laughing at me, with me or at her voices.”

• Terminated because post was not recovery-oriented, used illness for personal amusement, and raised confidentiality concerns

• National Labor Relations Board sided with employer:“the employee was not seeking to induce or prepare for group action, and her activity was not an outgrowth of the employees’ collective concerns”

Taking Action Against Employees

Taking Action Against Employees• Consult attorney before taking disciplinary action• Protected Activities (NLRB)• Concerted activities – group griping about working conditions,

pay, schedules, safety conditions• Unprotected Activities• Comments made solely by and behalf of employee himself• Individual griping or personal contempt• Disclosure of confidential information• Harassment, discrimination, or threats• Attributing post to company

• Prohibits terminating an employee for lawful off-duty conduct unless the conduct:• is reasonably and rationally related to the

employment activities and responsibilities of a particular employee• involves a conflict of interest with

responsibilities to the employer

Colorado’s Lawful Activities Statute“Smoker’s Right”

C.R.S. 24-34-402.5

• Policy should not be overbroad.• Does the policy explicitly or implicitly reasonably chill or

restrict collective bargaining activities?• Ex: prohibiting disrespectful commentary = too broad

• Policy should provide examples.• Consequences should be clear.• “Inappropriate postings will not be tolerated and

may subject you to discipline, including termination.”

• Purpose should be stated up front.

Creating a Better Social Media Policy

• Accessing social media is off limits from work computers.

• Ban social media access from personal phones and devices during work hours.

• Prohibit the use of camera phones at work.• Do not mix professional and personal identities.• “Do not use work email address to register for

social networks, blogs, or other online tools.”• “Do not represent yourself as a spokesperson for

the hospital.”

Creating a Better Social Media Policy

Creating a Better Social Media Policy: Not So Black and White

Acceptable Policy• Be respectful of fellow

employees, business partners, competitors, partners, and customers

• Expectation to represent the company in a positive and ethical manner

• Maintain confidentiality• Refrain from representing your

posting as that of the company

Overbroad Policy• Prohibiting disrespectful conduct or

negative conversations• Refrain from name calling or behavior

that will reflect negatively on company• Communicate in professional tone and

avoid objectionable topics• Avoid unprofessional communication

that could negatively impact hospital reputation

• Prohibiting derogatory attacks on hospital representatives, physicians, fellow employees and patients

• Prohibiting posting of pictures of employee in uniform

• HIPAA applies even when off duty.• Don’t talk about patients, even in general terms.• You wouldn’t take a copy of an x-ray home, why

would you take a picture?• Off-duty postings can affect employment and subject

you to termination.• Discourage response by healthcare workers to social

media or new stories.• Anonymity is red flag.

Educating Employees

Use Common Sense