Facebook and other social media, including Twitter, Google+, LinkedIn and others, are a reality of mainstream society. Employers in general, including HIPAA covered entities, are grappling with this new reality.
On the one hand, social media have proven to be a powerful vehicle for advancing the aims of an organization. They are used to increase the organization's visibility, promote products and services, enhance fundraising, build public support and recruit employees.
On the other hand, the same media give equal visibility to disgruntled customers, patients and employees, and can mar the reputation of even a powerful organization.
Employee productivity is another dimension. Do employees waste time on the job by spending hours on Facebook instead of working? And do employers have any right to regulate employee behavior off the job, on personal time?
Covered entities must weigh all of these factors together with compliance with laws and regulations. The National Labor Relations Board (NLRB) has recently weighed in to protect certain employee rights to use Facebook to discuss compensation and working conditions, and to prohibit certain employer policies. With respect to the HIPAA regulations, covered entities should have at least two policies:
Acceptable Use of Computers. As part of its HIPAA Security Rule program, a covered entity should have an acceptable computer use policy. Good practice is to spell out what employees may and may not do on organization-supplied equipment, including which websites they may access. Some organizations enforce these legitimate policies technically, with firewall or web-proxy rules that block access to disallowed sites. Others do not ban personal use of organization equipment (online shopping, personal use of Facebook, instant messaging and email) outright, but limit it to certain times.
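The two enforcement styles described above (an outright block versus a time-limited allowance) can both be expressed as access-control rules on a filtering web proxy. The fragment below is an added illustration, not part of the original article or any particular covered entity's configuration; it assumes Squid as the proxy, and the domain names, network range and time windows are placeholders to be replaced with the organization's own policy decisions.

```conf
# Assumed: Squid web proxy (squid.conf fragment). All names and values are illustrative.

# Workstations that must go through the proxy; adjust to the real internal range.
acl clinic_lan src 10.10.0.0/16

# Category 1: sites the policy disallows entirely on organization equipment.
# A leading dot matches the domain and all of its subdomains.
acl banned_sites dstdomain .example-filesharing.test .example-gambling.test

# Category 2: personal-use sites that are permitted, but only during an allowed window.
acl personal_social dstdomain .facebook.com .twitter.com .linkedin.com

# Time windows (days: M T W H F = Monday..Friday; S = Sunday, A = Saturday).
acl lunch_break   time MTWHF 12:00-13:00
acl after_hours   time MTWHF 17:30-23:59

# Rules are evaluated top-down; the first http_access line that matches decides.
http_access deny  banned_sites                                   # always blocked
http_access deny  personal_social !lunch_break !after_hours      # blocked outside the windows
http_access allow clinic_lan                                     # everything else from the LAN
http_access deny  all                                            # default deny

# Keep the access log: it is the evidence that the policy is actually enforced.
access_log /var/log/squid/access.log squid
```

Two practical caveats. First, with HTTPS the proxy sees only the CONNECT request's destination host, so these dstdomain rules block or allow whole sites, not individual pages or posts. Second, a time window is not a daily quota; limiting total minutes per user per day needs a reporting tool on top of the access log rather than a plain ACL.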
Facebook and Social Networking Policy. Organizations should have a policy governing acceptable use of Facebook and other social networking sites, both on and off the job. This policy should address non-HIPAA issues as well as HIPAA issues. With respect to HIPAA, the following apply:
- No Protected Health Information (PHI) may be posted. The HIPAA Privacy Rule specifies the permitted uses and disclosures of PHI, and a social media post is not among them. This applies whether the employee posts while on the job or on his or her own time.
- Friending. Each organization should evaluate its own circumstances and decide whether it is acceptable for an employee to "friend" a patient. Issues of confidentiality and professional ethics may apply.
- Instant Messaging. Social media sites include the ability to send private messages to friends. In general, this form of electronic communication does not meet the security requirements imposed by HIPAA and must not be used for communications with patients.