Specific Issues you should consider addressing in your policy—all employees.
1. Communicate your company’s stance on employee use of social media during work time. Philosophies on this run the gamut from blocking and prohibiting the use of all social media sites at work, to actively encouraging employees to use social media on the theory that they will be “brand ambassadors.” You need to consider what your company’s position is on this issue and communicate it to your employees. Often the issue can be addressed with reference to existing company policies which prohibit non-work activities on company time.
2. Identify who can speak on behalf of the company. Let employees know who is authorized by the company to officially speak on behalf of the company in social media space. Often this will just be designated employees in your public relations department. Be clear that employees must refrain from making at appear that they are speaking on behalf of the company, or communicating your official position on issues if they are not authorized to do so.
3. Address the blurring issue head-on. This is a challenging issue. Many states (including Minnesota*) regulate employers’ attempts to discipline lawful off-duty conduct of its employees, so you may not be able to tell your employees that they can’t discuss their drinking exploits or strip club visit on their Facebook page. However, you can remind your employees that if they are going to engage in activities on their social media site which are incompatible with your company’s brand or public image, they should not identify themselves as employees of your company. Along the same lines, you should consider requiring employees to add a disclaimer to their social media posts or sites indicating that they are speaking on their own behalf, not your company’s behalf. (*Minn. Stat. § 181.938, subd. 2 (1996) prohibits employers form discharging employees for using lawful consumable products).
4. Stress the importance of maintaining patient privacy and dignity. This is an obvious one; however its importance cannot be overstated. The speed and ease with which people can make social media posts (it takes seconds to send a tweet), and the lifecasting mentality combine to make this a very dangerous area. There have been numerous cases in the media over the last few years of healthcare employees posting pictures and other PHI of patients to the social media profiles. Some of these have been for nefarious purposes that would not be prevented by policies, but other have been through inattention to the rules or reflect a fundamental misunderstanding of the law applies in the social media space.
It is important that your policy clearly and unequivocally communicate that employees are expected to maintain patient privacy and business confidentiality just as they would on-site or in any other non-virtual venue. Perhaps more importantly, your policy should contain examples of the kinds of behavior which violate the policy, especially the non-obvious situations. For example, the employee may think that because they have removed the patient’s name from their blog post about a baby they delivered, there is not HIPAA violation. However, have they really removed all information that might make the patient identifiable under HIPAA? Especially in small communities, or with respect to unique medical conditions, there just might be enough identifiers to make the information identifiable. Separate and apart from the issue of whether discussion of non-identified patients online constitutes a HIPAA violation, you should address the issue of patient dignity and appropriate professional behavior. Is it ever appropriate for providers to be discussing their de-identified patient interactions online, particularly if the tone is negative or critical? I am reminded of a tweet I read that was sent by a physician who spoke derisively of an overweight diabetic patient who refused to change his eating habits. While the information was completely de-identified, and therefore did not violate any privacy laws, it was unprofessional and cast him and his employer in a negative light. Consider reminding your employees that patient dignity and professionalism are just as important as legal privacy requirements.
5. Stress the importance of maintaining business confidentiality. Again, the lifecasting mentality can make this a challenge. Remind your employees that they must maintain the confidentiality of your trade secrets and other confidential business information and should not be discussing such information online.
6. Prohibit your employees from speaking anonymously or pseudonymously about your company. There are several reasons for this. This is considered dishonest and unethical behavior in the social media space, and if it is discovered, will lead to negative publicity for your company. It can also lead to legal liability for your company, as the FTC considers the employment relationship to be a “material connection” that must be disclosed by anyone who is endorsing or recommending a product or service (see more detailed discussion of the FTC guides below). Thus if your employees send a tweet to all their followers recommending your company’s products or services, and do not disclose that they work for your company, you could be subject to an FTC enforcement action. It is important to specifically address this issue in your policy because the FTC has stated on a number of occasions that if there is a violation, they will deal less harshly with those companies which have policies in place and inform their employees of the requirements.
7. The FTC Endorsement and testimonial guidelines (PDF). 16 CFR 255. These have been around forever and generally prohibit deceptive advertising practices in connection with endorsements and testimonials. The guidelines were significantly revamped in October 2009 and now specifically address social media. You should review these guidelines and address them in your policy. Among the important restrictions are:
8. Restrictions on lobbying and political activity. If your company is tax-exempt, you should make sure your policy addresses the restrictions on lobbying and political activity. IRS regulations prohibit tax-exempt organizations from supporting candidates in campaigns and broadly restrict most other political activity by exempt organizations. Make sure your policies address this issue and that those who are participating in the social media space on behalf of your company –or in ways that could be imputed to your company, understand the rules of the road.
9. Harassment of other employees. Employees invariably talk to and about each other in social media spaces. Remind them to be civil and to comply with your existing policies about treatment of colleagues, non-harassment, and respect in the workplace.
10. Intellectual property. Make sure your social media team understands that they can and can’t do with the intellectual property of others. If your employees post or repost information of other without permission, this can lead to infringement claims against your company.
11. False advertising. Make sure your social media team understands the rules regarding false advertising and what they can-and cannot-say about your own products and services, and about the products and services of your competitors. This seems obvious, but the informality of the medium and the ease and speed with which people can make social media posts can lead to disparaging posts about competitors or unsubstantiated claims about your own company, which could lead to a false advertising claim.