Patient Concerns Make Social Media Even Trickier for Healthcare Employers

by Constangy, Brooks, Smith & Prophete, LLP

By now, everyone is probably familiar with Dawnmarie Souza's dispute with American Medical Response, where the National Labor Relations Board sided with an emergency medical technician's right to bad-mouth her supervisor on Facebook (the case eventually settled), as well as the three memoranda issued by the NLRB's Acting General Counsel on social media issues. (Available here, here, and here.) All employers have had difficulty placing appropriate controls on employees' use of social media while trying not to run afoul of the NLRB, but the situation is even more complicated for healthcare employers, who must be concerned about medical malpractice, patient confidentiality, and the complex regulatory environment in which they operate.

A case in point, from 2010: Nursing student Doyle Byrnes attended an on-site lab course at the Olathe (Kansas) Medical Center. During the course of that class, the students had an opportunity to examine and study a human placenta. Ms. Byrnes thought it would be funny if she and three of her friends posed with the placenta. She asked her instructor for permission to put the photo on Facebook, which garnered a "oh, you girls" in response – but no specific instructions to not post the photo. Even though the photo remained on the student's Facebook page for only three hours and there was no identifiable information about the patient, the picture created a problem for both the college and hospital. All four of the students were expelled for unprofessional behavior. After a legal battle, all four students were readmitted to the school in 2011.

Social Media and Healthcare


When it comes to use of social media in the workplace, the NLRB has been particularly aggressive (and "anti-employer"). The most recent Acting General Counsel Memorandum, issued in May 2012, discussed a case that involved the social media policy of a health care services billing company. The policy contained a clear statement requiring employees to "respect privacy":

If during the course of your work you create, receive or become aware of personal information about [employer's] employees, contingent workers, customers, customer's patients, providers, business partners or third parties, don't disclose that information in any way via social media or other online activities.

This policy seems perfectly reasonable and is addressing the employer's need to protect sensitive personal patient information. But the NLRB found that a blanket prohibition against the public discussion of personal information was unlawful. According to the Board, the policy unlawfully prevented employees from discussing the hours and wages they may work with co-workers – and may prevent them from organizing. On the other hand, the NLRB did not have a problem with confidentiality provisions that protected confidential patient information from disclosure.

The policy also asked employees to "adopt a friendly tone when engaging online." Employees were asked to avoid "inflammatory" subjects such as "politics and religion" and to refrain from personal attacks and insults. Again, this seems like a good policy – preventing potential incidents of harassment and abuse online. The NLRB, however, found this provision unlawful because it prevented employees from discussing potentially heated or controversial topics like unionism or working conditions.


The American Medical Association has released a policy to guide members in online patient communications. Specifically, physicians should set appropriate boundaries with patients, and recognize that online actions could negatively affect their (or the hospital's) professional reputation.

But more importantly, what is posted to an open-format website, such as a Facebook wall, becomes public domain. Exchanges on social media websites between doctors and their "friends" from the general public can take on the appearance of a provider-patient relationship. Once that relationship is established, the doctor has a legal duty to the patient and is open to malpractice claims for the advice freely given. Also, these communications create a permanent written record that may be subject to discovery in a later malpractice lawsuit.

Doctors, nurses, and other healthcare employees may post about the events of the workday, just like countless other employees on the internet. However, these posts can take on a different meaning in the malpractice context. A seemingly funny story about a grumpy patient and the comedy of errors that ensues may find its way into the courtroom. Imagine trying to defend your institution's professional reputation and integrity when the jury hears a factually similar story that was told for just for the laughs.

Social media can also create licensing issues for physicians and nurses. For example, if a doctor dispenses advice through a social media forum to a "friend" who lives in a different state, has the doctor practiced medicine without the correct state license? To avoid these situations, doctors and nurses who interact with the general public online should include clear disclaimers that the information is not intended to create a professional relationship and that the person should consult a local doctor in person for treatment and advice.

Preventing Harassment and Discrimination

During the hiring process, employers frequently use social media to get the "real story" about an applicant. However, the Equal Employment Opportunity Commission warns that managers should be careful because information like religion, disabilities, pregnancy, or other "EEO" information may be inadvertently discovered. An employer cannot be liable for discriminating based on information that it doesn't know about, but if an employer refuses to hire an applicant after having that information, it will be more difficult for the employer to prove that its decision wasn't discriminatory.

One possible solution is to divide the work – allow one HR employee to conduct the internet search and share only the information that is pertinent to the hiring decision, and to allow a different employee (who has access only to the "sanitized" information) to make the decision. An even better solution is for the employer to limit itself to viewing profiles on professional networking sites, like LinkedIn, because people do not usually include any but the most basic personal information on these sites.

As previously discussed, the NLRB has ruled that a healthcare employer's prohibition on discussing "inflammatory" subjects was unlawful. On the other hand, the Board seems to approve prohibitions on discriminatory or harassing social media behavior.

HIPAA Concerns

One last unanticipated effect of social media concerns the impact on the most important individual in the healthcare industry – the patient. The Health Insurance Portability and Accountability Act specifically prohibits the release of individually identifiable information that relates to the individual's past, present, or future medical treatment.

Most healthcare employers are, of course, "covered entities" under the HIPAA regulations, and so they also face liability in the event of a release of protected health information by their employees. Penalties range from $100 to $50,000 per violation. Although HIPAA does not provide for a private cause of action against violators (in other words, individuals cannot sue covered entities under HIPAA for the disclosure of information), many plaintiffs are now using HIPAA violations as the basis for claims of invasion of privacy under state law.

No doubt employees in the healthcare industry know that patient information is private and confidential. However, they may need to be reminded that this includes any social media postings about their "day at the office." Employees in healthcare should understand that release of any information that could permit identification of a patient is prohibited and ground for termination of employment.

What Can You Do?

• Train your workforce on the consequences of using social media. In the healthcare industry, place special emphasis on issues related to patient confidentiality, the physician-patient relationship, and the unauthorized practice of medicine, as well as online harassment and discrimination.

• Direct employees to make it clear that their personal opinions are not endorsed or supported by you, the healthcare employer.

• Emphasize good judgment and responsibility when online. Encourage civil discussion, but be aware that the NLRB's position is that you cannot "require" civil discussion.

• Require compliance with all applicable laws.

• Require compliance with rules of the applicable social media sites.

Be consistent when disciplining employees who violate your policy except as required to meet any reasonable accommodation obligations that might apply.

If you need assistance in developing or applying a social media policy, please contact any member of Constangy's Labor Relations or Litigation practice groups, or the Constangy attorney of your choice.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Constangy, Brooks, Smith & Prophete, LLP | Attorney Advertising

Written by:

Constangy, Brooks, Smith & Prophete, LLP

Constangy, Brooks, Smith & Prophete, LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.