Social Media and the Workplace

Every company, office, and factory is filled with employees who use social media on a daily basis. With 700 billion minutes a month being spent on Facebook and 340 million tweets going out every day, employers must decide how they are going to handle the relationship between social media and their employees. Workers are taking to the net to vent their work-related frustrations, often attacking coworkers or management. How should this be handled? There are different angles that must be examined. This is tricky territory, and the landscape is very new. Employers must be careful when handling these issues to avoid wrongful termination and legal trouble. 

The National Labor Relations Board (NLRB) defines social media as “all means of communicating or posting information or content of any sort on the Internet, including to your own or someone else’s web log or blog, journal or diary, personal web site, social networking or affinity web site, web bulletin board or a chat room, whether or not associated or affiliated with [Employer], as well as any other form of electronic communication.” When an employer discovers that an employee has used a site like Facebook as a soapbox for grumblings about his or her  job, a coworker or a supervisor, the knee-jerk reaction is instant termination. This is a mistake. It is ill advised to fire someone, without first consulting at attorney, over a comment made on the internet. The laws surrounding social media in the workplace are murky at best. 

Several cases have been reviewed by the NLRB, and while some employer’s decisions have been upheld, others were found to be unlawful. The complexity lies in the Wagner Act, which states that workers have “the right to self-organization, to form, join, or assist labor organizations, to bargain collectively through representatives of their own choosing, and to engage in concerted activities for the purpose of collective bargaining or other mutual aid and protection.” In 1935 President Franklin Roosevelt could never have imagined the world of the internet and social media when he signed the Wagner Act, also known as the National Labor Relations Act (NLRA). The tricky part when it comes to remarks made on social media is that any employee behavior that is considered protected by the NLRA is not behavior that can be cause for termination. A paramedic in Connecticut called her supervisor a “scumbag” during a Facebook discussion with other employees. The name calling was the result of her being questioned by her supervisor about a customer complaint and then being denied union representation. Her remark was considered protected conversation for the purpose of “group action to improve working conditions” because fellow employees made follow up comments of support. The NLRB ruled that the company had violated the paramedic’s rights. 

At first glance it seems that anything goes when it comes to employee behavior on social media. However, there are instances where it is unprotected. Complaining about the job or management in general is not covered by the NLRA. Comments must be made to a group in intention or result to be considered “concerted activity.” If the initial comment is not supported by additional comments from other employees, then it may be considered bad-tempered ranting and not “concerted activity.” A Wal-Mart employee in Oklahoma complained about management on Facebook. While others made remarks of the “hang in there” variety, no agreement was expressed. The NLRB dismissed the terminated employee’s complaint as “mere griping.”  Also, verbal or physical threats against the company, a coworker, or manager can be considered unprotected, but the context in which they are used is very important. 

Unfortunately, all cases are not cut and dry. There is still a huge amount of gray area when it comes to the NLRB policies on social networks and the workplace.  Complaints are reviewed and decided on a case-by-case basis. Previously, there was no formal example of a social media policy to cite. Companies were creating social media policies, but those policies were not always holding up when it came to terminations. They were often either too broad or deemed unlawful.  In May of this year, the NLRB issued a report which included an example policy that can be referenced. With this in place, it will be easier for attorneys and HR representatives to create policies that correctly reflect what is and is not permitted. Employers can also take steps to avoid disgruntled employees taking their frustrations to social media. Encourage open door policies, mediation and open discussion to diffuse situations before they get splashed all over the internet. 

Sources:

Report of the Acting General Concerning Social Media Cases, May 2012

nlrb.com

Digitalbuzzblog.com

Twitter.com

How To Handle a HIPAA Breach

According to the website for Health and Human Services: A breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. 

In plain English, a breach happens when protected health information (PHI) is disclosed or used in a way that is outside of the scope of what the HIPAA privacy rules allow and has not been authorized in writing by the patient. There are several different groups of people that are liable for HIPAA violations. Health care providers, employees of health care providers like managers and office staff, and any third party who “cause, aid or abet, counsel, command, induce, procure, or conspire” with someone in the health care industry to violate HIPAA.

In 2010, 5.4 million individuals were affected by large breaches. The top five types of breaches were theft, loss of electronic or paper records containing PHI, unauthorized access to use or disclosure of PHI, human error, and improper disposal of paper records. In 2010, small breaches affected 50,000 individuals and the most common cause was “misdirected communication” that affected only one individual.

The rules for handling a breach are dependent on the number of people affected. Health care entities are required by law to inform patients when a breach has been made. Acceptable forms of communication are first class mail or email, if the patient has signed the appropriate consent forms. If ten or more individuals have outdated or insufficient contact information, then a blanket notice must be put on the homepage of the entity’s website or in local print or broadcast media for 90 days with a toll free number to contact the office that must be active for 90 days. Anytime PHI of more than 500 individuals is breached, the media must also be notified within 60 days.

Besides the patient, the proper government agencies must be informed. Forms must be submitted, with a separate form for every breach. If there are more than 500 affected individuals, there is a 60 day deadline for alerting the Depart of Health and Human Services and The Office of Civil Rights. For less than 500 affected, then notice of breaches must be given annually. The law states that the report must be made within 60 days of the end of the calendar year the breach was made in.

The time clock to take action starts as soon as a breach is discovered. In order to execute a quick investigation and meet the deadlines set forth by the HHS, every office should have a compliance plan. Having a protocol for all types of breaches will ensure that if something does happen then it can be dealt with in a swift and timely fashion. Consult with a health care attorney to develop a plan for different scenarios, as different types of breaches call for slightly different steps. Giving staff the proper tools to identify a breach is imperative, as is ensuring everyone understands the protocol in the case of a breach. Education helps everyone in the office understand what constitutes a breach and therefore what behaviors and actions should be avoided.

Sources:

Annual Report to Congress on Breaches of Unsecured PHI for Calendar Years 2009 and 2010

www.hhs.gov

Before You Hire: References and Background Checks

Once you have finished interviews and decided on the right person for the job, there are still a few more steps that must be completed before you formally offer the candidate the job. Every resume either lists references or indicates that they are available upon request. How often do employers actually check references and perform background checks? Not often enough. When you take into consideration that up to 40% of the information provided on resumes is misrepresented, it stands to reason that digging further into potential employees is not only extremely important, but vital to protecting the company. 

A company’s hiring policy should include several stages of fact checking on any possible new hire. The first step is to contact the references listed on the resume. Employers often believe that references provided will not be truthful. Applicants choose their own references, and it is hard to believe that they will be honest about any problems or performance issues with their former employee. Therefore, business owners take the “why bother?” stance. But asking the right questions is the best way to get to the bottom of the employee’s performance. Avoid asking ‘yes’ or ‘no’ questions and questions that are vague. Focus on facts. While you may want to know the reference’s opinion, it is not reliable information. What is reliable is asking about particular facts and examples the person provided during their interview. Also, questions about percentages and numbers may help. For example, don’t ask if the employee missed much work. Ask what percentage of the time he was late or called in. Don’t ask if they were a leader in the office. Ask how many projects she lead from start to finish. This type of question gives much more useable information. 

The second step of vesting a possible employee is performing background checks. The type of position being filled will dictate exactly what checks need to be performed. For positions that involve driving company vehicles, it is wise to check driving records. Applicants that will hold jobs like accountant or treasurer may require a credit check. The most common type of background check is a criminal one. Make sure when you are reviewing the record of a new hire that you look at convictions, years since the crime, and seriousness of the crime. Also, take into consideration if the employee disclosed this during their interview or on their application. Keep in mind that before any background checks are run, the applicant must sign a release form. This form should be kept on file and must be separate from the application. Also keep in mind the law takes measures to protect the employee’s privacy and the checks run are indicated by the type of job that will be performed. This will be a protection against future legal trouble involving breaches of privacy or discrimination.

Last, before you make the formal offer, check up on certifications, licenses, and degrees. If a resume lists a masters degree in business administration and you are hiring someone for a high level management position, it stands to reason that double checking they actually hold that degree makes good sense. When hiring a licensed speech therapist, contact the appropriate state agency to insure that licenses are up to date. If you require a childcare worker in your daycare to be certified in infant and child CPR, it is better to know before an emergency that they did complete the proper courses. It may seem tedious to check on these types of things, but it will alleviate future stresses. If the information was embellished or falsified on the resume, then that is not type of person you want on your team. 

It should be a policy to perform checks on references and backgrounds for every new hire. If it is only being done occasionally or depending on the interview, then you are opening up your company to future discrimination lawsuits. Consulting an attorney to determine what is appropriate is the best way to avoid future legal trouble. Checking on everyone, whether they are being hired to be CEO or a stock clerk, ensures that you are above reproach in your hiring practices. Up to 30% of information on applications is false and 72% of negligent hiring suits are lost by the employer. Setting up and maintaining consistent processes for vesting employees will ensure that all new hires are high quality and there is no legal recourse by someone who does not meet your company’s high standards.

source: http://www.americandatabank.com/statistics.htm

Personal Computer Use at Work

Companies today conduct the majority of their business on computers.  Employees should not be using company time and computers to surf the web, send personal emails, and use social networking. They should be doing what they are paid to do: work. Even when warned that it is against policy to use their computers for anything that is not work related, employees still do it. It is so easy to skirt the rules and do a little bit here and a little bit there. However, that all adds up to lots of time wasted.

“Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate,” wrote Judge Alex Kozinski. Most employees are very good at putting off work if there are more fun things available to them. It is much more enjoyable to shop for shoes or follow the game than it is to put together reports and crunch numbers. Sure employers want their employees to be doing the latter, but how do employers crack down and enforce their computer usage policy? Laws exist that allow employers to monitor all computer usage at the workplace. When the company owns the computers, servers and networks, they have the rights to monitor them as they see fit.

There are several problems that result from personal time spent on the internet. At the least, productivity is hampered. At the very worst, proprietary information, company secrets, or protected information can be leaked. Falling somewhere in the middle is inadvertently allowing in viruses and malware that corrupt computers and sometimes whole networks. The best way for a business owner to avoid these problems all together is to use software or off site IT companies that monitor computer usage company wide. Websites visited and even for how long can be recorded.  Inappropriate use of company computers can be flagged and reported, providing employers with valuable information.

It is wise for business owners to not only have a policy in place prohibiting personal computer use at work, but to make it known to employees that they are being monitored.  Inform staff that embezzling company time is not tolerated. Explain that it is being done not only protect the company, but to insure a high level of productivity. In a perfect world, educating them should help eradicate some superfluous activity. However, saying it is not enough. Following through and actually setting up a service or software to act as watchdog is very important. Don’t you want to know who is cruising dating sights and watching videos? Not to mention who is looking for a new job or updating their resume.

Unfortunately, sitting in front of a computer gives employees a feeling of security to conduct personal business. It is simple to switch back to work if the boss is coming, people are not often sharing computers with coworkers, and employees do not feel that bosses will enforce the rules. By putting a system in place to keep tabs on employees, the integrity of the company and its computer systems can be maintained, as well as a high level of productivity. Don’t pay workers to spend their day enjoying all the internet has to offer. Pay them for working hard and getting their job done. 

Email Patients with Confidence

It is very important for doctors and patients to maintain open lines of communication. In today’s atmosphere, using the phone seems unnecessary for many situations. It has become our natural inclination to email first and telephone second. Email is fast, efficient, allows for quick response and can be done from virtually anywhere there is a phone or computer. However, there are several issues that must be addressed before doctors and patients use e-mail as their correspondence of choice. First and foremost, privacy and HIPAA must be taken into account and email should always be encrypted.

Protected Health Information (PHI) is information that is protected by the rules and regulations of HIPAA. It is permissible to email such information, but there must be safeguards in place. The first step in protecting the practice is displaying disclaimer notices both in the office and on the website. It should read plainly that there are potential risks using non-secure Internet channels. Also indicate that steps are being taken to ensure security, but there is always a possibility that an email can be intercepted by a third party. Therefore, limit the identifying information (date of birth, social security number, etc) included in any messages. 

The second step to protecting the practice is to have patient’s sign a consent to receive emails. Most electronic medical record (EMR) systems now have a field for email. Many can also send appointment reminders and other patient correspondence via email. It is important for patients to understand what their email will be used for if an address is provided. The signed consent should be scanned in the chart and kept in the same manner as NPP and HIPAA forms are kept. It is also a good idea to provide the patient with a copy for their records.

If a patient initiates communication via email, it is reasonable for the provider to assume that it is an acceptable form of communication unless they have specifically indicated otherwise. However, if there is concern that the patient does not understand the risks involved with sending PHI via the Internet and on email, then it is in the physician's best interest to educate the patient. After being alerted to possible risks, the patient can then decide if they would like to continue using email. 

Precautions should be implemented to prevent a breach through email. There are both simple things and more complex things that can be done. An easy option is to send a “test” email to the provided address to confirm that the recipient is indeed the patient. Once the correct address is confirmed, emails can then be sent encrypted. Today, many EMR systems offer a secure portal for patients to contact their doctor’s office. Encouraging patients to use that for questions and concerns cuts out any concern about unsecured email. Also available on the market are third party email applications that are HIPAA compliant. These require that the email address be entered into their system. For most offices the task of entering all email addresses into a separate system would be overwhelming. Some of these systems work in tandem with the existing EMR system, pulling the addresses out without any extra work on the practice’s part. The last choice is to manually encrypt every email before it goes out, which is often offered by different email providers and is done on an email-by-email basis.

Contact your EMR system, email provider, and health care attorney to best determine the appropriate route for your office. The better you communicate with your patients, the more secure and impressed they will be with level of health care they are receiving. Being smart about sending PHI and educating both yourself and your staff to avoid breaches is vital to protecting your patients and your practice.