No announcement yet.

Policies on Employee Online Communication?

This topic is closed.
  • Filter
  • Time
  • Show
Clear All
new posts

  • Policies on Employee Online Communication?

    First, I tried to search to see if there are previous threads on this, and I remembered how I hate the LLT search function (but that's for another thread).

    Does anyone have a written policy on employees communicating online, outside of work, such as blogging or using social networking sites?

    We've previously discussed not allowing access to Facebook, Myspace, etc, while at work. We've also discussed how it is perfectly legal to term someone who posts inappropriate things online, outside of work.

    But I just got an article today about employees in healthcare settings violating client/patient confidentiality in their posts on social networking sites. The case presented was an employee who cared for people with disabilities. She posted pictures of the clients in order to make fun of them and to complain about the "nasty" people she had to work with.

    The article vaguely advises that employers need to have policies on this, and I'm big on writing policies, but I'm stumped.

    How do you enforce such a policy? Do you actually regularly browse these sites? That doesn't seem like a good use of time. And even if we had the time, people who use those sites (I'm on Facebook myself) set their privacy setting so that only "friends" can see what they post.

    So how do employers catch employees posting inappropriate things, or heaven forbid, breaching the privacy of patients/clients?

    I suppose we could have a policy saying "in case it is discovered...."
    Is that what most companies are doing? That way if a co-worker is an employee's "friend" and the co-worker reports the employee's inappropriate post or breach of privacy to management, then we could take action.

    I was just wondering what others have done. We do a pretty comprehensive confidentiality training every year, and I have included how it also applied to newer technology, like online networking, camera phones, etc. But we have put off writing a specific policy on what people put online, since we had no idea how to enforce it.

    The two times we have learned about inappropriate posts, we could not take corrective action. In one case, no one here was the employee's "friend" so no one here could see the post. In the other case, a co-worker who was on the "friends" list reported the inappropriate post and invited the manager to see it under her ID, but by then the poster had taken down what he had posted.

    Fortunately, neither of these involved client confidentiality, but since I now see that it could happen, I'm getting more concerned.

    I keep hearing about companies checking the online postings of job candidates before making hiring decisions. But how do these companies see the person's posts without being on their "friend" list?

    How do you handle this at your organization?

  • #2
    I am also in the healthcare industry.

    As with many healthcare facilities, our employees must annually sign a confidentiality agreement, which would cover any employee/patient information within the HIPAA rules. This covers at work and away from work.


    • #3
      According to the HIPPA laws, any breach of client information is forbidden.

      My company has monthly meetings where such things are discussed, and everyone signs off on the meeting notes. I believe that is also required under the laws regarding training.

      The wording is obvious to me.

      Any violation of clients privacy, and / or HIPPA laws is grounds for immediate termination. (Vague enough, and clear enough to cover all possibilities.)

      You can ask for permission and clearance to all social networking sites as a condition of employment. I see that among my friends where the company they work for is listed as a "friend." It keeps people professional off the job.
      Last edited by GotSmart; 09-30-2009, 02:07 PM. Reason: Forgot detail.


      • #4
        I'm very well-versed in HIPAA (not HIPPA). And our employees do receive regular HIPAA training and sign agreements to adhere to all of our privacy policies. And those policies do mention communication about PHI via "all forms of media."

        What I am asking, (sorry if I wasn't clear), is how you can ENFORCE such policies with regard to social networking sites. If a company writes a policy saying that XYZ is prohibited, but then there is no way to monitor or enforce it, then the policy is a meaningless piece of paper. Some companies think that just having the policy will protect them from liability, but that's largely untrue. If you have a policy prohibiting something and no way of monitoring or enforcing it, you are basically admitting to negligence, by acknowledging a risk area and then not attending to it. In that case, the risk mgr part of me would say it's best to not even have a policy on use of social networking sites.

        You did mention that you know people who have their employer listed as a "friend" on their social networking page, and that some companies require employees to make the employer their "friend." My follow-up question then is, who on earth has time to peruse people's facebook pages to make sure they aren't posting inappropriate stuff? We are a non-profit organization and can't afford to have someone in mgmt check out the facebook and myspace pages of 700 employees.

        That's why I was asking, if you do have such a policy, is it worded in terms of "if it should be discovered..." so that the policy is at least enforceable if someone makes a complaint or report of inappropriate posting?

        I'm not just referring to breaches of client confidentiality, but also employees who might trash the company or management on networking sites, or who might makes inflammatory/insulting statements about our clientele, even if they do not include identifying info.

        I'm thinking that the company can only address such things if we receive a report from someone who does have access to it.


        • #5
          There are companies that send out bots to scan the web looking for key words and phrases. The government is using them for one. In moderating, I have seen several different web browsers that come from Virginia, as well as Seattle searching for who knows what.

          (I search the ISP of unknowns that are on the board)

          If you are willing to go that far, and hire robotic spy's, you can find companies that are willing to do the research.

          I did not keep the names of the companies I have found. I made sure to remove any company names on the posts under my watch. (I deleted the posts, and sent a private chewing out) They were all privately owned sites, and not a P2P site like FB or MySpace.

          In my opinion, freedom of speech only goes so far. You do not have the right to spread rumors or trash someones reputation on a opinion.

          Here is something I found on a quick search.


          • #6
            Good questions TS.

            We have only fired one employee for what they posted on FaceBook. She threatened her manager after she was disciplined for cause. I couldn't see the threat because I am not her "friend". However, the management employee gave me her password so I could access and print out the page. The password was changed and the subordinate employee terminated for threatening the manager.

            In this situation--it worked. But you are right--how can you see their comments if you are blocked?

            Here is what our approach is:

            1. Employees have to sign the annual "I will remain professional at all times..." agreement that covers ethical behavior, e-comm, passwords and all that other stuff. Its about 3 pages long.
            2. When we discover a possible violation, we open an investigation. If we can substantiate the allegations, we move forward with discipline. If not, we have the supervisor take a shot at it and see if we can get the employee to admit to their behavior. If all of that fails, we document our investigation and consider the matter closed.
            3. No way we can troll the web and see if people are engaging in unprofessional conduct. When we can we take appropriate action.

            I think your idea of a memo that says "if and when we discover xyz, we will conduct a thorugh investigation and take appropriate action"

            We have had other investigations revolve around MySpace and FaceBook, but without being on their friend list, we often wind up stymied. If anyone has further suggestions, I would welcome them.