M. Robin Repass, Esq., is a member of the Labor and Employment Law Practice Group of Jackson Kelly PLLC in Denver, CO.

With the popularity of social media as a source of communication in today's workplace, it is essential to construct sound policies to balance an employer's right to know versus an employee's right to privacy. This is particularly true in medical offices, where patient privacy considerations are of paramount concern. Care should be taken in drafting acceptable use policies concerning online posting and internet usage in keeping with the rapidly evolving law in this area. The topics discussed below are presented to guide considerations in creating social media policy content.


Screening Applicants and Employees Through Social Media. The Internet has become an important tool for screening job applicants. It is important for medical office practice managers and human resource professionals to know and understand the pitfalls that one could encounter if the hiring manager has access to an employee's or applicant's social media information.

In order to prevent the hiring manager from viewing potentially unlawful categories of information, the best practices recommendation is that the task of reviewing social media should be delegated to a non-hiring individual, with instructions to view and report only on defined categories of information that are related to the business necessities of the position at issue.

Viewing a candidate's Facebook page will likely provide the hiring manager with information on the applicant's race, religion, gender, sexual preference, age, nationality, marital status, or disability. If these topics are off limits during an employment interview, privacy advocates argue that employers should, likewise, be prohibited from using social networking applications as pre-screening tools to discover otherwise off-limits information. By shielding the hiring manager from this information and reporting only any information with a direct bearing on the applicant's ability to perform the position at issue, the hiring manager is shielded from receiving potentially inappropriate information.

Restricting Employer's Access to Social Media Passwords. Numerous states have now passed legislation protecting an employee's social media passwords. These laws prohibit employers from asking employees and applicants to disclose their login details, demanding changes in employees' privacy settings, or requiring employees to add other employees as friends or contacts. Employers are also prohibited from discharging employees or refusing to hire applicants who exercise their social media privacy rights under this law.

Reaction of the NLRB to Overbroad Social Networking Policies.

Employers should also be cautious of potential issues regarding “concerted activity” that could be triggered under the National Labor Relations Act (“NLRA”). Under the NLRA, employees may confer with one another about their wages and other terms and conditions of employment. Employees may also take “concerted” action in an effort to improve their working conditions. Employees (but not managers) are protected by Section 7 of the NLRA, whether or not they are members of a union.

Employers are increasingly finding that employees are relying on Section 7 to challenge company policies that address social media use and the confidentiality of complaint investigations. According to recent decisions by the NLRB, employers should avoid policies that place unnecessary unnecessary restrictions regarding what employees may post on social networking websites. The NLRB Acting General Counsel Lafe Solomon issued a report summarizing conduct that the NLRB has viewed as constituting protected activity, even though it took place online:

  • Conversations among co-workers regarding job performance and staffing levels that implicated working conditions;
  • Discussing supervisory actions with co-workers;
  • Posting photos and comments reflective of coworkers' concerns regarding terms and conditions of employment; and
  • Shared concerns about terms and conditions of employment.1
  • The NLRB has, however, held that individual employee gripes are not protected activity. Likewise, social media policies have been upheld as lawful where they are aimed at preventing inappropriate postings, such as discriminatory remarks and threats of violence.


HIPAA and HITECH. The use of social media in the health care setting presents challenges regarding patient privacy, particularly under the Health Insurance Portability and Accountability Act (“HIPAA”). The basic HIPAA rule is that “protected health information” (‘PHI') may not be used or disclosed except as permitted under the HIPAA privacy rule.2 The rules also impose limitations on the use of patient data for marketing purposes, and have been significantly tightened by the Health Information Technology for Economic and Clinical Health Act (“HITECH”).3

Employees should be trained on these provisions, including admonishments against posting patient details in social media, as disclosure of patient PSI can trigger notification requirements. Under the final HITECH regulations issued in January 2013, impermissible uses and disclosures of PHI are presumed to be privacy breaches, unless an exception applies, or the covered entity can rebut the presumption.4 Patients may also sue under state law, alleging that their private medical information was not properly guarded, and was wrongfully disclosed.

Health care employers should also note that the Federation of State Medical Boards (“FSMB”) recently adopted model policy guidelines for the use of social media in a medical practice.5 The FSMB reported that the growing online connection between doctors and patients through friend requests and similar social media uses require doctors and employees to enact policies to ensure compliance with professional, legal, and ethical standards. The guidelines also point to model social media policies that have been published by the American Medical Association, the Cleveland Clinic,6 and the Mayo Clinic.7

The FDA and the Pharmaceutical Industry. In January 2012, the FDA issued Draft Guidance on the use of social media by pharmaceutical companies. The guidance addresses how pharmaceutical companies should respond to unsolicited requests for off-label information about prescription drugs and medical devices.8 In addressing the FDA's concerns, the guidance recommends responding privately to public requests for off-label use made on a social media website.


A reasonable social media policy should contain the following minimum components:

  • Remind employees that they are not to divulge private patient information, trade secrets, or other confidential or proprietary information. Provide examples of policy violations
  • Inform employees that discriminatory statements or sexual innuendo about co-workers, patients, or vendors will not be tolerated and will subject the employee to discipline
  • State that employees may be held accountable for the content they post on the Internet, whether the posting is done in the office, at home, or on the employee's own time. This is particularly true if the employee posts or shares something that violates company policies
  • Discuss the consequences and potential disciplinary ramifications for violations of the social media rules
  • Require signed employee acknowledgement for receipt of the social media policies.


The key practice-pointer from the evolving law on electronic communication is that employers should create well-defined written policies explaining when and how electronic communication may be used by employees. Employers should also narrowly focus their electronic monitoring policies to legitimate business interests, such as avoiding the distribution of inappropriate and/or sexually offensive email content. In creating such policies, employees should also retain caution against becoming too overzealous in their approach to monitoring employees and pre-screening employees such that the employer's usage of social networking websites infringes on the employee's NLRA Section 7 concerted activity rights. Employers should also stay abreast of the latest developments in social media as new issues are emerging frequently in this rapidly evolving area of law.

  1. Acting General Counsel releases report on social media cases, National Labor Relations Board, (Aug. 8, 2011), http://www.nlrb.gov/news-outreach/news-releases/acting-general-counsel-releases-report-social-media-cases.
  2. 45 CFR §164.502.
  3. 45 CFR §164.508 and 514.
  4. 45 CFR §164.402.
  5. Federation of State Medical Boards, Model Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice, available at http://www.fsmb.org/pdf/pub-social-media-guidelines.pdf
  6. Cleveland Clinic, Social Media Policy, http://my.clevelandclinic.org/about-cleveland-clinic/about-this-website/social-media-policy.aspx (last visited May 22, 2014).
  7. May Clinic, Sharing Mayo Clinic, http://sharing.mayoclinic.org/guidelines/for-mayo-clinic-employees (last visited May 22, 2014).
  8. Responding to Unsolicited Requests for Off-Label Information About Prescription Drugs and Medical Devices, FDA Draft Guidance (Dec. 2011), available at http://www.fda.gov/downloads/drugs/guidancecompliance_regulatoryinformation/guidances/ucm285145.pdf .