Educating Staff on Social Media Risks

Insights on Developing a Social Media Policy
The use of social media raises risk management issues, and education is the key to overcoming the common misperception that "you can say anything you want on social media and not have any consequences," says compliance specialist Roy Snell.

"People are treating social media as a unique form of communication. But it's not terribly different," Snell stresses in an interview with HealthcareInfoSecurity's Howard Anderson (transcript below). Thus, all staff members need to be trained about rules that apply to all forms of communication. For example, in healthcare, clinicians need to know it's a violation of HIPAA to use social media to discuss patients, he notes.

A recent survey showed that 42 percent of organizations in various industries had disciplined an employee for their behavior on social media, up from 24 percent three years earlier, Snell notes.

The survey of nearly 500 compliance and ethics professionals was conducted by the Society of Corporate Compliance and Ethics and its subgroup, the Health Care Compliance Association. Snell is CEO of both.

Snell points out that his organizations offer sample social media policies as well as ways to interact with other compliance officers at SCCEnet and HCCAnet.

In the interview, Snell:

  • Notes that the survey found only about a third of organizations have a policy addressing employee use of social media outside the workplace.
  • Calls for having the social media policy clearly endorsed by the CEO, executive committee or other senior leadership group. "Then, when you have a problem and somebody says, 'Who says I can't do this? Who made this policy?' ... you can cite the leadership of the organization as being behind it," he says.
  • Endorses instructing compliance officers to find a way to regularly update all staff members about infractions of social media policy and disciplinary action taken.

As CEO of the Health Care Compliance Association and the Society of Corporate Compliance and Ethics, which together have more than 9,000 members, Snell has developed numerous partnerships with government, industry and other professional associations. He has facilitated collaboration between the compliance and ethics profession and the enforcement community. He is a Certified Compliance and Ethics Professional. Snell formerly was an administrator at Mayo Clinic, a consultant and a compliance officer.

HOWARD ANDERSON: You recently conducted a survey of nearly 500 compliance and ethics professionals across all industries regarding social media issues. In that survey, only about a third reported their organization has policies addressing employees' use of social media outside of the workplace. Did that result surprise you? And why is such a policy important, especially as it pertains to protecting privacy?

ROY SNELL: It doesn't surprise me too much at all. I found this whole thing to be pretty fascinating. Let's look at this in a different light. Let's look at this like if we were talking about people giving speeches, going to conferences, writing articles or even sending e-mails. Nobody wants employees to give away trade secrets when they write, speak or e-mail. Nobody should be surprised at this philosophy and that it should be applicable to social media.

People are treating social media as a unique form of communication, but it's not terribly different. It's communication. It's just another form of communication. And ... what amazes me is that people think it should be treated differently.

Every company expects every employee not to write or speak publicly about how terrible their company is. The fact that some people believe that they can trash their company on social media is just flawed thinking. Every employee of a defense contractor knows that the information they have cannot be shared in any form. Healthcare employees are extremely well trained about the need for privacy of patient data. And they, for the most part, are doing an excellent job of translating old policies about articles, speaking or e-mails. Most of them are making a leap to social media. Some, because it's a new form of communication, don't connect it as the same as writing an article. They're making some comment about a patient that they think is innocuous and it turns out creating a HIPAA violation and causes great difficulty for them.

What's happening is people are doing a little better of a job in healthcare organizations of training and making clear policy for these sorts of things. It's going to take us a little while to get over the hump here in terms of learning a little bit more, despite many people thinking that social media is somehow different than other forms of communication for all intents and purposes. ...

Disciplinary Action

ANDERSON: The survey said 42 percent reported their organization had disciplined an employee for their behavior on social media sites. That's up from 24 percent in a similar survey just three years earlier. Why do you think we're seeing a rise in disciplinary action?

SNELL: I think it took some companies a little [time] to realize this is no different than a speech or an article ... People are publicly making announcements, in this case a written format, and some of it is okay. Some of it isn't okay and they're starting to rise to the occasion and saying, "Holy cow. This is really no different than writing an article. We've got to stop it." It's also, of course, [due to] a rise in the use of social media and this ... flawed thinking that you can say anything you want on social media and not have any consequences. It's the increase in the number of young graduates who think that trashing your company or talking about patients is going to work for them.

It boils down to the flawed idea that many people have that you should be able to say anything you want in social media. These people who do this intentionally, thinking that because it's social media they should have some privacy rights, need to understand it's no different than speaking or writing. Just because it's a unique form of communication doesn't mean it's okay to do this.

Social Media Monitoring

ANDERSON: The survey also showed most organizations do not have a formal method in place for monitoring employees' use of social media. Should social media activity both during work hours and after work be monitored? And what's the best way to do that without violating employees' rights?

SNELL: This is an excellent question. There really are two separate questions here. One is at work and the other is in their private lives, if you will. Let me just take it this way: e-mail versus social media. Obviously, and it depends on the laws in each state and that sort of thing, there are certain expectations about the use of e-mail. Companies have policies about ... if you should be spending personal time on the Internet while at work. Those policies are pretty much established and just need to be applied in each of these companies to social media. The monitoring of social media shouldn't be a whole lot different than what they've been doing in e-mail or other sorts of communication that we've had in the past.

I think the interesting one is monitoring the use of social media after hours. ... Each company has to have a policy and a set of expectations of their employees with regard to what they say and do. Obviously, a company that has a lot of intellectual property needs to make it clear that just because you're on social media in your own private little space at night doesn't mean you can give up intellectual property. A release there is just like releasing it to people talking to them. You're likely to get into a fair amount of trouble.

What we've got to try and understand is that we already have rules in place for legal restrictions with regard to what we can do as employees. The real tricky part is this idea of people going on social media at night on their own private account and saying or doing inappropriate things - whatever that company defines as inappropriate. ...

If somebody goes on social media and does something that someone with common sense would say is inappropriate, I'm going to hear about it very soon. Someone will see it. If they don't share it with me, they'll tell others because it's so outrageous. Eventually it'll get to me. I would bet you that in 90 percent of any kind of inappropriate actions in someone's private social media session, I'm going to hear about it faster than I would had I audited it.

I'm very comfortable personally with just dealing with it on an exception basis when I hear about it. I'll address it, and obviously if you're a good manager you're going to check with legal counsel or HR before you act and make sure that what you're doing ... with regard to the accusation of inappropriate behavior is handled professionally and legally.

Social Media Policy

ANDERSON: Please describe the key elements of a social media policy that govern employee activity at the workplace, especially in a healthcare setting. And what role should compliance officers play in carrying out that policy?

SNELL: Compliance officers should develop the policy, and my advice to anybody would be to go get copies of other policies. Ironically, one of the best ways to get this is on social media. For example, we offer social media for compliance officers in all industries, something called SCCEnet. There is a library of documents you can search. If you don't find what you want, you can type in a question and say to all the people in the group, "Please send me a copy of your social media policy."

We have another [social media] site for healthcare called HCCAnet. There is a library. There is an opportunity to post questions. People can respond with an e-mail and an attachment of their social media policy. It's really great to get other people's policies because, collectively, everybody tends to think of everything. Those who have the most comprehensive policy will have looked at the most samples. Then it's always important to have legal counsel [review policy]. I would try and find a specialist in this area because it's new and there are few of them. Generalists might have a difficult time with this. ...

You asked how the policy will help prevent violations. It will do so because of a couple of things. It will be clearer to those who might break the policy what the expectations are. It also helps those who are enforcing the policy to know what it is they can and cannot allow. I think this is a perfect role for compliance officers because that's what the job is all about. Compliance officers help organizations develop systems and procedures to prevent, find and fix problems just like this.

Social Media Education

ANDERSON: Finally, what's the best way to educate staff about the social media policy as well as the risks involved in using social media?

SNELL: Unfortunately our list gets longer and longer every year with things people need to know to stay out of trouble with the regulations. But I would make social media part of the annual compliance training. Every organization should have at least an hour or so [of training offered], depending on the number of risk areas. I would also teach it to all new employees during employee orientation. It's particularly important because this is something new. A lot of things people already know not to do because they come from some other company that has taught them not to do that. Because this is new, nobody is really coming from anywhere that did this very well. We're starting from scratch.

I'd take a little more time on this than some of the other stuff they probably already know pretty well. I would also put something in the code of conduct that summarizes some of the more important, bigger and higher risks ... that they should be paying attention to. And then, something that only the finest compliance and ethics officers do, find a way to share the infractions that occur throughout the course of the year. There is a woman who works in the ethics department of Best Buy that lists a number of examples of real infractions - the names have been left out of it - to let employees know a couple of things. One is, here's an example of something that shouldn't be done. The other thing is that we're not looking the other way on these things. If you do this and we find out about it, this is what's going to happen. It shares what discipline was taken.


About the Author

Howard Anderson


Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



