Social Media & the Workplace

By: Kara M. Maciel and Matthew Sorensen

Social media has become an increasingly important tool for businesses to market their products and services.  As the use of social media in business continues to grow, companies will face new challenges with respect to the protection of their confidential information and business goodwill, as several recent federal district court decisions demonstrate.   

Christou v. Beatport, LLC (D. Colo. 2012),  Ardis Health, LLC v. Nankivell (S.D. N.Y. 2011), and PhoneDog v. Kravitz (N.D. Cal. 2011) each involved former employees who took the login credentials for their employers’ business social media accounts when they left their employment.  In each case, the companies alleged that the removal of the login credentials for their social media accounts by their former employees had significant negative consequences on their ability to effectively compete and market their products and services.

Earlier this year, the U.S. District Court for the District of Colorado addressed whether a nightclub owner’s MySpace page and its connections could constitute a protectable trade secret.  In Christou v. Beatport, LLC, Bradley Roulier, a former partner in a business that ran two Denver nightclubs kept the login credentials for the clubs’ MySpace pages when he left the partnership to start his own competing nightclub.  According to the complaint, the nightclubs’ MySpace pages each had over 10,000 “friends.”  After leaving to start his own competing club, Mr. Roulier used the login credentials that he had taken to post updates to his former partner’s MySpace pages promoting his new night club.  His former partner then sued him for misappropriation of its trade secrets – namely the login credentials for its MySpace pages and the “friend” connections for those pages.  On Mr. Roulier’s motion to dismiss, the court found that the MySpace login credentials and the “friend” connections could constitute protectable trade secrets.  The court concluded that the MySpace pages were password protected, that the “friend” connections for the clubs’ MySpace pages were more than just lists of potential customers, they also provided personal information about the “friends” and their preferences, and the clubs’ lists of “friends” could not be duplicated without a substantial amount of effort and expense.

In a similar case, Ardis Health a former employee effectively froze her former employer out of its business social media websites by taking the login credentials for the accounts and refusing to return them to the former employer.  The employee had formerly been responsible for creating and updating the company’s social media websites and was in sole possession of the login credentials for those websites at the time her employment was terminated.  Accordingly, when she refused to return the login credentials after her termination, the employer could no longer access or update its websites.  The employer was ultimately able to obtain a preliminary injunction requiring the former employee to return the login credentials for its social media websites based on the theory that the former employee’s unauthorized retention of that information constituted conversion.  In finding that the company owned the rights to the login credentials for its social media sites, the court noted that the former employee had entered an agreement in which she had agreed that any work she created or developed during her employment would be the property of the company.

Finally, in PhoneDog, a former employee who had been responsible for establishing and operating a Twitter account for his employer that was designed to increase traffic to his employer’s website kept the login credentials for the account after he terminated his employment with the company, renamed the account, and kept its Twitter following.  PhoneDog alleged its Twitter following was the equivalent of a proprietary customer list.  PhoneDog also alleged that, by taking the account, the employee effectively decreased the number of visitors to the company’s website and thereby reduced the number of advertisers who were willing to purchase space on its website.  On the former employee’s motion to dismiss, the U.S. District Court for the Northern District of California held that the Twitter account, its login credentials, and its followers could potentially constitute protectable trade secrets and that the unauthorized taking of the account and its login credentials constituted misappropriation. 

It should be noted that the courts in both PhoneDog and Christou did not find that the plaintiffs had established that their social media accounts were trade secrets.  Rather, the courts simply held that they had alleged sufficient facts to state a claim that those accounts were trade secrets.  The question of whether the employers will be able to prove the facts necessary to prevail on their claims was left open and both plaintiffs may very well encounter difficulties in proving the facts necessary to prevail on their trade secrets claims later in their respective cases.

These cases demonstrate the importance of careful planning to protect a company’s social media presence and its business connections.  Employers should ensure that they maintain a log of their social media account login credentials and that the log is appropriately updated.  Further, companies are well advised to require employees who establish and maintain such accounts on behalf of the company to enter agreements that provide that the accounts and their login credentials are the sole property of the company.  Departing employees should also be interviewed in connection with their exit to ensure that all company social media login credentials to which they had access have been returned.  Finally, in the event that an employee takes the login credentials for the employer’s social media accounts when he or she leaves the company, it is essential for the employer to take prompt action to recover the information.  Delay can result in the loss of legal protections for the accounts and any connections that they hold.

It is readily apparent that electronic media and the internet are making it much easier to collect, organize and maintain data regarding individuals in our society. This is as true with respect to health care employees, and physicians in particular, as it is of anyone else. Information about physicians’ conduct, publications, and interactions with industry, as well as their regulatory, investigatory, and disciplinary history, is increasingly available through public sources. Information about practice patterns and quality of clinical performance can be readily analyzed, as data gathering tools begin to proliferate, and “analytics” is a rapidly growing field. Perhaps by September 30, 2013 (under the current regulatory timetable), even more information will become available, as the public reporting provisions of the Physician Payment Sunshine aspect of the Patient Protection and Affordable Care Act  become operational.  Various state counterparts are already in effect.  These trends coincide with the development of new paradigms for care delivery, which will require hospitals, health plans, and other providers to learn about the quality and productivity of their medical staff members and, perhaps more importantly, prospective members of the medical staff.  New payment methodologies also drive the need for comprehensive information about clinicians and their practice patterns.

As businesses begin to take advantage of these developments, collecting, organizing and analyzing such data to sell to end users in the healthcare industry, the applicability of the Fair Credit Reporting Act (FCRA) can easily be overlooked. The FCRA, better known for its application in the credit arena, regulates the collection, dissemination and use of “consumer information” for employment purposes as well, and provides various protections for individuals related to the use and accuracy of this information. “Employment” for the purposes of the FCRA is very broadly defined, and likely includes deciding whether to engage physicians in various capacities, as well as whether to initiate, restrict or terminate clinical privileges or membership on the medical staff.

Requirements of FCRA in these circumstances include:

• Individuals must consent to the report being given to the employer;

• Individuals must be informed of information used against them, and be advised of the identity of the entity providing the information;

• Individuals must have the right to dispute incomplete or inaccurate information; and

• Individuals have the right to obtain all of the information concerning them that is in the Credit Reporting Agency’s files.

Many states have consumer protection and reporting laws as well, with analogous, albeit differing, requirements.

In this age of free flowing information, hospitals, health plans, other providers, and suppliers of information to them should (i) develop an understanding of how technology and the law interact to increase the amount of information about them that is available; and (ii) be cognizant of requirements beyond the healthcare environment, such as those found in the Fair Credit Reporting Act, that apply to and may limit the manner in which the information is gathered and used.

You may also be interested in our recent blog entitled FTC Warns That Background Searches via Mobile App May Violate the Fair Credit Reporting Act.

by Pamela D. Tyner

Social media have become de rigueur globally.  Today, millions maintain connections with their friends, relatives and business acquaintances via Facebook, Twitter, LinkedIn, blogs and YouTube.  Recent studies indicate that social media popularity even predicts polling popularity and the stock market.  Translated to the healthcare arena, healthcare facilities and organizations are now trained to promote their business by communicating effectively via social media.  In addition, patients, physicians and employees of healthcare facilities and organizations frequently communicate and discuss patient status via cell phones, Facebook, YouTube and other social media.  However, many people do not realize that use of these media may compromise health information privacy unless certain protections are implemented to safeguard them.

Invasion of Health Information Privacy

Under the confines of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), Health Information Technology for Economic and Clinical Health (“HITECH”) and state privacy laws, certain protections of protected health information (commonly known as “PHI”) are mandated.  The increased usage of social media to reference patient whereabouts, ailments and treatment plans continues to leave healthcare employers scrambling to implement new forms of encryption, other IT protection and disciplinary actions.

Examples of Social Media and IT Breaching Confidentiality of PHI

From the trenches, here are some recent examples of social media and IT affecting the privacy of PHI:

  • A day in the life of a patient posted on YouTube, posted without consent of other patients and employees of a hospital system.  The Hospital asked for the individual to immediately remove the content from YouTube.  In addition, the Hospital conducted a thorough investigation and notified the patients affected about the breach of their PHI.
  • A patient updates his/her status via Facebook and later discovers the status update informs her Facebook friends that s/he is in the hospital.  The patient complains to the Hospital’s compliance department about a breach of her PHI.  Afterwards, the Hospital investigates the incident and discovers the patient updating the status inadvertently notified Facebook of the individual’s whereabouts.  The facility is in the process of revising its Patient Handbook to include information about updating an individual’s “location update” status while a patient as potentially identifying the individual’s hospital stay.
  • Doctors, nurses and medical students  revealing patient information on Facebook.  Facilities are implementing social media training to medical staff, employees and allied health professionals about the potential breach of confidentiality and/or disciplinary actions that might result from their Facebook updates about patients.
  • A health care institution realizes that its computer encryption system has a loophole through the usage of USB ports.  The institution must scramble to protect its system information while waiting for the software company to fix the loophole.
  • Articles and blogs inform consumers how to mine PHI about others.

Government Action

The National Relations Board has become very active in addressing social media’s impact on the workplace.   In future, it is anticipated that additional government agencies and the court system will jump on the band-wagon and scrutinize social media as it relates to the healthcare environment and patient confidentiality.

Office of Civil Rights Solicits Comments on Mobile Devices and Confidentiality

In early March 2012, the Office of Civil Rights and the ONC Office of the Chief Privacy Officer (OCPO) invited members of the public to provide input on mobile devices’ uses along with comments on current and emerging privacy and security best practices regarding protecting and securing health information while using mobile devices. Public commentary will help inform the OCR and OCPO for future development of an effective and practical way to bring awareness and understanding to those in the clinical sector regarding protecting and securing health information while using mobile devices.  Popular health information technology remains a hot topic for the OCR; a roundtable discussion on mobile devices and safeguarding health information is planned for mid-March.

Lessons Learned and How Healthcare Employers Should React

Healthcare facilities and organizations must act quickly to assess each usage of social media to gauge whether patient confidentiality may be vulnerable to compromise.  Due to the rapid evolution of social media technology, healthcare facilities and organizations’ social media and employee disciplinary policies must be scrutinized frequently for uniformity within their corporate compliance program.  In addition, these entities must analyze and implement clear guidelines outlining how its physicians and allied health professionals may be constructively redirected and/or advised on the proper usage of social media to facilitate efficient communication concerning patients without compromising PHI confidentiality.



 by Jeffrey M. Landes, Susan Gross Sholinsky, Steven M. Swirsky, and Jennifer A. Goldman

On January 25, 2012, the Federal Trade Commission (“FTC”) sent warning letters to three companies that market, in total, six mobile phone applications (“Apps”) that provide users with background check reports. In the warning letters, the FTC states that the Apps may violate the Fair Credit Reporting Act (“FCRA”). According to a press release issued by the FTC on February 7, 2012, the FTC cautioned the Apps’ marketers that, if they have reason to believe that the background reports provided will be used for employment screening, housing, credit, or other similar purposes, both the users of the Apps and the marketers of the Apps must comply with the FCRA.

 Read the full advisory online

Written By:  Ana S. Salper

Social media has revolutionized how we communicate with one another. From Facebook to Twitter, YouTube to blogs, social networking sites have permeated the workplace in ways that have significant implications for all employers.

Social media is both a source for marketing and promoting companies and products as well as an enterprise risk factor if not used appropriately or in a compliant way. In the health care industry, with the Health Insurance Portability and Accountability Act (“HIPAA”) and other privacy laws at stake, employers must have a heightened sensitivity to ensuring that confidential health information is protected, while simultaneously being mindful of the precise contours of what restrictions on social media usage are permissible and lawful. Also, for pharmaceutical and device firms, where promotion is highly regulated by the federal Food and Drug Administration (“FDA”), there are likely even greater compliance concerns.

To date, no governmental body – not even the court system – has been more active in addressing social media’s impact on the workplace generally than the National Labor Relations Board (“Board”). The Board’s reach has extended to non-unionized employers and to those that are unionized. In what has now become the famous “first Facebook case,” the first social media complaint issued by the Board was, in fact, against an employer in the health care industry, a leading medical transportation company. That October 2010 case, involving the discipline of an employee for posting derogatory comments about her supervisor on Facebook from her home personal computer, established the foundation for the Board’s two areas of scrutiny: employer discipline of employees’ social media site usage, and the appropriate scope and breadth of employer social media policies.

Read the full advisory online



A monthly breakfast law briefing and networking series specifically  designed for health care and wellness company executives and human resources professionals.  This informative series will address labor and employment issues during these challenging times and offer solutions.

For additional information and to register,  contact Carla Llarena or by tel: (404) 869-5363.

February 8, 2012 
Today’s OSHA: What Healthcare Companies and Practices Need to Know

March 14, 2012
It Can Hurt to Ask: TMI in the Digital Age
(Focusing on Social Media & Background Checks)

April 11, 2012
Best Practices to Avoid Wage and Hour Liability

May 9, 2012
What You Need to Know About the Americans with Disabilities Act,
and How Your Managers are Likely Getting it Wrong

June 13, 2012
E-Verify and Complying with Federal and State Immigration Law

July 11, 2012
Selling a Physician’s Practice

August 8, 2012
Employee Handbooks: How to Draft Them to best Protect Your Company and Communicate to Your Employees

September 12, 2012
Alternate Dispute Resolution: Is Mediation and/or Arbitration Preferable to Litigation for Healthcare Employers?

October 10, 2012
The 2012 Presidential Election and How it Will Impact You as an Employer

November 14, 2012
Doctor and Executive Compensation and Benefits

December 12, 2012
The Top 10 Biggest Mistakes that Health Care Employers Make
and How to Avoid Them

Epstein Becker Green
Resurgens Plaza
945 East Paces Ferry Road, Suite 2700
Atlanta, GA 30326-1380

8:30 a.m. – 9:00 a.m. Registration, Breakfast, and Networking
9:00 a.m. – 10:00 a.m. Program, Including Q&A Session

by Pamela D. Tyner

Physicians and healthcare workers devote years to improving the quality of their patients’ lives.  Despite the Hippocratic code and compulsory non-retaliation policies, incidents of disruptive behavior from physicians and healthcare workers, though largely shielded from the general public, continue to frequently surface internally at healthcare environments.  Amidst recent jarring headlines of workplace violence and bullying, news media have discovered this same trend is also on the rise as healthcare facilities across the nation struggle to effectively resolve these alarming concerns.  

Reasons for Under-Reporting of Disruptive Behavior

Most healthcare organizations will not readily admit there are under-reported and unresolved disruptive behavioral problems from its physicians and healthcare workers due to a number of factors.  First, there is an underlying history and culture of tolerance and indifference to intimidating and disruptive behaviors in health care.  Turning the other cheek becomes easier if the verbally abusive physician is one of the facility’s top physicians.    In addition, physicians serving on professional activity or peer review committees fear retribution, ostracization and even liability from their participation in attempting to resolve such incidents.

For example, in a nationally publicized case, Poliner v. Texas Health Systems, a Texas jury awarded Dr. Lawrence Poliner $366 million in damages against a hospital and several physicians for malicious peer review after his privileges were terminated.   In July 2008, the United States Court of Appeals for the Fifth Circuit reversed the ruling and entered judgment in favor of the defendants based on application of immunity for the hospital and three physicians under the Federal Health Care Quality Improvement Act (“HCQIA”).  This legal battle highlights both the fear of retribution for service on a peer review committee and the cost of lengthy litigation.

Joint Commission Redefines “Disruptive Behavior”

In July 2008, the Joint Commission published a sentinel event alert regarding intimidating and disruptive behavior that highlighted the following potential negative outcomes:

  • fosters medical errors;
  • contributes to poor patient satisfaction;
  • causes preventable adverse outcomes;
  • increases the cost of healthcare; and
  • increases rate of turn-over of qualified clinicians, administrators and managers.

As a result, the Joint Commission issued a disruptive behavior standard (LD.03.01.01) to include mandatory policies, training, code of conduct and reporting structures for any inappropriate outbursts.  In its November 9, 2011 newsletter, the Joint Commission revised its definition of “disruptive behavior” to a more refined interpretation of “behavior or behaviors that undermine a culture of safety”  after it received complaints that the term “disruptive behavior” was both ambiguous and not always viewed favorably.  For example, some argued that advocating for patient care  improvement might be incorrectly labeled as “disruptive behavior.”  The revised definition becomes effective in 2012 . 

Lessons Learned – A Balanced Healthcare Environment

From verbal abuse by physicians and healthcare workers causing fear to serve on hospital committees, potential patient safety issues and high turn-over rates, healthcare facilities and organizations must quickly strengthen  existing human resources policies and reporting lines to incorporate the revised definition of “disruptive physician” and to avoid becoming the latest headlines.  Above all, the historical tolerance for disruptive behavior must instead more highly value the promotion of patient safety and respect in the medical workplace.



On August 30, 2011, the National Labor Relations Board (the “Board”) issued a highly controversial and very pro-labor rule requiring employers to post notices informing employees of their right to join or form a union.  The rule was originally supposed to go into effect in November, but was subsequently pushed back to January 31, 2012 as a result of mounting criticism against the rule.  Indeed, several lawsuits have been filed by business groups alleging that the Board overstepped its discretion in imposing the rule on employers.  A federal judge in one of the cases recently asked the Board to further postpone the posting requirement so that the legal challenges could be heard, and the Board agreed, this time postponing the rule’s implementation to April 30, 2012.  

If the rule is implemented, employees will be required to post it in all locations at which the company traditionally posts notices, such as wage and hour and discrimination posters.  If greater than 20% of the workforce speaks a foreign language, the employer shall have to post the notice in that language too. 

Under the rule, employer notices would be required to contain a long list of employee rights under Section 7 of the National Labor Relations Act.  Some of the more prominent examples include an employee’s right to:

  • Organize a union to negotiate with their employer concerning wages, hours, and other terms and conditions of employment;
  • Form, join or assist a union;
  • Bargain collectively through a union;
  • Strike an picket;
  • Discuss wages, benefits, and other terms and conditions of employment;
  • Take action with one or more co-workers to improve working conditions by raising complaints with their employer, a government agency, or a union;
  • Choose not to do any of these activities, including not joining a union.

In addition to these rights, the notice also informs employees of actions that an employer may not take against employees, such as interrogating employees about their union support; firing or disciplining employees because of their support for the union; and prohibiting employees from wearing union paraphernalia except under special circumstances.  The notice also lists certain activities that are unlawful for unions, such as threatening or coercing employees, refusing to process a grievance, and discriminating against employees who do not support the union.

As a result of the notice, employees may ask their managers questions about the union, and the notice could even serve as a catalyst to a union orgainizing campaign or internal or external complaints of violations of employees’ labor law rights.  It is, therefore, crucial that  supervisors and managers are appropriately trained so that they know how to respond to employee questions or complaints without committing an unfair labor practice.