Social media: protecting patient confidentiality
The sensitive nature of healthcare makes it all the more important to be aware of inappropriate social network conduct and the damage it can do to an organisation’s reputation. By Martin Cheyne and Laura Newcombe
Social media involves interaction of people within “virtual” networks. It is ubiquitous now, and as a consequence organisations and users need to consider how to best adopt the benefits that social media provides. Undoubtedly there are great benefits but an awareness of the guidance available can help minimise a few of the pitfalls.
‘All employees owe a duty of confidentiality to their employers, even if this is not expressly stated in the contract of employment’
In our previous article we considered the implication of inappropriate “work related” comments on social networking websites. Reputation and confidentiality are important considerations for most companies but are particularly essential for healthcare organisations, especially patient confidentiality. The case of Flexman v BG Group raises the issue of what happens when confidential information is disclosed by an employee on a website.
It is the consequence of social media that necessitates organisational policies and the increasing amount of guidance issued by regulators, professional bodies and unions.
In the case of Flexman v BG Group, Mr Flexman was an HR professional who, like hundreds of thousands of people around the UK, had a LinkedIn profile. Mr Flexman was accused of putting confidential company employment attrition figures on his profile for which the company took disciplinary action against him.
While the employment tribunal did not prescribe what company information is acceptable on LinkedIn (as it focused on the delay in BG dealing with the disciplinary process that lead to Mr Flexman’s resignation), it has opened the debate on how employers can and should deal with confidential information included in social media.
All employees owe a duty of confidentiality to their employers. Even if this is not expressly stated in the contract of employment, there is an implied duty to keep certain information obtained during the course of their working there confidential. For organisations and professionals providing healthcare, this will certainly include patient details.
‘Even if a patient is not identified specifically there remains a risk of identification’
Patient confidentiality is of paramount importance. A breach of this duty can lead to reputational damage and have significant financial consequences. In addition to potential difficulties with commissioners, lost revenues and profits, the information commissioner can take enforcement action and fine organisations for breaches of confidentiality.
Any breach of the duty of confidentiality by an employee will be a disciplinary issue and may lead to dismissal for misconduct.
‘The risk to the organisation’s reputation, however, must be real rather than just fanciful; there must be evidence to show the risk’
The main healthcare professional and regulatory bodies have issued guidance on social media and in particular on the duty of confidentiality owed to all patients. These guides provide a reminder of the ethical and legal duties not to disclose information on patients, including online. Even if a patient is not identified specifically there remains a risk of identification.
“Privacy” settings may not provide protection and professionals should not assume anonymity if discussing patients, even in a non-derogatory way. Professional and regulatory guidance goes further, reminding professionals not to contact patients through social media and suggests rejecting any contact from patients, such as refusing friend requests on Facebook.
Damage to reputation
Undoubtedly there is the potential for activity on social media and professional networking sites to damage an organisation’s reputation. Where proven, this can justify the dismissal of staff involved. The risk to the organisation’s reputation, however, must be real rather than just fanciful; there must be evidence to show the risk.
‘Reputational damage will be subjective and evidence will need to be obtained to confirm the damage or a risk of it’
This was illustrated in the case of Taylor v Somerfield Stores when a manager posted a video on YouTube showing a person dressed in store uniform being struck on the head with a plastic bag. He was dismissed for this. The employment tribunal considered that the clip had been online for three days and had only been viewed eight times, which included views by management as part of the disciplinary investigation. As a result the tribunal found that it could not have caused reputational damage or loss to the company.
In contrast, it was agreed that there was reputational damage in the case of Gosden v Lifeline Project. Mr Gosden worked for a charity that provided support to drug users in prisons and he was assigned to work at a prison.
Mr Gosden contacted an employee of HM Prison Service, via their home email addresses, sending an email with offensive content and a statement that the email should be passed on. The email was forwarded to a prison service email address and after it entered the HMPS computer system the matter was investigated.
It was concluded that Mr Gosden had breached HMPS’s policy on diversity and professional standards by sending the email to a prison service employee, which resulted in him being excluded from working in their prisons in Yorkshire and Humberside. Due to this Mr Gosden was dismissed from Lifeline Project for gross misconduct in damaging its reputation.
‘Social media is important to staff and organisations alike − we should take heed of the guidance readily available’
The employment tribunal agreed that an employee sending an offensive email to an employee of their biggest client when they appeared to hold views that were incompatible with that of the prison service would cause reputational damage.
Whether there has been reputational damage will be subjective and evidence will need to be obtained to confirm the damage or a risk of it. However, breaching confidentiality by discussing patients online or posting photographs, as has been reported, is very likely to damage a healthcare organisation’s reputation.
If there has been a complaint by a member of the public or friends and family of a patient then there is likely to be clear adverse public opinion and reaction.
Social media is important to staff and organisations alike − we should all take heed of the guidance that is readily available.
Martin Cheyne is employment partner at Hempsons, Laura Newcombe is solicitor in the Hempsons Employment Team