​Providers may rely on existing privacy policies and related training programs to protect them in the Web 2.0 age, but experts say they may not go far enough.

“One of the challenges we faced [was] our staff who are from the millennium generation, the younger staff, they have their cell phones with them all the time,” says Vicki Loucks, vice president of quality services for Redstone Highlands Senior Living Communities, a Pittsburgh-area continuing care retirement community. “They would take photos of residents and put them on their Facebook pages. They didn’t mean that in a negative way; [social media is] what they do with their lives. So we had to educate our staff on the appropriate use of social media,” she says, “and then we made that part of our employment policy.”

A number of news stories, some that went national, have featured front-line staff taking photos of residents and posting them on their social networking pages, says attorney Purtell. “I had a client that got wind that one of the staff members had snapped a photo with a camera phone. The resident had food on her face, and [the staff member] posted it with ‘Aren’t I a good feeder?’” as the caption. “We don’t want this to continue. We’re asking all providers to become more versed as to these risks and to enhance privacy training to incorporate present realities,” says Purtell.

Frankly, if you haven’t updated [your policies] in the last three years, you should conduct a review,” Purtell says. “Much privacy and confidentiality training was designed long before everyone carried a cell phone that doubles as a camera and everyone was on Facebook, Twitter, etc. You would be foolish to try to tell your employees ‘Don’t use social media;’ rather, you need to adjust your message along the lines of, ‘Here’s something important: the same restrictions that we’ve instilled in you [regarding resident privacy] apply on the Internet.”
Consider specific policies to address hand-held devices. “It’s not unreasonable to indicate that unless there’s a specific reason and specific authorization, no one should be carrying a phone in their pocket at work,” says Purtell. “Also, you’re paying them to work, not to text their friends.”

Not having a good policy that includes social media, or not thoroughly training staff on it so that the above-mentioned violations occur, could result in criminal or civil liability, violate the Health Insurance Portability and Accountability Act of 1996, and may constitute caregiver misconduct, according to guidelines issued by Wisconsin’s Department of Health.

These guidelines recommend that providers’ policies include the following elements:

• Specify that cell phones, personal digital assistants, cameras, and other personal devices are never to be used to record images of residents. If the provider needs a photo of a resident for the purpose of care or training, only authorized people using equipment specified in the policy should take the photo.
• Make clear that photos of residents taken by authorized individuals are the property of the facility or company and that distributing them without written authorization is prohibited.
• State where in the facility, and under what circumstances, personal cell phones and other personal devices can be used, such as on breaks or outside.
• Tell residents, family members, and visitors about privacy issues and that taking a photo of the resident and posting it online would be a violation of privacy.
• Make clear what the consequences are for failing to abide by the policy.
• Train all staff, including temporary staff and volunteers, on the policy.

Cruickshank’s firm has developed a social media policy that would be useful to a company looking to develop its own or incorporate elements of one into its existing policies. Cruickshank says he would be happy to provide the sample policy at no charge to Provider’s readers. To obtain a copy, call Cruickshank at (281) 833-2200 or e-mail him at jcruickshank@alaniz-schraeder.com.