Social media usage by business owners and physicians is at an all-time high, but it brings new risks with it. Part two of our look at social media risks examines defamation lawsuits, employer liability, and the prevention and risk management basics every business needs.
We covered the legal definition of defamation, provided examples of defamatory statements and explained the main defenses to a defamation claim in a previous discussion.
Those basics will help you avoid making those mistakes yourself, but both the business’ liability and your liability as a business owner or executive may extend beyond your own actions to the actions of your employees and subordinates.
You have vicarious liability for the statements of your employees if they are made within the scope of their employment and this liability may include not only their own statements but their repeating or rebroadcast the defamatory statements of others, like a “re-tweet” or a post share. This liability extends to all forms of social media, including third-party review sites and covers actions involving the use of false personas and/or creating fake or defamatory negative reviews on sites such as Yelp and similar sites.
In addition to this vicarious liability to third parties, the practice also has a potential internal exposure to its own employees if it makes statements about an employee, their performance, their termination or “over-discloses” on an employment reference call. Make sure owners and managers are aware of the very limited amount of employment related information they can disclose and have a specific info set that they limit their comments to.
Managing all these risks requires multiple layers, including controls to avoid the risk in the first place.
Do you have a social media policy?
You can’t legally ban your employees from social media use; they have a right to certain forms of speech related to their employment that’s well established in labor law.
As such, you should have a formal social media policy that includes specific guidelines and for all material posted in any of the practice’s official social media accounts like Twitter, Facebook, Snapchat and Instagram. As always, the policy is only worth the actual training, monitoring and enforcement that’s put behind it—merely adding it to your written employment manual isn’t enough. You need to devote some time and effort to cover the basics with your employees.
The policy should provide all employees and owners clear guidance and reasonable prohibitions on what they should omit regarding their employment on their own personal social media accounts and the potential liability it can create with both defamation and HIPAA-related claims. As attorney Michael Sacopoulos, JD, explained in his earlier article for Physicians Practice, there are reasonable limits you can enforce:
Employees who discuss salaries and working hours online are engaging in protected speech, while a lone wolf who constantly belittles co-workers with malicious, derogatory remarks can and should be subjected to appropriate disciplinary measures. Such measures also apply to employees who use social media to intentionally post PHI, masquerade as someone else, proffer unqualified medical opinions, engage in racist or abusive language, or threaten others.
Michael’s follow-up article provides specific details on what a medical practice social media policy should include and how it should be implemented. It’s a great starting point if you don’t have a social media policy and a good review and checklist to compare your own policy to if you do.
Are you adequately insured?
I always advise that businesses work with experienced, multi-line commercial insurance brokers that can help provide adequate coverage in terms of both the scope of the coverage and the dollar limits involved. There are at least four overlapping forms of insurance that may help protect you in the event of a practice-related defamation claim.
- High limits of general liability insurance,
- A “rider” on your medical malpractice policy that provides some limited coverage,
- High-limit cyber liability insurance that includes both HIPAA breaches, data breaches and third-party claims such as defamation, and
- Directors and Officers Coverage (D&O) for your role as an owner or officer.
Do not simply rely on low-limit “riders” added to your medical malpractice policy or other professional liability insurance that often also share limits with the base med-mal policy itself. You should have coverage limits that are adequate to cover both the worst-case result (a lawsuit judgment) and the defense of a defamation claim—defense costs alone can easily reach six figures.