Central Columbia Hospital Upon initial review of the events that transpired, this appears to be a simple policy issue. Social media misuse should be factored into an overall disciplinary system based on the severity of the violation. The way to factor in the use or misuse of social media would be to create and establish a policy and procedure. The challenges employers face when addressing the use of social media through the creation of policies include addressing all possible scenarios, allowing for flexibility for future updates, and maintaining legal standards. The policy should be specific and separate for social media, code of conduct, all electronic communications, confidentiality, and other employee expectations. Violations of these policies would then be tied to a separate progressive disciplinary system. The above recommendation would address the initial, surface-level issues presented in the case; however, upon deeper analysis, many other issues are revealed and presented below. Major and Minor Problems Although multiple issues have presented themselves within Central Columbia Hospital (CCH), a few concerns have reached a critical level that need to be addressed immediately. The major issues are that (1) there is no current disciplinary structure around social media, (2) the recent HIPAA violation involving seven hospital employees, and (3) the knowledge and proactive leadership at the highest level in the human resources function. The minor issues that have surfaced along with those are (1) low employee morale, (2) the lower than preferred patient satisfaction scores and (3) lack of follow-up training and reiteration of mandatory education. Causes of the Problems CCH has not been proactive in executing an updated version of the current electronic media policy, despite the obvious evolution of social media within the last several years, as well as other advances involving electronic communication. At the time of original policy creation, there was no correlation between social media policy violations and any type of disciplinary action. This was due to the fact that social media did not have as dominant of a presence in the workplace or the world at that time. The most recent event, the HIPAA violation of seven employees, has brought the gaps in the policies to CCH’s attention. “The HIPAA (Health Insurance Portability and Accountability Act) Privacy Rule protects most ‘individually identifiable health information’ held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral.”1 It is clear that this incident is a violation of the previously mentioned HIPAA event because the information provided on the social media site was enough to allow others to reveal the patient’s identity. The lack of knowledge at the leadership level in the human resources function is evident based on interviews with Anita Green and statements from Frank Scott and Gary Willis. They amplify the leadership concerns revolving around the lack of knowledge on HIPAA and its implications. Various Alternatives The first alternative for the events that have occurred is to take no immediate action at this time. Although this is the simplest and easiest course of action to follow, it puts CCH at extremely high risk for future breaches, violations, and litigations. Given that an employee brought the 1 http://www.nolo.com/legal-encyclopedia/do-labor-laws-protect-employee-posts-social-media.html information forward in good faith, it is not an option to take no immediate action. The second alternative is to create one comprehensive policy on all electronic communications and initiate broad discipline. This plan of action will create one policy, including code of conduct, social media, all electronic communications, confidentiality, and other employee expectations. This policy will contain the phrase “violations of any of these policies will warrant disciplinary action up to and including termination”, but will not outline specific consequences for specific violations. The positive aspect of this action is that there would be a policy stating the general expectations of each employee. While this is an improvement from the current state, it leaves situations open to interpretation and could still leave the company at risk for litigation. The third alternative is to create a multitude of distinct policies that are specific to code of conduct, social media, all electronic communications, confidentiality, and other employee expectations. Each policy will outline the expectations of each individual, as well as the consequences to violations. The disciplinary process will be progressive in nature, which will be determined through administration and human resources depending on the severity of the action. This alternative offers the most protection for CCH as a company, employees, and patients. There will be new enforcement and education surrounding the existing HIPAA policy. All of the above alternatives address the immediate need at CCH. We also recommend more long-term solutions that can aid in some of the other major issues identified. Selected Alternative and Implementation The alternative that should be selected is the third alternative. This offers the most detailed approach to clarify to all stakeholders the expectations CCH holds on each identifiable issue. These individual policies eliminate any ambiguity and provide guidelines on how to handle situations as they arise to each of the respective policies’ subject matter. These policies will be tied into a progressive discipline system. A grid will be created to help provide guidance based on the severity of each offense and how to proceed. Things to consider include aggravating or mitigating factors, personal gain, malicious intent, the outcome of the incident, if the employee was working, and the employee’s past disciplinary offenses. In regards to the education on HIPAA, a plan will be established in order to reassess and reinforce the critical nature of HIPAA compliance in a more effective training environment than the one currently in place. The implementation of the above alternative should be immediate. Then the other issues can be addressed in the longer term and in a more strategic way. The first step is to address the seven employees involved in the HIPAA incident through coaching and re-education. The second step starts with a collaborative meeting among legal, compliance, and human resources in creating the new policies. The timeline for creating these policies is three months. After the creation of the policies, the discipline grid will be developed, taking many potential scenarios into consideration. This portion will also take three months. The final review and communication plan will take place over the course of two months, which consists of disseminating the information through mass email. In-person training for leaders will ensure consistent enforcement of the newly implemented policies. This will address the obvious leadership gaps in HIPAA knowledge amongst leaders. This will then be followed by a mandatory online training for all employees. These long term strategic changes will have a top-down impact to improve patient satisfaction, employee morale, talent and performance management, employee opinion survey results, and HR restructuring. Using these long term strategies to address the major issues will lead to solving the minor issues.