Central Columbia Hospital Upon initial review of the events that

advertisement
Central Columbia Hospital
Upon initial review of the events that transpired, this appears to be a simple policy issue. Social
media misuse should be factored into an overall disciplinary system based on the severity of the
violation. The way to factor in the use or misuse of social media would be to create and establish
a policy and procedure.
The challenges employers face when addressing the use of social media through the creation of
policies include addressing all possible scenarios, allowing for flexibility for future updates, and
maintaining legal standards. The policy should be specific and separate for social media, code of
conduct, all electronic communications, confidentiality, and other employee expectations.
Violations of these policies would then be tied to a separate progressive disciplinary system. The
above recommendation would address the initial, surface-level issues presented in the case;
however, upon deeper analysis, many other issues are revealed and presented below.
Major and Minor Problems
Although multiple issues have presented themselves within Central Columbia Hospital (CCH), a
few concerns have reached a critical level that need to be addressed immediately. The major
issues are that (1) there is no current disciplinary structure around social media, (2) the recent
HIPAA violation involving seven hospital employees, and (3) the knowledge and proactive
leadership at the highest level in the human resources function. The minor issues that have
surfaced along with those are (1) low employee morale, (2) the lower than preferred patient
satisfaction scores and (3) lack of follow-up training and reiteration of mandatory education.
Causes of the Problems
CCH has not been proactive in executing an updated version of the current electronic media
policy, despite the obvious evolution of social media within the last several years, as well as
other advances involving electronic communication. At the time of original policy creation, there
was no correlation between social media policy violations and any type of disciplinary action.
This was due to the fact that social media did not have as dominant of a presence in the
workplace or the world at that time.
The most recent event, the HIPAA violation of seven employees, has brought the gaps in the
policies to CCH’s attention. “The HIPAA (Health Insurance Portability and Accountability Act)
Privacy Rule protects most ‘individually identifiable health information’ held or transmitted by a
covered entity or its business associate, in any form or medium, whether electronic, on paper, or
oral.”1 It is clear that this incident is a violation of the previously mentioned HIPAA event
because the information provided on the social media site was enough to allow others to reveal
the patient’s identity.
The lack of knowledge at the leadership level in the human resources function is evident based
on interviews with Anita Green and statements from Frank Scott and Gary Willis. They amplify
the leadership concerns revolving around the lack of knowledge on HIPAA and its implications.
Various Alternatives
The first alternative for the events that have occurred is to take no immediate action at this time.
Although this is the simplest and easiest course of action to follow, it puts CCH at extremely
high risk for future breaches, violations, and litigations. Given that an employee brought the
1
http://www.nolo.com/legal-encyclopedia/do-labor-laws-protect-employee-posts-social-media.html
information forward in good faith, it is not an option to take no immediate action.
The second alternative is to create one comprehensive policy on all electronic communications
and initiate broad discipline. This plan of action will create one policy, including code of
conduct, social media, all electronic communications, confidentiality, and other employee
expectations. This policy will contain the phrase “violations of any of these policies will warrant
disciplinary action up to and including termination”, but will not outline specific consequences
for specific violations. The positive aspect of this action is that there would be a policy stating
the general expectations of each employee. While this is an improvement from the current state,
it leaves situations open to interpretation and could still leave the company at risk for litigation.
The third alternative is to create a multitude of distinct policies that are specific to code of
conduct, social media, all electronic communications, confidentiality, and other employee
expectations. Each policy will outline the expectations of each individual, as well as the
consequences to violations. The disciplinary process will be progressive in nature, which will be
determined through administration and human resources depending on the severity of the action.
This alternative offers the most protection for CCH as a company, employees, and patients.
There will be new enforcement and education surrounding the existing HIPAA policy. All of the
above alternatives address the immediate need at CCH. We also recommend more long-term
solutions that can aid in some of the other major issues identified.
Selected Alternative and Implementation
The alternative that should be selected is the third alternative. This offers the most detailed
approach to clarify to all stakeholders the expectations CCH holds on each identifiable issue.
These individual policies eliminate any ambiguity and provide guidelines on how to handle
situations as they arise to each of the respective policies’ subject matter. These policies will be
tied into a progressive discipline system. A grid will be created to help provide guidance based
on the severity of each offense and how to proceed. Things to consider include aggravating or
mitigating factors, personal gain, malicious intent, the outcome of the incident, if the employee
was working, and the employee’s past disciplinary offenses. In regards to the education on
HIPAA, a plan will be established in order to reassess and reinforce the critical nature of HIPAA
compliance in a more effective training environment than the one currently in place.
The implementation of the above alternative should be immediate. Then the other issues can be
addressed in the longer term and in a more strategic way. The first step is to address the seven
employees involved in the HIPAA incident through coaching and re-education. The second step
starts with a collaborative meeting among legal, compliance, and human resources in creating the
new policies. The timeline for creating these policies is three months. After the creation of the
policies, the discipline grid will be developed, taking many potential scenarios into
consideration. This portion will also take three months. The final review and communication
plan will take place over the course of two months, which consists of disseminating the
information through mass email. In-person training for leaders will ensure consistent
enforcement of the newly implemented policies. This will address the obvious leadership gaps in
HIPAA knowledge amongst leaders. This will then be followed by a mandatory online training
for all employees. These long term strategic changes will have a top-down impact to improve
patient satisfaction, employee morale, talent and performance management, employee opinion
survey results, and HR restructuring. Using these long term strategies to address the major issues
will lead to solving the minor issues.
Download