TO:
FROM:
DATE:
RE:

AHCA/NCAL Membership
AHCA Legal Operations Subcommittee, Long Term Care
Consortium (LLC), Sarah Swale and Craig Day (Lane Powell PC),
AHCA/NCAL Public Affairs
June 10, 2016
Social Media Guidance for Nursing Care Centers and Assisted
Living Communities

Social media are web-based communication tools that enable people to
interact with each other by both sharing and consuming information.1 Social
media usage has exploded over the last decade, with 65 percent of all adults
and greater than 90 percent of young adults now using social networking
sites.2 There are a range of websites and applications including Twitter,
Facebook, Snapchat, YouTube and Instagram, to name just a few.3 These tools
can be used effectively in healthcare to improve or enhance professional
networking and education, organizational promotion, and resident care,
education and public health programs. Unfortunately, these tools also
introduce potential risks to residents, employees and providers, and can
result in the distribution of poor quality information, damage to care center
and professional images, breaches of resident privacy, violation of personalprofessional boundaries and licensing and legal issues.4
Since 2012, there have been numerous instances where nursing care centers
and assisted living communities (collectively, care centers) employees have
posted information, photos, or videos on social media in violation of resident
privacy protections. American Health Care Association/National Center for
Assisted Living (AHCA/NCAL), National Association of Health Care Assistants
(NAHCA) and lawmakers in Washington, D.C. are concerned about instances
where residents are harmed by the inappropriate use of social media.
AHCA/NCAL members have asked the Association for critical information and
suggestions to help them better protect vulnerable and elderly residents.
Although it is extremely difficult for a care center to ensure that employees
use social media appropriately 100 percent of the time, it is critical that
providers develop and implement social media policies, adequately train
employees and initiate internal investigations, as appropriate, whenever it is
1 See http://webtrends.about.com/od/web20/a/social-media.htm
2 See http://www.pewinternet.org/2015/10/08/social-networking-usage-2005-2015/
3 See http://www.socialmediatoday.com/social-networks/2015-04-13/worlds-21most-important-social-media-sites-and-apps-2015
4 See http://www.ncbi.nlm.nih.gov/pmc/articles/PMC4103576/
1

 determined that there is a potential problem. AHCA/NCAL has developed this
guidance to help care centers better focus on this important issue.
UNDERSTAND SOCIAL MEDIA:
Care center employees are using social media, both at work and at home,
according to a recent poll of AHCA/NCAL member compliance officers. Most
commonly, employees are using:
BLOG is an online personal journal or diary that is typically updated daily.
FACEBOOK is an online site that connects individuals, and allows them to
keep in touch with friends, post photos, share links and exchange other
information.
FACETIME is a video telephone service that allows an individual to conduct
one-on-one video calls between iPhone, iPad, iPod touch and Mac
notebooks and desktops. Similar to Skype and Google Hangouts.
FOURSQUARE is a service that allows an individual to search local
businesses or attractions on an iPhone, BlackBerry, Android-powered, or
otherwise “smart” phone.
GOOGLE+ is an online site that delivers functionality and features similar
to Facebook including "Posts" for posting status updates, "Circles" for
sharing information with different groups, "Sparks" for offering videos and
articles, and "Hangouts" and "Huddles" for video chatting with a friend or
group of friends.
FORUM is an online discussion group that allows individuals to post
messages.
INSTAGRAM is an online photo sharing service that allows individuals to
share pictures and videos instantly on other social networking sites
including Flicrk, Facebook, Tumblr, Twitter or Foursquare.
KIK MESSENGER is an instant messenger service that allows an individual
to share photos, files and greeting cards between “smart” phones.
LINKEDIN is a professional, business-oriented online site that allows
individuals to create a resume and connect with colleagues and business
contacts.
YELP is an online site that allows individuals to post reviews and rate
businesses.
PINTEREST is an online site that allows individuals to share photos and
videos using a system of “boards.”
SKYPE is a telephone service that allows individuals to make free calls, as
well as file transfers, texting, video chat and videoconferencing.
SNAPCHAT is a service that allows an individual to share photos or video
clips for a matter of seconds. NOTE: Snapchat photos can easily be
saved.
TWITTER is an instant messenger service that allows an individual to stay
connected through brief text message updates up to 140 characters in
length.
2

 YOUTUBE is an online site that allows an individual to upload and share
video clips online.
REVIEW SOCIAL MEDIA POLICIES:
Care centers are encouraged to have a social media policy that protects not
only the residents; but also the employees and the care center. The policy
should define what employees can or cannot do on social media, and should
operate as a “code of conduct” or guide that clearly defines what the care
center expects from its employees when it comes to online behavior. The
social media policy should be included with other center policies governing
employee conduct, and employees should sign an acknowledgement form
and receive training on the policy. If/when employees violate the social
media policy, employees should understand that they will be subject to
discipline, up to and including termination. Lastly, centers should implement
a process to periodically review the social media policy. The social media
landscape is changing rapidly, with new technologies and tools emerging all
the time, and it is important to ensure that the social media policy is not only
effective but also legally comprehensive and consistent with new
technologies and trends.
Some simple “tips,” for either creating or improving a social media policy
could include:5
Don’t Ban Access Completely: Restrictive policies do not change the
fact that most employees can connect to the internet from their smart
phone. The best approach for employers is to proactively educate staff
in acceptable practices.
Learn from the Best: A simple Google search using the term “social
media policy” will provide a wealth of information. Use this as a
starting point, and pay attention to how other health care companies
address issues related to confidentiality, inappropriate online behavior,
etc.
Involve Staff: Include staff in the development of a social media policy.
There is always better “buy in” from staff if they are involved from the
very beginning.
Keep it Simple: Keep the policy as simple as possible while still
including critical information.
Take it Off the Page: Make social media training part of on-going
professional development and/or orientation for care center
employees.
Before a care center drafts or modifies its social media policy, it should
carefully consider the National Labor Relations Board (NLRB) guidance. In
5 See Monster.com; Social Media at Work: Developing a Social Media Policy for
Employees, by Emily Bennington.
3

 2011-12, NLRB released three reports that highlight specific examples of
unlawful social media policies. Although the NLRB guidance on social media
has not necessarily always been consistent, the three reports provide a good
starting place for understanding the NLRB’s concerns with respect to social
media policies. In those reports, NLRB makes clear that, whether union or
not, employees generally have the right to discuss work-related issues and
share information about pay, benefits and working conditions on social
media, without fear of discipline or criminal prosecution. The NLRB
emphasizes that an employer’s social media policy should be clearly written,
and where prohibitions are listed, employers should clarify with examples.
Specifically, NLRB provides the following guidance:6
Friending: Employees have the right to communicate with each other,
so a statement in the policy encouraging employees to “think carefully
about ‘friending’ co-workers” is considered illegal.
Posting: Employees have the right to criticize the company, so a policy
that unqualifiedly states that employees must refrain from criticizing
the business is illegal.
Talking About Co-Workers: Employees have the right to discuss wages
and conditions of employment with each other, so a blanket prohibition
concerning talking about co-workers is illegal.
Indecent Talking: Employees have the right to criticize their employers’
labor policies and treatment of employees, so a provision warning
employees to “avoid harming the image and integrity of the company”
is unlawful.
Inflammatory Topics: Employees have the right to talk in a “robust”
manner about working conditions, so statements encouraging
employees to “adopt a friendly tone” in online discussions is illegal.
Besides ensuring compliance with the NLRB guidance, the care center’s
social media policy (or related policies in the employee handbook) should
include definitions, standards, disciplinary guidelines and enforcement
actions. The policy also should clearly address the appropriate use of care
center-owned technology and the use of the internet during working hours.
AHCA/NCAL has developed its own social media policy template for the
general membership. This social media policy template should not be
construed as legal advice. This policy also should be individualized and
modified to fit the care center’s particular organization and culture, and legal
counsel should be consulted before the implementation of any social media
policy
Lastly, although this is not the focus of this guidance, if a care center is
planning to use a social media strategy to market its qualifications and
6 See Adage.com; Eight Ways Your Employee Social-Media Policy May Violate
Federal Law, by Brian Heidelberger.
4

 services, the Federal Trade Commission (FTC) has published Endorsement
Guidelines, requiring that marketing information is truthful, fair and has
adequate evidence to back up its claims. For more information see The FTC’s
Endorsement Guides: What People are Asking.
CONDUCT SOCIAL MEDIA TRAINING:
Care centers should not only train new employees during orientation; but
also should retrain existing employees periodically about its privacy (e.g.,
Health Insurance and Portability Accountability Act [HIPAA]) and social media
policies. Training should clearly articulate the care center’s process for
monitoring and/or taking corrective action against individuals who
inappropriately use social media. In fact, it is a good idea for employers to
ask employees to sign an attestation form, agreeing formally and in writing
that they will comply with the center’s social media policy. Lastly, care
centers should prominently post the center’s social media policy for
residents, families and staff.
A simple checklist that care centers could share with employees during
social media training to ensure HIPAA compliance/privacy for the residents
may include:7
 Keep personal social media accounts separate from care center
accounts.
 Avoid “friending” residents or families.
 Recognize that even a deleted post text message or picture can still
exist in cyberspace.
 Understand that posts on a private page can still be accessed by users
other than friends or followers.
 Understand that HIPAA personal identifiers (e.g., pictures,
neighborhoods, birth dates, etc.) must remain private.
 Know that even if a resident posts information, staff should not share
in any form this information on their personal pages.
 Be aware that commenting on a resident’s social media page may go
to other friends and individuals.
 Avoid taking any unauthorized photos of a resident (written
authorization is required).
 Avoid transmitting any electronic media image or recording of a
resident.
 Recognize that any privacy or confidentiality breach must immediately
be reported to center management.

7 See Law 360, A Checklist for Avoid HIPAA Violations on Social Media, by Kyna
Veatch.
5

 




Refrain from posting any protected information about the care center
on social media – in particular, do not use the center logo or
trademark.
During parties or events, ensure that all resident files or other
confidential items are put away before a group photo is taken. Don’t
forget to cover the white boards; and obtain the appropriate consent
form from the resident and/or family to post the photo.
If the resident, his/her family or staff members have any questions
about social media, they should be directed to the care center’s
management staff.

Further, the National Council of State Boards of Nursing (NCSBN) has
published a white paper, A Nurse’s Guide to the Use of Social Media, which
describes “myths and misunderstandings” that may be factors in potential
social media abuses, and that could be helpful in reviewing with staff during
training, including the mistaken beliefs that:
 the post is private and accessible only to the intended recipient(s);
 the contents of a post that have been deleted from a site are no longer
accessible;
 the post is harmless if private information about the resident is
disclosed and accessed only by the intended recipient;
 it is acceptable to discuss or refer to a resident if they are not
identified by name; but instead referred only by a nickname, room
number, diagnosis or condition; and
 it is acceptable to post information that a resident has disclosed about
him/herself.
AHCA/NCAL also has developed a power point presentation, #Winning at
Social Media, that can be used as the center develops or revises its own
social media training materials.
INVESTIGATE SOCIAL MEDIA ABUSES:
In most instances, care centers learn about inappropriate photos and posts
from their staff. Some care centers monitor social media regularly to find
photos and posts that violate residents’ privacy or are offensive to both the
residents and the care center. However, it is difficult (even with full-time or
outside vendor help) to discover every inappropriate photo or post. There
are hundreds of social media sites (each with its own complexities), and with
changes occurring daily, there is no magic bullet for uncovering all the
potential problems. Despite the limitations, care centers should consider
scheduling regular website reviews by an appropriate member of
management (preferably one who is insulated from any employmentrelated-decisions) to scan for and identify social media misuse or abuse. A
care center cannot effectively accomplish that task unless it understands
how individuals in its building interact, get attention, post,
6

 like/heart/retweet, friend, etc., on social media. This is key to uncovering
serious problems.
If/or when a care center uncovers an inappropriate photo or post, it should
immediately take action and initiate an investigation. A thorough
investigation should be launched to ensure that any harm to the resident
(e.g., exposure of resident’s confidential information or loss of dignity, etc.)
or center is limited. Further, the investigation should attempt to discover the
source of the inappropriate post, when it occurred, remedies, and possible
revisions to care center processes and policies that could help deter future
social media violations. If the care center determines that an employee has
violated its social media policy, the care center should administer the proper
discipline, including in some cases, termination.
FEDERAL GOVERNMENT ENFORCEMENT:
Under the Health Insurance Portability and Accountability Act of 1996
(HIPAA), the U.S. Department of Health and Human Services (HHS), Office
for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and
Security Rules, including the improper disclosure of resident protected
health information (PHI) that sometimes occurs with inappropriate social
media photos or posts. The Health Information Technology for Economic and
Clinical Health (HITECH) Act signed into law in 2009, amended the HIPAA
Privacy and Security Rules. Under the HIPAA Breach Notification Rule,
covered entities (e.g., all nursing care centers and some assisted living
communities) and their business associates must provide notification to OCR
following a
reportable breach of even one resident’s PHI.
A breach is the acquisition, access, use or disclosure of PHI in a manner not
permitted under the privacy rule. Whether or not a breach is reportable
depends on the outcome of an assessment by the covered entity.
Specifically, the HIPAA breach notification rules require a covered entity that
discovers a breach to presume that the event is reportable unless the
covered entity determines that there is a low probability that the PHI has
been compromised based on a risk assessment. The risk assessment must
consider the nature and extent of the PHI involved, including the types of
identifiers and the likelihood of re-identification; the unauthorized person
who used the PHI or to whom it was disclosed; whether the PHI was actually
acquired or viewed; and the extent to which the risk to the PHI has been
mitigated.
If a breach affects fewer than 500 individuals (which is usually the case
when individuals post resident PHI inappropriately), a covered entity must
notify the affected individuals no later than 60-days following the discovery
of the breach; must notify the HHS Secretary of the entire breach within at
least 60 days of the end of the calendar year in which the breach was
7

 discovered (but may also report immediately); and must complete a
separate notice for each breach incident. The covered entity must submit
the notice electronically.
HIPAA enforcement is primarily complaint-driven. When a formal complaint
is filed, OCR first attempts to resolve the matter informally; but if this is not
possible, civil money penalties (CMPs) are possible and could include: $100$50,000 for an unintentional violation (capped at $1,500,000); $1,000$50,000 for a violation that is not “willfully negligent” (capped at
$1,500,000); $10,000-$50,000 for a willfully negligent but corrected
violation (capped at $1,500,000); and $50,000 or more for a willfully
negligent, uncorrected violation (capped at $1,500,000). Criminal CMPs also
are possible and range from $50,000 to $250,000, and up to 10 years in
prison.
Over the last several years, OCR has increased both its enforcement and the
amount of fines related to HIPAA violations, and with Congress’ interest in
social media abuses, we will continue to see enforcement increase.
Under the Omnibus Reconciliation Act of 1987 (OBRA ‘87) (i.e., its Medicare
provision and Medicaid provision), the Centers for Medicare & Medicaid
Services (CMS) is responsible for enforcing the nursing care center
regulations, including those regulations specifically written to protect the
resident from any type of abuse and neglect (e.g., social media abuses or
otherwise). Under 42 CFR §483.13, CMS clearly delineates its expectations,
including both reporting and investigation requirements for nursing care
centers. Further, in F223, F224, and F226 in the State Operations Manual,
Guidance to Surveyors, CMS describes the nursing care center requirements
for reporting to the state either as soon as possible or not later than 24
hours after the discovery of an incident.
Each year, state-assigned and federally-trained surveyors enter care centers
unannounced and conduct a rigorous examination of all facets of caregiving,
food preparation, facility fire and life safety, resident quality of care and
quality of life, safety systems impacting resident care, medication
management, and more. If a deficiency is found, citations can result, as well
as remedies imposed. CMS and state surveyors have many tools at their
disposal to encourage care centers to achieve and maintain compliance with
all requirements of participation. Specifically, under 42 CFR §488.406, CMS
can impose any of the following remedies: 1) Termination of the provider
agreement; 2) Temporary management; 3) Denial of payment for all
Medicare and/or Medicaid individuals by CMS; 4) Denial of payment for all
new Medicare and/or Medicaid admissions; 5) CMPs; 6) State monitoring; 7)
Transfer of residents; 8) Transfer of residents with closure of facility; 9)

8

 Directed plan of correction; 10) Directed in-service training; and 11)
Alternative or additional State remedies approved by CMS.
Lastly, under the Affordable Care Act (ACA), §1150B, CMS is responsible for
enforcing the Elder Justice Act (EJA) in nursing care centers. This EJA requires
any nursing center owner, operator, employee, manager, agent, or
contractor (e.g., individuals) that receive at least $10,000 in federal funds
during the preceding year, to report any “reasonable suspicion” of a crime
against any individual who is a resident of, or receiving care from a nursing
center to the HHS Secretary and one or more law enforcement entities. CMS
has released a memorandum to implement the EJA. Under §1150B
CMS can impose CMPs up to $200,000 per individual or the HHS Secretary
can exclude the individual from participation in a federal health care
programs.
REAL-LIFE AND EGREGIOUS SOCIAL MEDIA ABUSES
Unfortunately, in the following examples, care center staff were involved in
activities that caused significant harm to the involved residents. Although
these instances rarely occur, the care center’s leadership must be alert and
immediately responsive to any similar instances of social media abuse. Staff
typically see and report such instances to their administrator or supervisor
directly. When this occurs, the care center should make every effort to delete
the offensive photo, video or post as soon as possible, and to alert the
resident’s family. Further, any staff involved in these activities, should be
suspended during an investigation, and reported to the appropriate federal
agency and the local law enforcement. Anytime even one such instance
occurs in a care center, staff should be informed and reminded of the care
center’s social media policy. Egregious examples include where a staff
member posts a:
 photo of a nude or partially-dressed resident (including lewd markings
attached to the photo or covered by fecal matter)
 photo of a nude resident that a friend subsequently posts
 video of a resident being harassed or taunted by other staff or visitors
(including abusive words, such as “jerk”)
 video of a resident vomiting or being assisted with a bowel obstruction
procedure
 photo of a resident while the resident is on the toilet
 photo of a resident in the bathtub or shower
 photo of staff mistreating resident (e.g., dancing in sexually explicit
ways, carrying resident over his/her shoulder while partially dressed,
treating a deceased resident inappropriately, etc.)
 photo of a resident being changed on the bathroom floor
 photo of two residents posted in a sexually explicit way

9

 RESPONDING TO REAL-LIFE EXAMPLES:
The social media issues and tips that follow are “real-life” care center
examples, with suggested center responses:
FACEBOOK – RESIDENT HARM
Issue:
Staff member posts inappropriate
photo or video of a resident















10

Action:
Work with the resident, family
member, and Facebook to take
down the picture immediately
Facebook has a process for
harmed individuals to report
inappropriate or abusive items on
its website. This process includes
reporting anything in violation of
the Facebook’s Community
Standards (e.g., nudity, hate
speech, violence) on the Report
link near the offensive post,
photo or comment
If the resident or family member
is ill or incapacitated; then the
legal guardian or representative
can report the abuse
Facebook encourages the
resident, family member or legal
guardian to contact local law
enforcement if relevant
Suspend involved staff, pending
investigation, and take
appropriate employment action
once the investigation is
complete
Investigate thoroughly
Report to the appropriate federal
agency and the local law
enforcement, as well as any
applicable state regulatory
agency and/or licensing agency
Inform and reeducate staff using
the social media policy

 Staff member posts a photo of
resident, or any other resident PHI
(e.g., name, condition, diagnosis,
etc.) without permission









Family member or other individual
posts a photo or video of a resident
medical procedure



Work with the resident, family
member, and Facebook to take
down the picture immediately
(see above)
Suspend involved staff, pending
investigation, and take
appropriate employment action
once the investigation is
complete
Investigate thoroughly
Report to the appropriate federal
agency and the local law
enforcement, as well as any
applicable state regulatory
agency and/or licensing agency
Inform and reeducate staff using
the social media policy
Discourage family members from
recording resident medical
procedures via photos or video,
and remind them of both the
family’s and the center’s dual
responsibility to ensure patient
dignity

FACEBOOK – CENTER HARM
Issue:
Family member or other individual
post comment or picture with a
“tag” of a center (both complaints
and/or praise), and Facebook
automatically starts a “rogue” page

Family member or other individual
post information on Facebook (both
complaints and/or praise) about the
center online







11

Action:
Establish an official page, and
request that Facebook take down
the other “unofficial pages”
Consider creating official
Facebook pages for each
individual center in a large
company to avoid rouge pages
Consider having staff monitor and
find both online praise and
complaints
Where it is impossible for staff to
monitor online posts; consider
contracting with an outside

 





vendor to help with a social
media management system
(SMMS)
If there is a complaint, follow-up
as soon as possible, making
personal contact with the person
who posted the review
If the follow-up is on-line, do not
“debate,” but leave a positive
message welcoming further
discussion offline
To promote positive public
reviews and decrease negative
remarks, encourage patients and
families to review their
experience

YELP – CENTER HARM
Issue:
Family members or other individuals
post Yelp reviews (both complaints
and/or praise) about the center
online.8




Complaint:
“The elderly man in the wheelchair
next to my grandfather soiled
himself because no one came to
help him out of the chair for almost

half an hour. The food was terrible.
They misplaced my grandfather’s
wound dressing, and it was only
after my cousin, who is a police

officer, went to visit my
grandfather…did the employees
change their tune. Shame on them! I
plan to go to the [newspaper] with

my opinion and my grandfather’s
experience. Don’t take your loved
ones to this care home. It will break

Action:
Consider having staff monitor and
find both online praise and
complaints
Where it is impossible to use staff
to monitor online posts; consider
contracting with an outside
vendor to help with a social
media management system
(SMMS)
If there is a complaint, follow-up
as soon as possible, making
personal contact with the person
who posted the review
If the follow-up is on-line, do not
“debate,” but leave a positive
message welcoming further
discussion offline
To promote positive public
reviews and decrease negative
remarks, encourage patients and
families to review their

8 See Provider Magazine, Managing Online Reviews, by Cassie M. Chew,

February 2016.
12

 your heart.”

experience.

Praise:
“Garden City was our favorite of the
five we have experienced…The
management is very efficient,
nursing is spot-on in their
attentiveness and care, and their
rehab is by far the best as to facility,
equipment, and rehab therapists…”
Family members or other individuals
use the center’s trademark in
posting a comment or picture.





13

Send a message to the individual
who posted the content, and see
if the issue can be resolved
without YELP involvement.
If the trademark is not taken
down, then consider whether or
not the review violates any of
Yelp's terms of service and
contact the YELP support team.