How far can you go in regulating workplace conduct | aad.org
How far can you go in regulating workplace conduct?

Legally Speaking

Rob Portman

Rob Portman is a health care attorney with Powers Pyles Sutter & Verville in Washington, D.C., and serves as General Counsel for the AAD and AADA.

Bookmark and Share

Dermatology groups, like other employers, have a strong interest in establishing a professional, productive, healthy, and safe workplace. The question is, how far can employers go in monitoring and restricting the conduct of workers, both in and outside the workplace? The answer is pretty far, as long as the conduct that is being regulated is reasonably related to the employee’s work performance and the rules are established and applied in a fair and nondiscriminatory fashion. The following discussion covers some of the more common workplace behaviors that dermatology groups may want to control. It is not intended to cover all workplace conduct.

General principles

As private entities, medical groups are not subject to constitutional restrictions. However, they must comply with federal non-discrimination statutes such as Title VII, the Americans with Disabilities Act (ADA), the Age Discrimination in Employment Act (ADEA), and the Equal Pay Act. Private employers that meet the employee thresholds must also comply with the Family and Medical Leave Act. There is no federal workplace privacy law, but there are some state statutory privacy laws, and every state has common law privacy rules. However, as a general rule, private sector workers have reduced expectations of privacy in the workplace.[pagebreak]

Electronic communications, Internet access, other use of PCs

Private employers own their telephone and computer networks and equipment, and generally have the right to monitor and regulate employee telephone calls, email activity, and Internet conduct. Employers should (and in some cases state law requires them to) inform workers in advance about these policies so the employees can adjust their conduct accordingly. So, for example, if workers know that their calls and emails may be monitored and recorded, they can make sure their telephone and email conduct (both internal and external) is professional and courteous, which is the point of having the policy in the first place. They can also avoid having too many (or any) personal calls, sending personal emails, or surfing the Web for personal reasons.

Employers can also restrict their employees’ use of cell phones, PDAs, and laptop computers for non-work-related purposes. At a minimum, medical groups need to have strict policies for ensuring the security of PDAs and laptops that can be taken out of the office. For instance, access to all patient identifiers should be password-protected and the data should be encrypted. This will provide the practice with substantial protection under the HIPAA breach notification rules. In addition, employees should receive training on how to ensure compliance with these HIPAA rules, including what do to if a laptop or other device containing patient identifiers is stolen.

Email policies should also include rules for routine destruction of emails, as well as procedures for suspending such rules for emails that may be the subject of pending or threatened litigation. More generally, employees should be strongly counseled against discussing the outcomes of specific patient cases via email, whether with patients, insurers, or other providers. While such information must be documented in patient medical records, putting these discussions in email or discussing them on listservs is not advisable as they are generally discoverable by, and can create a road map for, malpractice plaintiffs’ attorneys.[pagebreak]

Social networking

As more and more medical practices seek to expand their use of social networking services, such as Facebook, Twitter, blogging, and the like, they should adopt policies for regulating their workers’ use of such activities. Social networking policies should be consistent with the practice’s other employment policies, procedures, and business principles. The key elements of a social networking policy include:

  • distinguishing between official and personal use,
  • prohibiting or restricting personal use during working hours, and
  • establishing guidelines for official use, such as marketing or patient education.
  • The guidelines should ensure that employees acting on behalf of their practice are not posting inappropriate material or comments. For instance, they should not post:
  • defamatory, obscene, or off-color materials or comments,
  • material that infringes the copyright or trademark rights of other parties,
  • protected health information (PHI) or other confidential information (any PHI received via social media must be protected),
  • anticompetitive information, such as prices, salaries, etc., or
  • information that promotes an employee’s personal interests.


Employees should be cautioned that their personal social networking communications should avoid references to the practice and/or the employee’s role with the practice. Where the employee’s role with the practice is known to the audience, the employee should make it clear that s/he is speaking for herself or himself and not the practice.[pagebreak]

Anti-smoking/drugs and alcohol policies

Medical groups have even wider discretion than non-medical employers in prohibiting or limiting smoking in or around the workplace. They can not only prevent smoking in the office suite, they may also preclude smoking anywhere on the building grounds.

More and more employers are also refusing to hire smokers or are terminating employees who smoke and do not quit within a reasonable time. The justification is that smokers drive up the practice’s health insurance rates and lead to greater absenteeism (because smokers tend to be less healthy than non-smokers). Medical groups or their insurers can also require smokers to pay higher premiums and/or give premium discounts to non-smokers. The boundaries of non-smoking policies are still being tested in court, so employers should be careful to consult with legal counsel before adopting unconventional policies.

In terms of drugs and alcohol, employers can prohibit drinking during office hours, even if off-site. They can also discipline employees who have been drinking or taking drugs on the job. Employers can ask an employee who the employer has reason to believe has a drinking or drug problem to get professional help, but ultimately, the employer cannot take disciplinary action against the employee based on his or her alcoholism or drug addiction; only on the employee’s work-related drinking or drug use.

Employers can adopt drug and alcohol testing policies as long as there is a work-related purpose, which would clearly be the case for any medical practice. An effective drug and alcohol testing policy, including any potential disciplinary actions, should be in writing and circulated in advance to all employees. It should offer employees education and an employee assistance program option. Most importantly, the program should be administered in a consistent, nondiscriminatory fashion.

Practices should maintain information obtained through drug and alcohol policies in a confidential manner consistent with HIPAA privacy policies. In addition, the practice should be careful about taking action against prescription drug use as this may violate the ADA, as the underlying condition may be a covered disability. Likewise, the practice should not require routine disclosure of prescription drug use. Rather, any such disclosure requirement must be job-related and consistent with business necessity.[pagebreak]

Dress and grooming code

Employers generally can adopt dress and grooming codes that are reasonably related to legitimate business purposes. For instance, employers have wide discretion in setting hair length policies for men, as long as reasonable accommodations are made for religious practices. It is not considered to be gender discrimination to apply hair-length policies just to men.

But, discriminatory hiring or employment policies based on appearance may not be justified unless linked to a legitimate business purposes. For instance, Hooters is justified in only hiring attractive young women as waitresses, but Southwest Airlines cannot have the same policy for hiring flight attendants.

Dress codes generally must be equally applied to all workers. So, employers can’t require women to wear uniforms, but let men wear “appropriate business attire.” The practice can ban jewelry, baggy clothes, etc. for workplace safety purposes or other legitimate business reasons.

Employers can require wardrobe consistent with business needs and nature of service. So, it is perfectly acceptable to require physicians and nurses to wear appropriate medical attire — e.g., scrubs or lab coats — but allow front desk personnel to wear regular clothing.

The U.S. Supreme Court has held that employers need not accommodate religious beliefs in their dress or grooming codes if doing so would create more than de minimis cost to the employer. But more recent cases suggest a dress or grooming code must be related to legitimate business purpose to infringe on religious beliefs.

Sexual harassment

Sexual harassment involves unwelcome sexual advances, requests for sexual favors, and other verbal or physical conduct of a sexual nature when this conduct explicitly or implicitly affects an individual’s employment, unreasonably interferes with an individual’s work performance, or creates an intimidating, hostile, or offensive work environment. It is important to note that federal law forbids a hostile work environment related to sexual harassment. It does not address hostile work environments based on intimidating or aggressive behavior that is not sexually related.

An effective sexual harassment policy must be in writing condemning sexual harassment or a sexually-related hostile work environment. The employer should provide training and education for all employees, develop a system for filing complaints/grievances, assure employees that there will be no retaliation for reporting in good faith, investigate complaints immediately, take disciplinary action against those who violate the policy, and report to complainants on the results of the employer’s investigation.

In general, dermatology practices have considerable discretion in setting and enforcing policies to regulate and control workplace conduct. Such policies should be fair and nondiscriminatory in both their reach and enforcement. They should be communicated to all employees when they start working and periodically thereafter. Training and education about the policies and related support should also be provided on a regular basis. 



Robert M. Portman, JD, MPP, is a health care attorney and principal with the Washington, D.C. law firm of Powers Pyles Sutter & Verville PC. He is also general counsel for AAD and AADA. A previous version of this article appeared in Administrative Eyecare, a publication of the American Society of Cataract and Refractive Surgery and the American Society of Ophthalmic Administrators.