The ethical challenges of the 21st Century, with its myriad of technological advances, are daunting, especially for those of us trained before the millennium. My personal modus operandi has been avoidance and minimization.
However, two recent events forced me to take a serious look at my security practices. I received a letter from my insurance company stating that they had been hacked and my Protected Health Information (PHI) had been compromised. A few weeks earlier, I received notification that my personal email had been hacked.
These events forced me to face the fact that my private practice data might not be as secure as it could (and should) be. My computer was not encrypted, and clients sometimes emailed me on my (unencrypted) work email and texted me to make and change appointments. Then there’s the fact that I was using electronic billing, which repeatedly sends patient PHI through the Internet.
What is an independent practitioner with limited time, money and energy supposed to do to ethically incorporate these technological changes into their practice (striking a healthy balance between excessive rigidity and denial)? To answer this question, I combed the Internet and spoke to Ed Zuckerman, Ph.D., author of The Paper Office, and to a number of my colleagues to get a sense of how practitioners handle communication to, from and about clients in the 21st Century.
First, what kind of official standards and guidelines do we have? The APA Ethical Principles for Psychologists and Code of Conduct states:
4.01 Maintaining Confidentiality
Psychologists have a primary obligation and take reasonable precautions to protect confidential information obtained through or stored in any medium, recognizing that the extent and limits of confidentiality may be regulated by law or established by institutional rules or professional or scientific relationship.
4.02c Discussing the Limits of Confidentiality
Psychologists who offer services, products or information via electronic transmission inform clients/patients of the risks to privacy and limits of confidentiality.
The more recent APA Guidelines for the Practice of Telepsychology recommend that psychologists become knowledgeable and competent “…in the use of the telecommunication technologies being utilized…” and make sure that clients/patients are made aware of “…the increased risks to loss of security and confidentiality when using telecommunication technologies.”
In other words, we need to understand limits to security and confidentiality that using these technologies may incur, and we must inform our patients of these limitations. Zuckerman, in a personal communication, suggests using a free program like BitLocker (2010) that encrypts all files on the hard drive.
He went on to state that encryption of “data at rest” is crucial because it is particularly at risk of a cyber attack – it’s a “sitting duck.”
He also supports the use of Electronic Health Record (EHR) software in which the client Case Notes and PHI are kept on a secure server. These software programs generally offer secure, encrypted email as well. They can also securely dispose of inactive client records (i.e., more than five to seven years old). There are many programs (including at least one that is free) to choose from with a variety of features. It goes without saying that the program must be HIPAA compliant.
In addition to understanding security threats, the Guidelines for the Practice of Telepsychology also direct us to inform patients that using these technologies (i.e., email and texting) can compromise confidentiality; this includes placing a statement about confidentiality issues with email on your website, in your Consent to Treatment Form, and perhaps in all email with clients and other professionals.
Ken Pope, Ph.D., has written extensively about informed consent both on his website and in his book, Ethics in Psychotherapy and Counseling: A Practical Guide. In addition, clients should be told to refrain from emailing you urgent, time sensitive material (e.g., thoughts about suicide).
Regarding text messaging, Zuckerman believes that if it’s done purely for scheduling purposes (thus no PHI is released), the security threat is minimal, so such a disclaimer isn’t as important.
However, if you do use text messaging with patients, you still might want to include mention of privacy concerns in your consent to treatment forms. Individuals under the age of 40 often use text messaging for in-depth (and often emotionally laden) conversations and, out of habit, may slip back into revealing personal information in texts to practitioners.
How about electronic billing and EHR software programs? How secure are they really? Zuckerman suggests that they’re quite secure because attacks on data “in transit” (meaning the data was moving from one computer to another at a remote location) are extremely rare. Of course I still have my doubts after getting my umpteenth “we regret to inform you that our computer security has been compromised” letter from an insurance company. Zuckerman would say that this data breach was probably with “data at rest,” not “data in transit.”
This topic may provoke anxiety in many practitioners (including me), but must be addressed if we use newer technology in our work. We can minimize risks to confidentiality fairly inexpensively and with relatively little trouble. In doing so, we can find middle ground between rigid, excessively fear-inducing language on client paperwork and the opposite extreme, denial.
That middle ground for me means adding a disclaimer on my website, in consent to treatment forms and in all professional emails as to the confidentiality risks from using email. With regard to texting, I inform clients that I sometimes use texting to confirm or change appointments but there are potential risks to confidentiality in doing so.
I have also put a password on my phone and only list clients by first name and last initial under my contacts on my phone. In addition, I easily downloaded and installed encryption software for my work computer, which has not been particularly onerous. As with any unpleasant task, facing it head on makes it more manageable and decreases anxiety.
As Amelia Earhart once said, “Fears are paper tigers.”
References available from author
Susan D. Rego, Ph.D., is a licensed psychologist in private practice in Bethlehem, Pa. She specializes in treating adults with depression, anxiety and eating disorders and offers clinical consultation to mental health professionals. Her email is: firstname.lastname@example.org.