The American Counseling Association approved its 2014 Code of Ethics at the ACA Annual Conference and Expo on Tuesday, March 25th, 2014. The ACA has historically been a trendsetter on inclusion of technology-related items in its Code. This article is the first in a series on the impact of the 2014 Code on the use of technology in counseling – and potentially other psychotherapeutic – practice.

Envelope with ACA 2014 Written Over It

Have you ever had a prospective client contact you by email asking for consultation or an appointment, leaving no phone number or other methods of contacting them besides simply replying to their email? Of course you have. We all know that email is not a secure means of communication, and many of us worry about emailing prospective clients with no previous opportunity to discuss risks of email with them or to obtain written consent to send them emails. I call this “The Initial Contact Problem.” The 2014 ACA ethics code has added a new wrinkle to this sometimes gnarly issue: a requirement for the “respect for privacy” and “respect for confidentiality” with both current and prospective clients.

To wit, from the shiny new 2014 ACA Code of Ethics:

B.1.b. Respect for Privacy
Counselors respect the privacy of prospective and current clients. Counselors request private information from clients only when it is beneficial to the counseling process.

B.1.c. Respect for Confidentiality
Counselors protect the confidential information of prospective and current clients. Counselors disclose information only with appropriate consent or with sound legal or ethical justification.

(American Counseling Association, 2014) emphasis mine

As of the 2014 Code’s approval, counselors now have a mandate to extend the principals of protecting confidentiality to prospective clients in the same manner as we would with current clients. The Code is also clear that the principles described in it apply to all mediums, including electronic communications such as email. It is safe to say that counselors now have an ethical responsibility to apply security principles to initial contact with prospective clients.

Doesn’t HIPAA Require This Already Anyways?

Not necessarily. The health information of a prospective client with whom you do not yet possess a clinician-client relationship is not, technically speaking, your “protected health information,” or “PHI.” This is a rather loophole-ish way of looking at the issue, and loopholes don’t always work out in professional ethics and law, but it’s important to remember these things:

  1. When a prospective client emails you out of the blue, they a) want you to respond and b) have given you no opportunity to discuss the risks of email with them before responding.
  2. HIPAA has a relatively low threshold for informing clients of confidentiality risks and determining if a client wants you to send them sensitive information by email. The ACA 2014 Ethics Code task force made it clear that they intended for the new code to set a much higher bar for counselors to make sure clients fully understand the ramifications of decisions they make about confidentiality risks.

How Do I Respond to Clients Who Email Me, Then?

There are two parts to dealing with the Initial Contact problem:

  1. Set up your initial contact system to avoid the problem
  2. If that fails, try to funnel prospective clients into more acceptable methods of communication

On my practice website, I make visitors have to click through a couple of different pages to find my email address. However, they can get to my secure contact form in one click. The secure contact form is a simple page on my website that requires clients to enter a name and phone number and then write a message to me. What’s more, the message is sent directly to my Hushmail encrypted email account via a secure connection. The message is secured and I can reply by phone.

That doesn’t always work, however. Maybe someone gets my email address from elsewhere or enters a false phone number but supplies me with a genuine email address (this does happen.) What’s more, some therapists choose not to use this scheme for fear that they may lose prospective clients who are looking for an ordinary email address.

If a prospective client sends an email, it is neither sensible nor (in my opinion) ethical to ignore the message simply because there is no secure way to respond. I believe this is in the spirit of the ACA 2014 Code, even though it is not the wording of the code (more on that in a later article.) I suggest the following steps when you find yourself in this situation. Other workable methods may exist, but this is what I know to do:

  1. Reply to the email.
  2. Delete the prospective client’s original message from your reply. This way you’re minimizing the amount of sensitive information being exposed through a second email transmission.
  3. Apply the “minimum necessary” rule to your message while welcoming the prospective client and guiding them towards a phone conversation (or other more “acceptable” means of communication than email.) Where possible, I would avoid explicit mention of anything else from their original email.
  4. If the client refuses or avoids moving to other communication methods, keep applying the “minimum necessary” rule to your conversation and keep deleting their messages from your replies. Work to get them in your office, on the phone, or on your secure distance therapy system with a minimum of sensitive information getting out. This step of the process has highly varying success rates, but do your best. I would be careful of invalidating the potential client through excessive attention to security concerns, however. If you feel it’s clinically relevant to document your efforts, do so.

What Is The Purpose of the New Rule in the ACA Code?

The ethics code task force explained that this rule is part of an overall spirit of the code wherein counselors take on an affirmative responsibility for the confidentiality and privacy of the people with whom we come in professional contact. This concept of affirmative responsibility for safeguarding client welfare will come up again and again as we examine the code further.

The task force’s non-technical example of this rule in action was to state that when a prospective client makes an appointment with us, we cannot confirm or refute that an appointment was made when asked about it by third parties, even if that third party is an authority such as a school principal.

We will continue our analysis of the new code and keep our readers updated. We also post many updates to our newsletter, and place small-yet-important updates in our LinkedIn group and on our Facebook page.

In the coming weeks, we will also update the clinical and HIPAA compliance forms that we make available for free to our newsletter subscribers so that they better match the new ACA Code of Ethics.


  • American Counseling Association. (2014). ACA Code of Ethics. Alexandria, VA: Author.


Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss