The American Counseling Association approved its 2014 Code of Ethics at the ACA Annual Conference and Expo on Tuesday, March 25th, 2014. The ACA has historically been a trendsetter on inclusion of technology-related items in its Code. This article is the second in a series on the impact of the 2014 Code on the use of technology in Counseling – and potentially other psychotherapeutic – practice.
The 2014 ACA Code of Ethics, released at the ACA Conference in March, made sweeping changes to ethical mandates around trading emails, text messages and other electronic transmissions with clients. The code sets up a new standard of care that demands higher responsibilities than HIPAA does and is likely to set a bar for all of mental health. I had the good fortune to attend the Ethics Revision Task Force’s town hall meeting at the conference. A member of the task force, Michelle Wade, was kind enough to offer some clarifications of the new code for this article.
In short, Counselors now must:
- Make “reasonable efforts” to make transmissions, such as email and texting, secure.
- Help clients fully understand the ramifications of decisions they make to allow their Counselor to send them unsecured emails, texts, and other unsecured electronic transmissions.
- I have created a new sample questionnaire for my free newsletter subscribers to help Counselors and other mental health pros discuss the risks and ramifications of using email and texting with clients. You can subscribe to the newsletter, and then download the questionnaire, by clicking here. Current subscribers will get the link to download the questionnaire in the next newsletter.
- Making sure clients fully understand the risks and benefits of networked technology is a threshold that must be met before we can say our clients have been informed of the risks of these transmission technologies. After that, it appears that clients are still allowed the autonomy to accept those risks and request that we send them emails, text messages, etc. in accordance with all applicable laws, including HIPAA/HITECH and your state laws.
- It is important that you understand the nuances of this informed consent process before using it with clients. If you haven’t read it, please see our article Clients Have the Right to Receive Unencrypted Emails Under HIPAA.
- Our free newsletter subscribers also have access to our sample forms for documenting client consent to use non-secure communications tech.
- There are more new issues in the 2014 code, such as the requirement to disclose to clients if and how you keep electronic records. We will cover those topics in future articles.
New Responsibilities and Standard of Care
First, this article does not discuss the new rules around distance counseling. Distance counseling and telehealth in general are a different beast, and I think it is important to avoid conflating telehealth practice with the general use of digital and networked technology in professional practice, supervision, education of professionals, and etc. As such, be careful of crossing the line into telehealth with clients when using email, texting, video, etc. Many states and licensing boards have their own rules, in addition to the ethics code and guidelines, where crossing into telehealth territory changes the rules under which you are playing.
The 2014 code expands on the old 2005 code’s rule around confidentiality in transmissions:
B.3.e. Transmitting Confidential Information
Counselors take precautions to ensure the confidentiality of all information transmitted through the use of any medium.
(American Counseling Association, 2014) emphasis mine
This expands on the old 2005 code’s statement about confidentiality in tech to “any medium.” This is part of an overall effort to infuse coverage of digital and networked technology use throughout the code. The task force stated at the annual conference that this was a conscious intention in the 2014 code’s design.
An important issue in the use of digital and networked tech in professional practice is one of informing clients of risks and benefits of that technology. The old 2005 code followed the general standard of HIPAA and other ethics codes and simply required that we inform clients of those risks and benefits. It didn’t say much about what is considered sufficient information. The 2014 code takes it further:
H.2.b. Confidentiality Maintained by the Counselor
Counselors acknowledge the limitations of maintaining the confidentiality of electronic records and transmissions. They inform clients that individuals might have authorized or unauthorized access to such records or transmissions (e.g., colleagues, supervisors, employees, information technologists).
(American Counseling Association, 2014) emphasis mine
H.2.c. Acknowledgment of Limitations
Counselors inform clients about the inherent limits of confidentiality when using technology. Counselors urge clients to be aware of authorized and/ or unauthorized access to information disclosed using this medium in the counseling process.
(American Counseling Association, 2014) emphasis mine
The standard of “urge clients to be aware” is beyond any I have seen. However, it does not seem unduly burdensome in my opinion. In the last two years of doing regular trainings on technology in practice, I have often polled clinicians on their opinions around HIPAA’s threshold for informing clients of risks in networked communications tech – HIPAA only requires us to tell clients that third parties may be able to access their communications and considers that to be sufficient information (Huggins, 2013). Clinicians have consistently stated the opinion that HIPAA’s threshold is too low. The threshold defined by the 2014 ACA Code may be more appropriate to professional sensibilities.
Note: I have created an Email and Texting Risk Questionnaire to help Counselors and other therapists with the task of fully informing clients of the risks of email and texting. The questionnaire is available to subscribers of our free newsletter, which you can subscribe to by clicking here.
Much more controversially, in my opinion, the 2014 code also plunges a little deeper into the world of security:
H.2.d. Security
Counselors use current encryption standards within their websites and/or technology-based communications that meet applicable legal requirements. Counselors take reasonable precautions to ensure the confidentiality of information transmitted through any electronic means.
(American Counseling Association, 2014)
The first sentence refers to using current “encryption standards.” This text is confusing, in that it appears that the intention is to require that Counselors use current security standards – specifically technical security standards that involve software and hardware security measures, including encryption. If my analysis is correct, however, the language of subsection H.2.d muddles this interpretation significantly.
This may be the only time in my teaching and consulting career that I ever downplay the importance of encryption, as it is extremely important for managing a wide variety of security risks. My concern with this passage is that it only calls for encryption and specifically calls for encryption. I am concerned that with this kind of language, Counselors may be lulled into believing that a given tool is sufficiently secure because it uses encryption in some way or another, unaware of the need for a variety of measures – including encryption, authentication, policies, procedures, risk analysis, etc. – to make any information technology system secure. I am also concerned that viable, expert-validated, and HIPAA-compliant security solutions that do not employ encryption could be argued to be unethical in a hostile environment such as a malpractice case.
The second sentence is reminiscent, for me, of the Transmission Security standard from the HIPAA Security Rule. It appears that subsection H.2.d has an overall intention to urge Counselors to use technical security measures, with encryption being specifically named, when using transmission tech such as email, text messaging, video, etc. While this intention is, in my opinion, both appropriate and called for at this time in history, I am concerned about the possibility that subsection H.2.d’s language may have more restrictive effects than were intended by the task force.
Interpreting Our Responsibilities, and Does Client Autonomy Still Exist Around Communications?
As stated above, section H.2.d can easily be read as requiring that Counselors always use encryption and other security measures when communicating with clients, regardless of whether or not encryption is a relevant measure and whether or not clients wish for their Counselors to use non-secure methods of communication. Fortunately, Michelle Wade of the 2014 ACA Ethics Revision Task Force was willing to clarify this issue for us. She stated in an email to me:
When using digital media/technology, nothing is ever 100% safe and for the most part, I imagine clients understand that. Clients have the autonomy to do what they wish to do and communicate the way they wish to communicate. Clients control the confidentiality aspect – for example, they decide how they introduce you/whether to acknowledge you in the grocery store, they decide whether to have their distance counseling session in a Starbucks, or they decide to sign a blanket release to their attorney. However, that autonomy does not negate our ethical responsibility to make sure the client is as informed as possible about the benefits/risks of such decisions. We have an ethical responsibility to say: “I’m not going to come up to you in public, I am not even going to acknowledge you before you do so” or “Your counseling session is your time, you need to be aware that if you conference with me from Starbucks others can hear what we are saying and therefore it is not private” or “I understand that you want me to communicate with your lawyer, but let’s talk about what we specifically should share because giving him complete access to your entire record may not be in your best interest”.…Counselors also have an ethical responsibility to talk with the clients within the informed consent process that email may not be the best way to communicate because of that lack of confidentiality and/or the expected response time.
(M. Wade, Personal Communication, April 7th, 2014)
Wade reiterates the point that Counselors have an affirmative responsibility to make sure clients recognize the potential risks to confidentiality in the digital and networked technology they use as well as how, where and when they use it. Importantly, she also acknowledges that clients still retain the autonomy to consent to the use of email or texting as they wish or need:
I do think counselors have an ethical responsibility to do all that they can to protect clients, but yes autonomy exists and if a client signs off on the risks, then the counselor has definitely taken reasonable precautions.
…[try] not to use something like yahoo, but a more secure email server… In other words, I am using a more secure system to send an email out than perhaps another service, so I am taking an extra precautionary step.
(M. Wade, Personal Communication, April 14th, 2014)
Wade reminds me that despite protecting client autonomy, the new ethics code does not excuse Counselors from the need to make their communications as secure as reasonably possible. This standard is not really different the HIPAA/HITECH standard, in my opinion. For example, since September of 2013, other mental health technology experts and I have been advising colleagues that we should have HIPAA Business Associate Agreements with our email providers (Not sure what that is? See our article, “What is a HIPAA Business Associate Agreement?”.) This does not do anything to make the emails we send impenetrable by bad guys, but it does make the email providers we use accountable for safeguarding the various client emails and contact information we store with them. Note that both Google and Microsoft now offer such contracts to the paying users of their email services:
- Google and HIPAA Compliance: Gmail, Drive and Calendar Now Accessible For Health Care Professionals
- HIPAA Omnibus and Microsoft Office 365
- Also see our semi-regularly updated list of secure email providers
As an aside, I want to urge readers to remember that sending an email from an encrypted email service like Hushmail does not confer any extra security to the email at all if you have not specifically chosen to make the email a secure one – that generally means checking a box that says something like, “encrypt this email.” Note that other people cannot read encrypted emails using their normal email services. If you send an email to a client and it arrives in the inbox of their classic email service without any hassle, then the email is in no way specially secured regardless of what service you used to send it. This is why we need to do an informed consent process with clients around sending emails.
Using a secure email system will likely add security to the emails you receive and store from clients, however, and that is worthwhile.
Counselors Have an Increased Responsibility to Understand the Tech We Use
The new code provides a number of reasons why we now have a heightened responsibility to understand the digital tech we use in practice and/or with clients. We need to be capable of discussing with clients the risks and benefits of digital and networked technology, we need to take precautions to make our own tech reasonably secure, and in the next article I will discuss the new requirement that we inform clients when we keep electronic records as well as how we secure those records.
At Person-Centered Tech, we have been working for several years to provide free articles and resources to clinicians to help achieve this goal. Most of our resources are free, but we also have some continuing education trainings that many colleagues have found useful to getting a better grip on their practice technology. A number of other experts in the integration of technology into mental health provide additional free educational resources:
CE Opportunities
- Our Digital Confidentiality LIVE webinar series
- Our Online, Self-Study CE Courses at the Zur Institute
Free Resources:
- Our free newsletter, with articles on current issues as well as access to our clinical and HIPAA-compliance forms
- Therapy Tech with Rob and Roy: Free videos on various therapy technology issues
- Tame Your Practice: Rob Reinhardt’s website, which contains many articles on therapy technology issues
- Dr Keely Kolmes’ articles for clinicians on social media and other technology use in professional practice.
We also provide important updates to clinicians in our LinkedIn group and via our Facebook Page.
References
- American Counseling Association. (2014). ACA Code of Ethics. Alexandria, VA: Author.
- Huggins, R. (2013, October). Clients Have the Right to Receive Unencrypted Emails Under HIPAA. Retrieved October 17, 2013, from Person-Centered Tech: https://personcenteredtech.com/2013/10/clients-have-the-right-to-receive-unencrypted-emails-under-hipaa/
Thank you for this information! I have followed you off and on for a few months. At first, you scared me. Then I found ways to incorporate your advice and information in my practice in a way that makes me much more comfortable and more protective. Keep up the good work!
Thanks for sharing that, Christy. It definitely is great to hear that these articles ended up being helpful!
Hello Roy. Can one be HIPAA compliant and use texting with a client if both phones are secure and the texts are encrypted via an app? Or would one need a BAA with the cellular company? Do you know if one can be HIPAA compliant and use a cell phone to talk to a client?
thank you very much.
My understanding from all of Roy’s good advice is to tell the client it is not a secure medium but they may choose to use it if they are ok. I’m thinking about posting a sign in my office that lists all the insecure ways to contact me and the one ‘more’ secure way–the encrypted client portal. Giving choices and information to make them is a big part of our job. We won’t be able to protect our clients from everything, but with information, they can decide their own risk level. Which seems to be central to most of the interventions we use.
Ooh, posting a sign — I hand’t thought of that. People are looking for ways to give their clients all this info without overwhelming them with intake paperwork. This could be a good solution for some folks.
Hi Ray,
The answers are complex, because HIPAA compliance is actually pretty circumstances-based. I can tell you that cellular phones have changed a lot in the last 10 years and I wouldn’t worry about using them with the vast majority of clients. For voice calls, you do not need a BAA with the phone company.
As for trading texts, your issue may have more to do with ethical standards around telehealth services than with HIPAA if you’re using good security.
This is a good time to note that I offer consulting services and that I have courses that talk about these issues: https://personcenteredtech.com/training/ce-program-offerings/heart-centered-hipaa-and-ethical-security-for-client-and-clinician-protection-level-i-ii/
Thanks so much for the information. It’s still a bit unclear to me, so I just wanted to clarify.
Based on what I’ve read here, I believe that as long as I have discussed the risks with clients and they have signed a consent form (similar to the one you provide to your subscribers)I am technically still allowed to use an unencrypted e-mail service–is that right? Thanks!
If you meet the legal and ethical requirements around informing clients of risks, then they generally have the autonomy to accept those risks. Remember that you would still need a BAA with your email provider and still need to assess and consider the risks of the emails you send.
Thank you for this informative information and accessibility of staying up to date with HIPPA information in the technology age.
You’re very welcome!