Imagine holding space for your most vulnerable clients while they work through difficult material. You need to make it safe to be emotionally open so they can perform the tough tasks involved in healing. Now, imagine trying to do that with your office door open and everyone in the waiting room watching the two of you work.
Some of us can roll with that. But for most of us, such an environment would create major barriers to what we’re trying to accomplish.
When we develop our clinical skills, we usually assume a private, intentionally-designed space for working in. We think about closed doors, noise machines, and all those things that measurably protect our clients’ ability to keep their story their own and hold them in a safe environment.
Part of what lets vulnerable clients know they can trust us with their stories is the knowledge that we regard those stories as sacred and private.
So that raises a question: how do we hold a safe, secure space when clients communicate with us by email, text, or phone?
It all starts with you… and your devices
You may be thinking that making a safe space for online communications is all about the services we choose: the right email service, the right texting service, etc. You’re definitely right about those things being vital. In fact, we spend a lot of time talking about service selection here at Person Centered Tech. But in this article, I want to highlight the importance of our devices (i.e. smartphones, computers, etc.)
Whatever services you use, appropriate or inappropriate, you still use your own devices to access and interact with those services. Using a secure texting app? Great — is your smartphone prepared to protect the messages you send and receive through that app? How about your emails?
The security of your services is largely the responsibility of the service provider — that’s why you need to be so careful in choosing appropriate providers for your practice. Your smartphone, computer, and other devices, however, are entirely in your own control. To hold a safe space for clients from end-to-end, you need to keep your devices well-secured, too. It all starts and ends with our devices, and we need to make them into places that are safe for our clients’ narratives and other information.
Does HIPAA actually require device security? Do our ethics codes require it?
In a nutshell: yes.
HIPAA has a number of security standards which impact the way you handle your devices. No surprises there.
Some ethics codes also explicitly call on us to secure devices, but all of them call on us to protect clients’ confidentiality and safeguard our relationships with them. Just imagine having to tell a client that you lost your computer and that now some stranger has copies of the emails you exchanged and the progress notes that you wrote about them. There’s a HIPAA security breach in there, yes. But there might also be a breach to the therapeutic alliance.
In other words, it’s not always immediately obvious how protecting our devices is a part of making a safe space for clients. Sometimes it doesn’t become apparent until the safety of that space is threatened (or breached, unfortunately.)
The situation is made especially difficult because we have to prepare for something that we can’t tangibly perceive. Ironically, mental health professionals are usually the best in the industry at working with intangible things! But in the case of information security, all of us (including your very techie author) need to intentionally keep in mind how our clients’ stories flow in and out of the devices we use. And we need to be just as intentional about keeping those devices as secure and safe as we do our office spaces.
I’ve written about keeping devices secure before, and I even wrote out a checklist of exactly what things need to done to “harden” a smartphone, computer, or tablet. Check it out here→. We also have a package of a 1-hour CE course + video tutorials for hardening all your devices easily and quickly.