[Transcript] Episode 513: Privacy On The Go: Safeguarding Client Information While Traveling
Evan Dumas
You’re listening to Group Practice Tech, a podcast by Person Centered Tech, where we help mental health group practice owners ethically and effectively leverage tech to improve their practices. I’m your co-host, Evan Dumas.
Liath Dalton
And I’m Liath Dalton, and we are Person Centered Tech.
Liath Dalton
This episode is brought to you by Therapy Notes. Therapy Notes is a robust online practice management and electronic health record system to support you in growing your thriving practice. Therapy Notes is a complete practice management system with all the functionality you need to manage client records, meet with clients remotely, create rich documentation, schedule appointments and bill insurance, all right at your fingertips. To get two free months of Therapy Notes as a new Therapy Notes user, go to therapynotes.com and use promo code PCT.
Evan Dumas
Hello and welcome to Episode 513: Privacy On the Go: Safeguarding Client Information While Traveling.
Liath Dalton
Yes. This is a topic and consideration that has been increasingly popping up in terms of the sorts of questions and concerns that get raised by the folks in the PCT community related to how to best safeguard client info.
Liath Dalton
So it’s both a timely and important consideration, and before I even get into the sort of originating question that sparked this, I want to emphasize that this is not something that is fear mongering or paranoia. We would frame this as something that is really thoughtful risk management that’s grounded in and reflective of the ethics and the ethics standards that apply to compliance and to client care, and safeguarding client info is a vital part of client care.
Evan Dumas
Yeah.
Liath Dalton
So Evan, what was the excellent question that got posed to us last week in our Office Hours slash Group Practice Office Hours session with Eric? And for those of you who aren’t fully in the fold, Eric is the teletherapy and HIPAA, like, therapist attorney. He’s both an attorney and a practicing clinician himself, who is a friend of PCT and co-facilitates our direct support and consultation sessions on a monthly basis.
Evan Dumas
So here’s the question regarding the Customs and Border Patrol issue, which is reports of them searching people’s devices at the border. My question is, what should we do to protect our phone content from potential government authorized access? Some folks online are recommending not traveling with our usual phones or deleting some apps before we travel. What do you think?
Liath Dalton
And we, in response, had a very in-depth discussion and exploration of what the concerns are, sort of, what the different factors to evaluate in terms of applying a risk analysis lens are, and then what the proactive steps that we can take to address this are.
Liath Dalton
So we’re going to kind of rehash that discussion and the points that we made throughout it for each of you, so that you can be equipped with that knowledge and ability to navigate this aspect of things. So we’re going to start with talking about why travel raises these privacy and client info kind of security concerns.
Evan Dumas
Yeah. So this is fun and tricky, because this goes outside the scope of HIPAA and sort of towards the more scope of, okay, what are your rights with the federal government? Because, you know, the Fourth Amendment guarantees you protections against unlawful search and seizure, but it’s long been ruled that borders are kind of a gray area for this. So, like, having searches at the border is more okay than having them internally. And because when you leave or exit or enter a border, you’re kind of in an exclusive federal jurisdiction. You’re not really, state confidentiality is kind of trumped by federal rules in that circumstance.
Liath Dalton
Exactly. And airports are considered these border stations, whether it’s a state border or a national border. So essentially, Customs and Border Patrol agents have the ability to search devices without a warrant, right?
Evan Dumas
Yep, yeah.
Liath Dalton
And so, of course, there are personal privacy considerations that are significant for some folks, and really significant for others. And what we’re going to be focusing on, though, are the concerns as it relates to client info. But I want to emphasize that the guidance we’re giving on how to safeguard client info also translates to safeguarding personal info.
Evan Dumas
Oh, definitely, definitely. Yeah.
Liath Dalton
Exactly. So this is another instance of the PCT approach to two birds, one feeder.
Liath Dalton
So essentially, like as Evan said, the issue is that when you are in one of these designated border zones, you are subject to the federal jurisdiction and not necessarily to any of the more protective, in this instance, state laws. And so that means that, again, devices can be both searched and seized without a warrant, and that Customs and Border Patrol agents can compel device access through detainment as well.
Evan Dumas
Mhm, yeah.
Liath Dalton
And if you refuse to give access to devices, they can seize the devices and copy the contents before returning them to you.
Liath Dalton
Yes, this is like a major thing. And I want to emphasize we are not fear mongering here. We really aren’t. We are reporting what is existent, and what we have seen occur in numerous instances, and something that the Supreme Court has thus far avoided weighing in on,
Evan Dumas
Yeah.
Liath Dalton
as well, right?
Evan Dumas
Yeah.
Liath Dalton
And given its current kind of demographic spread, I’m going to say they are unlikely to weigh in anytime soon. So what that means is that taking these proactive steps is all the more important.
Evan Dumas
Yeah, definitely.
Liath Dalton
So in our discussion last week, a really great point was brought up by Eric. Which is that, in this context of it being under federal law and federal auspices that the sort of search and seizure can be done, HIPAA is basically a minimum standard for protecting client info; it’s not the ceiling.
Evan Dumas
No.
Liath Dalton
Right?
Evan Dumas
No.
Liath Dalton
But HIPAA permits the disclosure of Protected Health Information,
Evan Dumas
Yeah.
Liath Dalton
to law enforcement and for national security purposes, or health purposes, even more broadly.
Evan Dumas
Yeah, broadly.
Liath Dalton
So HIPAA is not a regulation that can safeguard client info from being disclosed or viewed under these circumstances. So unfortunately, if you are traveling and you have client info on your phone, and you get selected for this sort of examination where they want to view the contents of your phone, you can’t say, wait, hold up, I’m a HIPAA covered entity, you can’t look at this. Because HIPAA does not prevent them from being able to view this information. It permits it, right?
Evan Dumas
Yeah, yeah. Broadly. Like, you can’t just be stopped on the street and be like, well, gotta get my info over.
Liath Dalton
No.
Evan Dumas
Like we’re talking no special circumstances here.
Liath Dalton
Yes, the very specific circumstances of when you are in a defined border zone.
Evan Dumas
Yeah, exactly.
Liath Dalton
Which, more generally, airports are, which provides for this. So the HIPAA card is not one that you can play that is going to allow you to safeguard client info from being viewed.
Liath Dalton
So again, going back to what Eric said about HIPAA being a minimum standard, but not the ceiling. We need to be considering this from a sort of viewpoint that just because it is legally permissible under HIPAA for client info to be viewed and accessed in these circumstances does not mean that it is not going to cause client harm, right? And be significantly impactful, particularly for vulnerable clients.
Evan Dumas
Oh, yeah, incredibly impactful.
Liath Dalton
So, let’s get into that a little bit before we get into what you can do about it. Let’s talk about why this matters so much, particularly for certain clients. So why does this matter for some of your clients more than others?
Liath Dalton
Well, if you have client information that has any identifying information related to immigration status, gender identity, reproductive health or other sensitive matters, you can sort of connect the dots as to why that information being disclosed, in this context, could lead to client harm.
Evan Dumas
Oh, easily. Yeah.
Liath Dalton
Right? So this is something that we’re wanting to emphasize is important: to be doing a risk analysis of your client information’s potential impact if it gets disclosed in this context, so that you can then, based on that sort of risk analysis result, take the appropriate measures to prevent that from being exposed and being an issue.
Liath Dalton
And I want to emphasize too, that in the context of immigration status, like this is something that is fairly fluid right now, in the sense that I would put any client in that more vulnerable category regarding immigration status, if they are not a natural born US citizen.
Liath Dalton
So even naturalized US citizens are at risk here, and there are multiple instances of that having played out in recent weeks at the time of recording as well.
Evan Dumas
Mhm, yeah.
Liath Dalton
So again, when looking at sort of immigration status risk, any client who is not a natural born US citizen needs to be put into that higher risk category. Okay?
Evan Dumas
Yeah, definitely.
Liath Dalton
So then going on to the sort of, what do we do about it, and the practical strategies for how to mitigate risk. Of course, we already said that you’re going to be starting with that risk analysis. And Evan, this is absolutely your domain, because you’re the, he’s the PCT team member who handles this aspect for our folks. So please, run us through this.
Evan Dumas
Yeah, sure. So just apply a little curiosity and ask yourself, where is the client data stored? Is it on my phone? Is it on a cloud-based service? Is it on your computer, etc.? What threats are reasonably anticipated? Threats, in this case, being like someone wanting to open your laptop or unlock your phone or dig through it or copy it or take it away, things like that. And what’s the worst case scenario if this device gets accessed, if it gets taken, if it gets copied? Definitely think through the absolute worst case scenario of how this will impact your practice, how this will impact your clients, and sort of work backwards from there.
Liath Dalton
Exactly. So this is something you want to be doing before you travel, or before any team member who has access to client info on devices that they may be traveling with travels.
Evan Dumas
Yeah.
Liath Dalton
So what you want to be doing before you travel is identifying, again, like Evan said, what client info you have on the devices that you’re going to be traveling with, and basically removing any client info that is not absolutely necessary.
Evan Dumas
Mhm.
Liath Dalton
Thankfully, in the typical practice context that we are working with, both solo practitioners and group practices alike, the vast majority of client info that you are handling in any way is contained in HIPAA-friendly cloud-based systems.
Evan Dumas
Yeah, yeah.
Liath Dalton
But then your devices have these apps.
Evan Dumas
Yes.
Liath Dalton
And local data storage where a certain amount of data from those cloud based services is synced locally to your device, right?
Evan Dumas
Yeah.
Liath Dalton
So, Evan, how can we manage that? And this does go beyond just removing the apps themselves, because of that local data storage and syncing piece, right?
Evan Dumas
Yeah. But, I mean, that’s the first step. Remove those local apps, just anything that connects to it: Google Drive, Gmail, EHR, secure messaging apps. Just remove them and know you can always reinstall them later, and they’ll access the cloud-based services that you need, which is really great.
Evan Dumas
Other things you can do are removing those saved passwords and browser logins. So this is a great reason why using a password manager to handle your passwords is great, because all you need to know is that one. And having autofill is dangerous, because then anyone who has your device and has unlocked it can autofill with your passwords.
Liath Dalton
Exactly. So some of the like really security conscious experts and advisors are saying, don’t just remove apps, but also turn off your biometric login.
Evan Dumas
Oh yeah, yeah.
Liath Dalton
So normally we say, have those biometric logins enabled, because those facilitate making it easier to have complex and unique passwords for everything, right?
Evan Dumas
Yeah.
Liath Dalton
But, just for the purposes of when you’re going through these designated border zones where devices can be subject to the search and seizure, we want to remove that. Because that’s a point of easy access, and one that is hard to deny. Because the reality is that refusing to provide the login or unlock your device is something that can then result in longer detention or increased scrutiny, right? So we want to avoid that, yeah.
Evan Dumas
Nothing like saying, “No, I don’t want to,” to make them go, “Oh, so you care about this? That means there’s something in here.”
Liath Dalton
Right? So this is not an instance in which to say, I’m a HIPAA covered entity, you can’t look at this.
Evan Dumas
Yeah.
Liath Dalton
We do not want folks doing that. Because, like Evan said, that’s going to raise suspicion, and may make it a more difficult process for you to navigate this aspect of things.
Evan Dumas
Mhm, exactly.
Liath Dalton
So the best thing to do, actually, is going to be to make sure that you remove those apps that access any client info, and ideally, to do a factory reset of your device.
Evan Dumas
Yeah.
Liath Dalton
So that it removes any of the local data that’s synced. And this is part of the beauty of using HIPAA-friendly apps and services for handling client info: the removal of the app from a specific device is not like deleting that data
Evan Dumas
No.
Liath Dalton
from existence.
Liath Dalton
So in terms of HIPAA, what we’re always considering are the three types of kind of device or information security that need to be in place, or what needs to be safeguarded. And that’s confidentiality, availability and integrity. And thankfully, removing apps and what’s locally stored on your device, provided that it is backed up to a HIPAA-friendly, cloud-based service, is not going to compromise the ability to meet the availability standard.
Evan Dumas
No, no.
Liath Dalton
Right?
Evan Dumas
Not at all, no.
Liath Dalton
So that’s kind of just, make things as pared down as is possible. And this is another instance of applying the minimum necessary standard, really.
Evan Dumas
Mhm.
Liath Dalton
And then after you go through border clearance, you can just reinstall those apps.
Evan Dumas
Yeah, easily.
Liath Dalton
And system access.
Evan Dumas
Exactly.
Liath Dalton
So, Evan, I actually want to go back to what you were saying about if you’re using a password manager, because I would say, I think we want folks to be removing the password manager app from the device as well.
Evan Dumas
True. Yeah, yeah. That’s probably the easiest way. Because then they’d think, oh, password manager, secrecy. Secrecy is a red flag. So yeah, that might be a good thing.
Evan Dumas
But so when you remove the password manager, there’s usually printouts of, like, oh, here’s your secret long code to reinstall your thing, or don’t lose this one special key. Then you have to ask yourself, okay, how would I bring that with me if I do need access to my passwords from afar? And that, you know, could just be a paper printout in a bookmark or something like that. So there are ways to discreetly keep these password methods somewhere on your person.
Liath Dalton
Or to put it into another system.
Evan Dumas
Oh, yeah.
Liath Dalton
Like if, let’s say, someone’s using 1Password as their password manager, and that’s PCT’s favorite password management program, you could put that recovery key into a Google Drive folder, right?
Evan Dumas
Sure, yeah.
Liath Dalton
That only you have access to, and then maybe the second password that you remember, in addition to your device’s passcode, is going to be that password or passphrase. This is where passphrases get really helpful.
Evan Dumas
Yeah.
Liath Dalton
So have a passphrase instead of a password that has a bunch of wonky characters and is more complicated to remember. A passphrase is easier to remember but can be equally as complex and hard to break.
Liath Dalton
So if you have a passphrase for your Google Drive or your Google Workspace account, then once you’ve gone through the border clearance process, you could just log in to your Google Workspace using that remembered passphrase and then reinstall 1Password and be able to access all of the apps. Or do a device reset from a cloud backup, right?
Evan Dumas
Totally, yeah.
Liath Dalton
So we’re getting into, like, really, technical details.
Evan Dumas
True.
Liath Dalton
Part of why you’re probably going, oh my goodness, this is so much information. So what do we want the key takeaways for folks to be, Evan?
Liath Dalton
Doing the risk analysis, if you or any team member that has client info is going to be traveling, evaluating whether there could be potential risks that result in harm to clients in the event that you or this team member are subject to the device search and seizure. And then, if that’s applicable, we’re going to give you a checklist of some action steps, and also put together a little supportive workshop so that we can go over the hands-on specifics of each of these different pieces. Because I am realizing that this might be kind of one of the first points of information exposure that gets realized in our current threat landscape, right?
Evan Dumas
Oh, definitely, yeah.
Liath Dalton
Folks are also bringing us questions concerned about just what goes into the client’s record in terms of their chart notes. And while that does have its own host of considerations, there are typically more kinds of protections in place for that info. So that makes it a less likely point of risk exposure than this issue, actually.
Evan Dumas
Mhm, yeah.
Liath Dalton
So stay tuned for the further resources we’re going to be providing to all of you, and also don’t hesitate to reach out and make use of Office Hours or Group Practice Office Hours, so we can support you through this process.
Evan Dumas
Yeah, definitely.
Liath Dalton
Well, thanks for joining us, everyone. Take good care and we’ll chat to you next week.
Evan Dumas
Yeah, talk to you next week, everybody.
Liath Dalton
This has been Group Practice Tech. You can find us at personcenteredtech.com. For more podcast episodes, you can go to personcenteredtech.com/podcast, or click podcast on the menu bar.
Your Hosts:
PCT’s Director Liath Dalton
Senior Consultant Evan Dumas
Welcome solo and group practice owners! We are Liath Dalton and Evan Dumas, your co-hosts of Group Practice Tech.
In our latest episode, we share steps to take to protect client information from being accessed at the US border.
We discuss:
- Devices being searched by Customs and Border Patrol at the US border
- Why border agents can search devices without a warrant
- HIPAA being the minimum security standard, not the ceiling
- When HIPAA permits disclosure of PHI
- How clients can be impacted when PHI is accessed by law enforcement
- How to conduct a risk analysis of the potential impact of client PHI being accessed by law enforcement
- What to remove from devices before traveling
- Upcoming resources we will be providing on this topic
Therapy Notes proudly sponsors Group Practice Tech!
TherapyNotes is a behavioral health EMR/EHR that helps you securely manage records, book appointments, write notes, bill, and more. We recommend it for use by mental health professionals. Learn more about TherapyNotes and use code “PCT” to get two months of free software.
*Please note that this offer only applies to brand-new TherapyNotes customers
Resources for Listeners
Resources:
- The Verge article: Is it safe to travel with your phone right now?
PCT Resources:
- Travel Device Security Checklist — coming soon as a free resource! This link will be updated as soon as we publish it. Thanks for your patience while we finish it up!
- Group Practice Care Premium
  - weekly (live & recorded) direct support & consultation service, Group Practice Office Hours, including monthly session with therapist attorney Eric Ström, JD PhD LMHC
  - assignable staff HIPAA Security Awareness: Bring Your Own Device training + access to Device Security Center with step-by-step device-specific tutorials & registration forms for securing and documenting all personally owned & practice-provided devices (for *all* team members at no per-person cost)
  - assignable staff HIPAA Security Awareness: Remote Workspaces training for all team members + access to Remote Workspace Center with step-by-step tutorials & registration forms for securing and documenting Remote Workspaces (for *all* team members at no per-person cost) + more
- For Solo Practitioners: PCT’s Telemental Health Certificate Program