Q: How do I ensure that my clients’ privacy and confidentiality are protected if I lose my smartphone or laptop?
A: Like many of our most useful objects-think wallets, keys, or umbrellas-our smartphones, laptops, and other portable devices are easy to lose or misplace. In the United States, 113 mobile phones are lost per minute, as widely cited on the web. Every week, 1,200 laptops are lost, missing, or stolen at Los Angeles Airport, according to Airport Insecurity, a 2008 study conducted by the Ponemon Institute. In 2005, Perry Garfinkel of The New York Times reported on a study carried out by the Chicago-based mobile-data protection software company Pointsec Mobile Technologies. It included the number of mobile devices left in the taxis of a single Chicago cab company during the last six months of 2004: 387 mobile phones, 97 PDAs and pocket PCs, and 20 laptops. Extrapolating from those figures to all of Chicago’s 25,000 cabs means that approximately 85,619 mobile phones, 21,460 PDAs and Pocket PCs, and 4,425 laptops were left in the city’s taxis during those few months.
If you’re a psychotherapist who uses any portable device to communicate with or about patients, it’s vitally important to assess confidentiality risks and implement data security before a theft or loss occurs. Although no security is 100 percent foolproof, you can make reasonable and appropriate efforts to protect confidential data.
When I asked a group of therapists if they had passcode-protected smartphones, the majority didn’t know the option existed or how to use it, yet each phone held confidential client information. The legal and ethical consequences of data breaches continue to develop alongside the technological advances, and it’s imperative that psychotherapists uphold the tenet of confidentiality in any medium they use.
In a striking, true example of a catastrophic confidentiality breach brought about by the loss of a portable device, a psychotherapist’s phone somehow got into the wrong person’s hands. That person began calling people on the contact list, eventually stalking and raping a contact who turned out to be the clinician’s patient. Needless to say, this loss has had far-reaching consequences-legal, ethical, administrative, and emotional.
In a contrasting case, appropriate security measures-laptop locked in a desk behind a locked door in the office, use of passcode protection, and so forth-greatly reduced the therapist’s risk of liability after a theft. He filed reports with the police and his malpractice insurance and notified his patients of the theft. When he consulted his lawyer and ethics committee, he was advised that, because proper security measures had been taken and his patients’ specific compromised data had been minimal, he didn’t have to report the incident to entities set up by the Health Insurance Portability and Accountability Act (HIPAA) or his regulatory board, both of which have the authority to impose disciplinary actions or monetary fines.
Psychotherapists’ use of portable devices can be subject to state laws, licensing board ethical standards, and HIPAA regulations. Although many state governing boards and ethics committees don’t have portable device-specific regulations outlining exactly what steps must be taken to safeguard confidentiality by a therapist using such devices for work purposes, traditional confidentiality principles and Federal HIPAA regulations dictate that a therapist take reasonable and appropriate security measures for protecting patient confidentiality.
To adhere to the legal and ethical responsibilities of confidentiality, therapists generally need to manually enable various privacy settings and sometimes purchase additional security software when a client’s shielded information is stored on a portable device. While it would seem logical that manufacturers would automatically preset portable devices to protect the consumer’s privacy, they often do not. For example, to increase security levels when setting up a new iPhone, it’s necessary to enable settings that offer protection. That means setting the screen to lock to prevent unauthorized access; creating a passcode; sliding on the “erase data” option (after 10 wrong passcode attempts, the phone will erase itself); making sure location services are turned on for tracking capabilities; and activating Find My iPhone (an application that allows you to locate your iPhone on a map as well as execute a “remote wipe,” which cleans the data off it). During this process, you may discover that your particular device doesn’t offer all the safety measures you want. If that’s the case, you may need to limit and disguise any sensitive information it contains. Specific security actions for each smartphone, laptop, or tablet will differ. It’s up to therapists to do their homework to understand each device’s security capabilities and limitations.
Although there are many ways to implement technological security, here are basic lines of defense that any psychotherapist can employ for a solid start to data protection.
- Keep track of and limit any confidential information you store on your equipment. Do any of your stored notes contain identifying information? Could your calendar reveal clients’ identities? Do you allow unnecessary information like historic client texts or e-mails to remain on your device?
- I informally polled more than a dozen therapists who generally consider their confidentiality practices to be stringent. When asked if there was any client information on their mobile devices or laptop computers, most believed that confidentiality was protected. But when encouraged to look more closely, many soon recognized unexpected security risks. One forensic psychologist I spoke with shook her head in disbelief as she examined her smartphone. She said, “Yep. Here’s my ‘Private Practice’ e-mail account and my ‘Client E-mail’ folder, both clearly labeled. I can’t believe it! My computer synced it, and I didn’t realize.”
- Keep your devices on your person and don’t leave them unattended-at least not in plain sight. Although this may sound wildly obvious, a moment’s inattention can lead to big problems. A therapist I spoke with remembered what had happened when he hadn’t followed that approach: “It was my stupid mistake. I was in a rush. I left my computer bag on my car seat while I ran into the store. I was in there less than 10 minutes.”
- Use encryption coupled with passcodes and firewalls when possible. These help maintain a basic HIPAA tenet: regarding protected information, prevent unauthorized or inappropriate access, use, and disclosure. Passcode protection can authenticate a user the way a key opens a lock. The longer and more complex the passcode, the more difficult it is for someone to pry your device open. Encrypting basically means transforming readable into unreadable information. With encryption, a therapist may be allowed to avoid the mandatory HIPAA directive of notifying clients that their protected data may have been compromised. Firewalls help stop unwelcome visitors from infiltrating your information and devices-like the bars you put on your home’s windows that keep out unwanted burglars but let fresh air in.
A therapist’s best defense for minimizing liability is to demonstrate that he or she made reasonable efforts to properly protect and secure confidential data. You’d be well served to consult with technological, ethical, legal, and HIPAA compliance resources and experts in your state or jurisdiction for specifics about how to do this. Even if learning about your device’s security seems intimidating or laborious at first, your preventive actions will ultimately help decrease the complications in the event of a theft or a loss and increase the likelihood of maintaining your clients’ privacy and confidentiality.
Photo by Thirdman/Pexels
Alli Spotts-De Lazzer
Alli Spotts-De Lazzer, MA, LMFT, specializes in eating disorders. She has a private practice in California.
