By Alli Spotts-De Lazzer
Q: How do I ensure that my clients' privacy and confidentiality are protected if I lose my smartphone or laptop?
A: Like many of our most useful objects---think wallets, keys, or umbrellas---our smartphones, laptops, and other portable devices are easy to lose or misplace. In the United States, 113 mobile phones are lost per minute, as widely cited on the web. Every week, 1,200 laptops are lost, missing, or stolen at Los Angeles Airport, according to Airport Insecurity, a 2008 study conducted by the Ponemon Institute.
If you're a psychotherapist who uses any portable device to communicate with or about patients, it's vitally important to assess confidentiality risks and implement data security before a theft or loss occurs. Although no security is 100 percent foolproof, you can make reasonable and appropriate efforts to protect confidential data.
When I asked a group of therapists if they had passcode-protected smartphones, the majority didn't know the option existed or how to use it, yet each phone held confidential client information. The legal and ethical consequences of data breaches continue to develop alongside the technological advances, and it's imperative that psychotherapists uphold the tenet of confidentiality in any medium they use.
In a striking, true example of a catastrophic confidentiality breach brought about by the loss of a portable device, a psychotherapist's phone somehow got into the wrong person's hands. That person began calling people on the contact list, eventually stalking and raping a contact who turned out to be the clinician's patient. Needless to say, this loss has had far-reaching consequences---legal, ethical, administrative, and emotional.
In a contrasting case, appropriate security measures---laptop locked in a desk behind a locked door in the office, use of passcode protection, and so forth---greatly reduced the therapist's risk of liability after a theft. He filed reports with the police and his malpractice insurance and notified his patients of the theft. When he consulted his lawyer and ethics committee, he was advised that, because proper security measures had been taken and his patients' specific compromised data had been minimal, he didn't have to report the incident to entities set up by the Health Insurance Portability and Accountability Act (HIPAA) or his regulatory board, both of which have the authority to impose disciplinary actions or monetary fines.
Psychotherapists' use of portable devices can be subject to state laws, licensing board ethical standards, and HIPAA regulations. Although many state governing boards and ethics committees don't have portable device-specific regulations outlining exactly what steps must be taken to safeguard confidentiality by a therapist using such devices for work purposes, traditional confidentiality principles and Federal HIPAA regulations dictate that a therapist take reasonable and appropriate security measures for protecting patient confidentiality.
Although there are many ways to implement technological security, here are basic lines of defense that any psychotherapist can employ for a solid start to data protection.
Use encryption coupled with passcodes and firewalls when possible. These help maintain a basic HIPAA tenet: regarding protected information, prevent unauthorized or inappropriate access, use, and disclosure. Passcode protection can authenticate a user the way a key opens a lock. The longer and more complex the passcode, the more difficult it is for someone to pry your device open. Encrypting basically means transforming readable into unreadable information. With encryption, a therapist may be allowed to avoid the mandatory HIPAA directive of notifying clients that their protected data may have been compromised. Firewalls help stop unwelcome visitors from infiltrating your information and devices---like the bars you put on your home's windows that keep out unwanted burglars but let fresh air in.
A therapist's best defense for minimizing liability is to demonstrate that he or she made reasonable efforts to properly protect and secure confidential data. You'd be well served to consult with technological, ethical, legal, and HIPAA compliance resources and experts in your state or jurisdiction for specifics about how to do this. Even if learning about your device's security seems intimidating or laborious at first, your preventive actions will ultimately help decrease the complications in the event of a theft or a loss and increase the likelihood of maintaining your clients' privacy and confidentiality.
This blog is excerpted from "What If Your Mobile Device Went Missing?" by Alli Spotts-De Lazzer. The full version is available in the July/August 2012 issue, Ethics in the Digital Age: How Casual is Too Casual?
Read more FREE articles like this on Professional Development.
Want to read more articles like this? Subscribe to Psychotherapy Networker Today! >>
Illustration © iStock