Heads up to Psychotherapists & Counselors
By Ofer Zur, Ph.D. & Jeffrey Barnett, Psy.D., ABPP
A shorter pdf-printable version of this article was published in the National Psychologist
Stolen laptop computers that contain clients’ confidential information seem to become weekly news in the media. Administrators, programmers, psychotherapists, and researchers often travel with a laptop. Clinicians who work in multiple offices often find it especially helpful or even mandatory to utilize a laptop to transport clients’ records with them. Inevitably, some laptops are stolen, and inevitably there are breaches of confidentiality. This short article will help psychotherapists, counselors, administrators, and directors strategize how to do their best to prevent laptop theft and what to do when laptops are stolen.
Laptops or notebooks are not just an expensive piece of hardware. They often also contain the owners’ personal information, confidential office documents, a log of websites that have been visited recently, and . . . clients’ confidential information, such as clinical notes, diagnosis, treatment plans, test results, billing records, reports, testimonies, and much more. Obviously, a theft or even an accidental loss could put psychotherapy clients or patients and clinics and organizations, as well as the therapists themselves, at some serious risk.
Laptop theft is not a rare phenomenon. Some estimates suggest that a laptop is stolen every minute and most of them are never recovered. Laptops are stolen from cars, offices, and homes. They are mistakenly left behind in cabs, coffee houses, hotel rooms, and restrooms. While theft of laptops cannot always be prevented, it is the duty of the psychotherapists, administrators and directors to do their best to prevent breach of confidential information and, when such breach occurs, handle it appropriately.
In one of the few enforcements of HIPAA by Health and Human Services, a Seattle company that provides home health care services was forced, in mid 2008, to pay a $100,000 settlement because laptops, disks and tapes containing individuals’ health records were taken from company employees’ cars on 5 occasions in 2005 and 2006. The agreement seems to signal that HHS is finally taking a tougher stance toward violations. This may have started a shift from the education approach they have taken so far to an enforcement mode. This HIPAA enforcement action suggests that psychotherapists who carry patient records with them are at risk for security violations and may be held legally and ethically accountable for security and privacy breaches.
Update for 2016: HHS has clearly taken a stance of enforcement, and has made many public statements confirming that they are enforcing and will continue to enforce HIPAA. Lost or stolen laptops remain the largest source of breaches of health record security to this date.
Therapists may want to assess whether or not the stolen laptop only contains confidential clinical information or also includes billing information, which may provide data (e.g., SS #) for someone to steal the identity of any and all patients. Most psychotherapists are more likely to be concerned about their clinical notes and how they can affect or embarrass their clients and not realize that it is the patient who is potentially in serious danger of identity theft.
While the APA, ACA, CAMFT, NASW, and most other professional organizations’ Codes of Ethics attend to the general issues of confidentiality, they do not specifically address the issue of laptops or electronically transporting clinical records. However, the professional codes of almost all professional associations apply to all professional activities regardless of the role and regardless of the medium. The use of laptops in psychotherapists’ professional roles, like the use of the Internet, falls under the requirements of these codes of ethics. The 2016 APA Code of Ethics and the 2014 ACA Code of Ethics, like several other codes, address the need to maintain confidentiality in the use of digital technology.
While laptops are here to stay and theft cannot always be avoided, there are several things that psychotherapists, counselors, and administrators should consider and implement.
General Information and Practice Guidelines: How to Handle a Laptop Outside the Office.
- The use of laptop computers must be addressed in the informed consent process, and any potential drawbacks or risks involved must be discussed along with all precautions taken to preserve and protect each counseling client’s confidentiality. This includes methods used to prevent unauthorized access into one’s laptop at home, at work, or elsewhere.
- There are several ways that therapists may inform their clients and help them give informed consent regarding electronic records and laptops. When appropriate, therapists may inform or discuss the issue in person. More commonly, Office Policies, which clients receive prior to treatment or in the first session, may include a section on keeping and transporting electronic records. (See our Essential Clinical Forms, including Office Policies.) Following is a sample paragraph that may be included:
- Generally, if you keep electronic clinical records, it means that you are a “Covered Entity” under HIPAA and must be HIPAA compliant. HIPAA covered entity status is an increasingly complex issue. Generally, one becomes a covered entity if one bills insurance electronically at any point in one’s career. However, many state laws complicate this issue (e.g., any clinician in Texas is a covered entity according to the Texas law HB300), and our professional standards of care around maintaining confidentiality of digital information are based on the standards set by HIPAA. Thus there is even more reason to act as if one is a covered entity or at least to become familiar with HIPAA. (See Zur Institute’s educational package covering HIPAA.)
- Make sure that the laptop has a security password installed. Do not make your password something others can easily figure out, such as your pet’s name, your birth date, your child’s name, or your nickname. Periodically change your passwords. Beyond simply a password, you should use encryption to protect your whole computer. Encrypting a computer is now quite easy and inexpensive. More below.
- Backup, backup and backup. Automatic periodic backups are very simple to install and use. If you do not have an automatic backup system, download all materials from your laptop onto a computer disk on a daily basis. Store all disks apart from the laptop in a locked storage cabinet, preferably in a different structure or different location from the computer. Security experts generally agree that backups should be kept in a separate location from the computer so as to reduce the risks of both the backup and the computer being stolen, lost, burned, etc. at the same time. Protecting backups in a fire safe or other hazard and theft-proof container would also likely suffice.
- Use virus protection and a firewall on all your computers, including your laptop. Make sure you have automatic or other means to update your virus protection and firewall. The emerging trend in the digital world is that viruses and other malware are being increasingly used by hackers to get into home computers. The need to keep firewalls and anti-virus up to date is now very high.
- Delete all confidential files from your laptop that you will not need to access when going on a certain vacation or to a certain conference. Of course, keep back-ups of these files on your main computer, disc, flash-drive, etc.
- You may consider using additional password protection for the actual clinical files or folders on your computer. Beyond simply a password, you should use encryption to protect your whole computer. Encrypting a computer is now quite easy and inexpensive. More below.
- Consult with computer experts to ensure you utilize proper and appropriate available security procedures and techniques.
- HIPAA guidelines are “technologically neutral”: they do not mandate any specific technology or method; they just focus on how to maintain confidentiality in the best and most appropriate and relevant ways.
- Encryption is often recommended but, so far, is rarely used by psychotherapists in private practices, small clinics, or agencies. The main users of encryption have been those who do their billing online, health insurance companies who have online billing services, and those in certain industries with concerns about industrial espionage. Encryption software programs are increasingly available and are likely to be more commonly used by psychotherapists in the future. Encryption is now a standard because it is quite easy and inexpensive to put into place for your laptop computer. It also provides great protection from potential liability if your computer is lost or stolen.
- Treat the laptop like the cash in your wallet and never leave it unattended, even when you are leaving the car for a few minutes or just taking a short break to use the restroom or the coffee vending machine.
- While traveling or attending a conference with your laptop:
- The easiest option to secure your laptop against theft is to put it in its carrying case and keep it on your shoulder at all times.
- When in your hotel room or even when in the office, consider securing it to an object that is not easily movable, such as a desk or dresser. Most laptops have a hole on the side that is used to lock in place a cable with a combination lock. This may be used in your office, hotel, etc. when the laptop is left unattended. Remember, it only takes a minute for a laptop (or wallet) to be stolen.
- Physically secure your laptop with a locking cable whenever you are not personally carrying it.
- Never leave it unattended, such as in the overhead bin in an airplane when you go to the restroom or in your car when you run into a store for just a few seconds. The same applies to external hard drives, flash drives, and the like.
- Never grant another person access to your laptop computer if you store confidential client information on it, unless they are part of your clinical operation and need to have access to your laptop or to confidential information, are HIPAA trained, and have a written contract which includes a statement about confidentiality of electronic records.
- Therapists who use billing programs, such as Netsmart Helper, might want to contact the software company to see if they have any helpful hints regarding security for their product, and what they might recommend if the laptop gets stolen.
- When using your laptop computer to store confidential client information as well as to administer psychological tests and assessments, always closely supervise the use of the laptop. Never leave it unattended or unsupervised during testing.
- When deleting confidential records from your laptop, special software to wipe the hard drive must be used. Otherwise, even though you hit the delete button, others may be able to recover the materials from your hard drive. If you are not familiar with this special software, hire a techie to install it.
- Strictly follow all security procedures each and every day. It just takes one minute away from your laptop, putting it down unattended for 30 seconds, not backing up data just one time, failing to use password protection one time, or letting virus protection software lapse one day to violate clients’ trust and our responsibilities to them to protect and preserve their privacy in every reasonably available way.
- More diligent methods for protecting your laptop and data have been suggested by technically sophisticated experts. Following is a list of extra, not commonly used, available measures obtained from buzzle.com:
- Don’t use an obvious laptop bag. Carry your laptop in regular luggage that doesn’t look like it has a laptop. Don’t advertise your laptop to any would-be thieves.
- Encrypt data on your laptop. This is now a typical and expected measure for clinicians who use computers in their practices.
- Use visual locks and restraints to secure your laptop and to act as a deterrent. It won’t fool hardened thieves but most will opt for a less secure laptop. For example, you can use a product like STOP. This system works by attaching a specially made security plate to your laptop. This plate is bar-coded and registered. It also carries a warning label letting would-be cyber thieves know that the ownership of your laptop is permanently monitored.
- Use anti-theft software that can track and locate your laptop or computer through the IP address once the stolen laptop is used to access the Internet. Macintosh computers can be tracked through iCloud. This feature must be enabled in your iCloud settings on the computer.
- Use invisible ultraviolet markings so that any recovered stolen laptops will be clearly marked as yours to the police. Keeping track of your laptop’s serial number is also a good idea; store this number somewhere other than on your laptop.
- If you place important information on your laptop, have a remotely controlled self-destruct solution in place. Then your highly sensitive information can be deleted remotely after your laptop is stolen.
E-MAILS, CELL PHONES, COMPUTERS AND FAXES: Note: Make sure that this section reflects your setting, situation, and practices. It is very important to be aware that computers and unencrypted e-mail, text, and e-fax communication can be relatively easily accessed by unauthorized people and hence can compromise the privacy and confidentiality of such communication. E-mails, texts, and e-faxes, in particular, are vulnerable to such unauthorized access due to the fact that servers or communication companies may have unlimited and direct access to all e-mails, texts and e-faxes that go through them. While data on (therapist’s name)’s laptop is encrypted, e-mails and e-faxes are not. It is always a possibility that e-faxes, texts, and e-mail can be sent erroneously to the wrong address and computers. (Therapist’s name)’s laptop is equipped with a firewall, virus protection and a password, and he backs up all confidential information from his computer on a regular basis onto an encrypted hard-drive. Also, be aware that phone messages are transcribed and sent to (therapist’s name) via unencrypted e-mails. Please notify (therapist’s name) if you decide to avoid or limit, in any way, the use of e-mail, texts, cell phone calls, phone messages, or e-faxes. If you communicate confidential or private information via unencrypted e-mail, texts or e-fax or via phone messages, (therapist’s name) will assume that you have made an informed decision, will view it as your agreement to take the risk that such communication may be intercepted, and he will honor your desire to communicate on such matters. Please do not use texts, e-mail, voice mail, or faxes for emergencies.
Section H.5.a of the 2014 ACA Code of Ethics spells out a requirement for professional Counselors to inform clients when they keep electronic records, including how the records are kept and what security measures are used to protect the records. As such, a statement like the one above would be an ethical requirement for any clinician subject to the ACA Code of Ethics. Whether or not the description in the above paragraph is sufficiently thorough remains a grey area at this time.
When Records are Stolen and/or Patients’ Confidential Information is Compromised or Potentially Compromised
- Notify the clients who may be affected by such a breach of confidentiality, unless there are (rare) compelling reasons not to do so. Examples of such situations would be when a client is suicidal or in crisis. If you choose not to notify a client, document your reasons in your records and outline a plan as to when you will tell.
- Assess if besides the clinical-confidential information, the lost computer may also contain personal information, such as SS #, that can readily lead to identity theft.
- Notify any other people (non-clients) who may be significantly affected by such a breach, unless there are reasons not to do so.
- File a report with police and with other agencies if necessary or required.
- Consult with your state or national ethics committee to discuss the matter and learn what additional steps or actions they may recommend.
- Consult with your malpractice insurer’s risk management experts for their advice and suggestions as well.
- Therapists who use billing programs might want to contact the software company to see what they might recommend.
- Review and update your security procedures to help ensure that such a breach cannot happen again. Learn from your mistake.
- The 2013 HIPAA Omnibus Rule included the Final Breach Notification Rule, which defines both when a breach needs to be reported and when it doesn’t. For details on the Final Rule, see this article on the 2013 HIPAA Omnibus Rule.
Codes of Ethics
While the APA, ACA, CAMFT, NASW and most other professional organizations’ Codes of Ethics attend to the general issues of confidentiality, they do not address, specifically, the issue of transporting clinical records. However, the APA Ethics Code of 2016, for example, clearly states in the Introduction and Applicability section that the standards of the Ethics Code apply to all professional activities of psychologists, such as the provision of clinical services, research, teaching, supervision, and others. Additionally, it states “The Ethics Code applies to these activities across a variety of contexts, such as in person, postal, telephone, Internet, and other electronic transmissions”. Thus, it can be seen that the APA Ethics Code applies to all professional activities of psychologists regardless of the role and regardless of the medium. The use of computers in psychologists’ professional roles (and the use of the Internet) falls under the requirements of the Ethics Code. Relevant standards of importance to laptop computer and Internet use include:
- 2.03 Maintaining Competence – Be sure to develop all needed competencies (knowledge and skills) to use laptops in a safe and appropriate manner.
- 3.04 Avoiding Harm – Failure to secure one’s laptop, allowing unauthorized individuals access, or allowing breaches of confidential information all may result in harm to clients who are trusting us to protect and preserve their privacy.
- 3.10 Informed Consent – All possible limits to confidentiality should be reviewed with clients at the outset. If a laptop computer will be used, the client should be informed of this in advance. All steps taken to protect each client’s privacy should be reviewed, and clients should be informed that they would be notified immediately if any security breaches occur.
- 4.01 Maintaining Confidentiality – “Psychologists have a primary obligation and take reasonable precautions to protect confidential information obtained through or stored in any medium” (p. 1067). We each must use all reasonably available technologies and practices to protect and preserve each client’s confidential information.
- 4.02 Discussing Limits of Confidentiality – As part of the informed consent process, we must ensure that clients understand all “risks to privacy and limits of confidentiality” (p. 1067) that come with the use of laptop computers.
- 4.05 Disclosures – Unless authorized by the client or mandated/permitted by law, psychologists do not disclose confidential client information, even unintentionally, such as through avoidable security breaches.
- 6.01 Documentation of Professional and Scientific Work and Maintenance of Records – We are required to “maintain, . . . store, retain, . . . records and data relating to [our] professional and scientific work” (p. 1069). Clearly, these records may be stored, maintained, and retained on one’s laptop computer.
- 6.02 Maintenance, Dissemination, and Disposal of Confidential Records of Professional and Scientific Work – We must take all reasonable steps to ensure that records under our responsibility are maintained in a manner that protects and preserves each client’s confidentiality “whether written, automated, or in any other medium” (p. 1069). Further, “If confidential information concerning recipients of psychological services is entered into databases or systems of records available to persons whose access has not been consented to by the recipient, psychologists use coding or other techniques to avoid the inclusion of personal identifiers” (p. 1069).
- 8.02 Informed Consent to Research – All research participants must be fully informed of all “limits to confidentiality” and “reasonably foreseeable factors that may be expected to influence their willingness to participate, such as potential risks” (p. 1070).
- 9.03 Informed Consent in Assessments – The informed consent process for assessments includes an open discussion of “the limits of confidentiality” (p. 1073). Assessment materials and reports should be preserved and protected on laptop computers just as all confidential materials should.
- 9.11 Maintaining Test Security – Psychological tests may be administered through laptop computers. In fact, some tests may only be given using a computer, such as continuous performance tests. Others may be more easily administered and scored using computer software. “Psychologists make reasonable efforts to maintain the integrity and security of test materials and other assessment techniques” (p. 1074) regardless of the medium with which they are stored.
- 10.01 Informed Consent to Therapy – As has been highlighted, all reasonably anticipated limits to confidentiality should be included and openly discussed in the informed consent process. Further, just sharing this information is insufficient. To ensure that informed consent is valid, we must ensure each client’s understanding of the information provided.
Similar guidance is found in the ACA Ethics Code (ACA, 2014), which includes standards on informed consent, confidentiality, avoiding harm, research, assessment security, distance counseling, digital security, online professional presence, and competence as highlighted above. For example, in Section B: Confidentiality, Privileged Communication, and Privacy, Standard B.1.d. Explanation of Limitations, it states: “At initiation and throughout the counseling process, counselors inform clients of the limitations of confidentiality and seek to identify foreseeable situations in which confidentiality [may] be breached” (p. 7).
Further, Standard B.3.e. Transmitting Confidential Information is relevant to the storage and maintenance of client information on laptop computers, as well. It states: “Counselors take precautions to ensure the confidentiality of information transmitted through the use of any medium.” (p. 8). The 2014 Ethics Revision Task Force made it clear that the language “any medium” was used specifically so that the code of ethics natively applies to all uses of digital technology in professional practice.
At initiation and throughout the counseling process, counselors inform clients of the limitations of confidentiality and seek to identify foreseeable situations in which confidentiality must be breached.
Further, the ACA Ethics Code additionally includes Section H, Distance Counseling, Technology and Social Media, which includes:
- H.2.c. Acknowledgment of Limitations “Counselors inform clients about the inherent limits of confidentiality when using technology. Counselors urge clients to be aware of authorized and/or unauthorized access to information disclosed using this medium in the counseling process.” (p. 18).
- H.2.b. Confidentiality Maintained by the Counselor “Counselors acknowledge the limitations of maintaining the confidentiality of electronic records and transmissions. They inform clients that individuals might have authorized or unauthorized access to such records or transmissions (e.g., colleagues, supervisors, employees, information technologists).”
- H.5.a. Records “Counselors maintain electronic records in accordance with relevant laws and statutes. Counselors inform clients on how records are maintained electronically. This includes, but is not limited to, the type of encryption and security assigned to the records, and if/for how long archival storage of transaction records is maintained.”