Email in Mental Health Practice:

Legal-Ethical, Clinical and Risk Management Issues

Roy Huggins, LPC NCCLiath Dalton

Person Centered Tech’s Partnership PolicyThis continuing education event is co-sponsored by Hushmail

While Person Centered Tech is happy to partner with Hushmail on this event, the partnership should not be construed as a recommendation for Hushmail for Healthcare over any of their competitors, except where such a recommendation is explicitly stated by a member of Person Centered Tech’s staff. The partnership is contingent on satisfying the terms of Person Centered Tech’s Partnership Policy.

Our partnership policy can be found in the page footer at https://personcenteredtech.com and here: https://personcenteredtech.com/partnership-policy/

Our Educational Objectives

● Choose email types that support HIPAA compliance and ethical decision making

● Manage ethical and effective boundaries around mobile, textual communication with clients

● Document messages exchanged with clients securely, legally, and ethically

Unit 1: Transmissions

The Big Legal-Ethical Issue: Sending StuffCounselors take precautions to ensure the confidentiality of all information transmitted through the use of any medium.

ACA Code of Ethics, 2014, B.3.e

Psychologists have a primary obligation and take reasonable precautions to protect confidential information obtained through or stored in any medium, recognizing that the extent and limits of confidentiality may be regulated by law or established by institutional rules or professional or scientific relationship.

Ethical Principles of Psychologists and Code of Conduct, 2010, 4.01

Social workers should take reasonable steps to protect the confidentiality of electronic communications, including information provided to clients or third parties. Social workers should use applicable safeguards (such as encryption, firewalls, and passwords) when using electronic communications such as e-mail, online posts, online chat sessions, mobile communication, and text messages.

NASW Code of Ethics, 2017, 1.07.m

34. NCCs shall protect the confidentiality and security of tests or assessments, reports, data and any transmission of information in any form.

National Board for Certified Counselors Code of Ethics, 2016

“Transmission Security”

Standard: Transmission security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

45 CFR § 164.312 (e)(1)

“electronic communications network” = The Internet

The Internet -- Where Data Moves

Lots of Potential Bad Guys!

Transmissions?

● Email and texting are both transmissions

● Both transmit across the Internet

● Neither inherently uses protective measures, such as encryption

“Transmission?”

So what the heck is encryption??

Client Desire for Nonsecure Emails and Texts?

● Yes, HIPAA allows it

● Need to inform the client of the risks.

● Attorneys and security policies often refer to this as “alternative communication.”

● Does not impact your need to follow HIPAA standards, including the Business Associate rule

Is the client’s decision informed and autonomous if there is no reasonable secure alternative available?

When might nonsecure emails or texts be a bad idea regardless of what the client is asking for?

How Do Document Client Desire For Nonsecure Communications?

● Documentation or it didn’t happen!

● Speak with clients and use a consent form, such as the one included as a handout with this course.

● You can also use the included email and texting risk questionnaire to help you.

● There’s still The Initial Contact Problem

○ One solution: secure contact forms

Unit 2: Which Email to Use?

“Encrypted Email”

Describe an “Encrypted Email”

Categories of Email Security

● Conventional: might use TLS (see below), maybe. It depends. But you usually can’t rely on that.

○ Normal, everyday email. Should be regarded as nonsecure for policy-making purposes.

● Escrow: Annoying, but very good at protecting information from most risk situations.

○ Hushmail; many others.

● TLS: Actual encrypted email. Protected from privacy breaches during transmission, but introduces other potential issues.

○ Paubox “seamless encryption”; Sometimes major emails providers such as Google

Escrow Email

TLS Email

TLS Email and HIPAA’s Scope

Unit 3:Boundaries and Professionalism

Some Major Clinical-Ethical Considerations

● How does mobile, textual communication affect boundaries?

○ Where is this healthy/unhealthy? Therapy affirming/interfering?

● What topics should you email about?

● How do you address multicultural concerns in email?

● When and how quickly should you respond to clients?

Mobile, Textual Communication is Alway There

How Does That Make You Feel?

What Are Reasonable Boundaries?

● What does it mean for the clinician-client contact locale to extend beyond the office (physical or online) walls?

● What are the client’s subculture/age-bound expectations about boundaries around electronic communication?

● How quickly do clients expect a response to their messages?

Client expectations regarding reasonable boundaries may very well

differ from the therapist’s expectations

Suggestion for Boundary Setting

● Office Policies! E.g. Social Media Policies. Some things you might put in there:

○ It will be up to 24 hours

○ It will be more than 24 hours

○ Weekends and holidays don’t count towards the time

○ I don’t reply by email

● Talk to the clients about these policies. Keep the conversation going as much as needed.

● Avoid autoresponders as a blanket solution to boundary setting.

Unit 4: Documenting Emails

Emails are Records

● HIPAA requires we protect the availability of the PHI

● Professional associations and boards seem inclined to want full retention of the messages

● Courts may subpoena original emails

● Clients need to be informed that emails are in their record

Some Retention Strategies:

● Copy email message and paste into your EMR

● Print emails and put them in the paper record.

● Use an email service that guarantees the availability of all old emails, and rely on searching your email archives to find emails when you need them.

Some Final Risk Management Points

● Be wary/aware of crossing into telemental health territory

● Make sure that all use of email is done with intention, and is not reactive or unplanned

● Be sure clients are aware of how you will use email

○ Communications Policies?

References● American Counseling Association. (2014). Code of Ethics . Alexandria, VA: Author.

● American Psychological Association. (2010). American Psychological Association Ethical Principles of Psychologists and Code of Conduct . Washington, DC: Author.

● National Association of Social Workers. (2017). Code of Ethics . Washington, DC: Author.

● National Board for Certified Counselors. (2016). Code of Ethics . Greensboro, NC: Author.

● US Dept. of Health and Human Services. (2006). HIPAA Administrative Simplification . Washington, DC: Author.

● US Dept. of Health and Human Services. (2013). HIPAA Omnibus Final Rule . Washington, DC: Author.