This article looks at the new threats to client data, discusses the ethical considerations psychologists face, and advocates for the foundation of best practices to prevent breaches of client data.
The NSA has built an infrastructure that allows it to intercept almost everything . . . . I can get your emails, passwords, phone records, credit cards.”
— Edward Snowden
Protecting clients' privacy is clearly one of psychologists' top ethical priorities. To help prevent disclosures of patient information, APA offers specific guidance in its Ethics Code (APA, 2010) and its "Record Keeping Guidelines" (APA, 2007).
Unfortunately, with today's ever-evolving technology, such guidance may not be enough. As Edward Snowden showed the world in 2013, information on cloud storage centers is not secure (Gellman & Soltani, 2013; Greenwald, 2013).
This article gives an overview of the current record-keeping and communication regulations and guidelines, looks at new threats to client data, discusses the ethical considerations psychologists face, and advocates for the foundation of best practices to prevent breaches of client data.
From pen to keyboard
In 1965, Intel Corporation co-founder Gordon Moore successfully predicted that circuit technology would double every two years and lead to exponential growth while reducing the size of everything. This became known as Moore's law.
Since then, personal computers and smartphones have become ubiquitous and nearly 3 billion people have Internet access. This pervasive accessibility affects both practitioners and clients. Today, communication with a client can occur via text and/or email. Metal file cabinets have evolved into encrypted digital containers. Record keeping can be entirely digital.
In response to this revolution, over the years U.S. agencies have sought to provide legislative frameworks for the proper handling of private information. Among them is the Health Insurance Portability and Accountability Act (1996; HIPAA), which sought to increase the accessibility of medical records while maintaining confidentiality. The law calls for health providers to "maintain reasonable and appropriate administrative, technical and physical safeguards" when using electronic health information (HIPAA, 1996).
In 2003, the Department of Health and Human Service (HHS) provided security standards for health-care providers, including psychologists, who transmit private health information. The standards mandate that providers must take precautions to prevent a breach of data and that they conduct risk analyses. These regulations also apply to providers' business associates — practicing psychologists who operate with insurers must follow HIPAA's privacy and security rules and ensure that their business associates do so as well.
In 2009, The Health Information Technology for Economic and Clinical Health Act (HITECH) formalized business associate liability and offered stricter regulations for using client records. This law placed the burden of security on a business associate to meet security and privacy requirements. In addition, business associates are expected to provide notifications of any breaches to the entities they cover and are subject to civil and criminal penalties for the misuse and/or loss of data. For practitioners, this means if they sign a business agreement with a business associate to store client records or materials in a cloud environment, the associate must meet HITECH requirements.
APA's record-keeping guidelines
While APA's Ethics Code provides ethical principles and standards for psychologists, it does not provide specific record-keeping guidelines. That guidance comes from APA's "Record Keeping Guidelines" (2007), which highlight the many interactions that practitioners have with the health-care system and federal regulations, such as HIPAA. For this article, we are particularly interested in guidelines 3, 6 and 9 (of 13), which focus on the topics of security, privacy and confidentiality:
Guideline 3 deals with confidentiality of client records. This recommendation states that practitioners should be aware of the regulatory and legal requirements that involve records.
Guideline 6 outlines the security measures that psychologists should engage in to protect those records. If practitioners create physical records, they should protect them with key and cabinet. If they use digital records, practitioners should properly secure them.
Guideline 9 informs practitioners on the use of electronic records. APA analogizes electronic to physical records and states that practitioners should be concerned with the use of e-mail and other communication tools because of the possibility that they can been seen by others.
These guidelines are not enforceable; they only offer guidance to practitioners.
Unfortunately, neither the federal government nor APA has proffered specific steps that should be taken to increase privacy and confidentiality to meet the challenges created by today's technology. The current guidelines only state that practitioners should use "passwords, firewalls, data encryption and authentication" (APA, 2007, p. 998). Although these recommendations would better secure systems, they do not establish directions and specific methods for creating secure passwords, activating firewalls or using data-encryption techniques, and they do not explain what authentication protocols are.
Providing specific guidelines that are constructed and updated regularly might alleviate part of the burden on practitioners to prepare for and understand growing threats to client privacy.
Threats to client privacy
Many psychologists are embracing email and text messaging to communicate outside of therapy sessions. Some, too, are writing notes in electronic medical records that rely on local, network and/or cloud storage. Others are interested in using smartphone applications and social networking interventions. And numerous practitioners see telehealth as a potential intervention and therapeutic delivery method (Colbow, 2013).
All of these uses of technology increase the risk to client privacy. These risks include:
Risks from individuals and collective actors: On Sept. 1, 2014, The Guardian reported that an individual or small group of hackers "exploited" celebrity Apple iCloud accounts, which stored phone data including emails, address books and photos (Arthur, 2014). Although celebrity data were the main targets, hackers could have compromised other individuals' accounts using similar methods. If a practitioner had chosen to communicate or store any records on Apple's iCloud platform, the information could have been compromised.
Information that is stolen via digital storage services is regularly sold on the "dark Web" — hidden websites that are inaccessible to most Internet users. Some medical records can be purchased for about $50. Similarly, if psychologists communicate with clients via smartphones and similar devices, those communications could be compromised with mobile malware that costs around $150.
Risks from corporations: Companies that provide cloud storage, email and communications services generally make money from mining personal data. Their privacy policies and terms of services can be complex, which can place a significant burden on psychology practitioners. For example, Facebook, like Google, uses social profiles for marketing and to provide users with related information. Facebook has expansive privacy policies to enable it to provide "relevant" advertising and learn about user habits. If a psychologist is communicating protected health information on these platforms, the corporate entity would have knowledge of client contact. Certain companies provide stronger privacy policies for communication. For instance, Apple's iCloud service does not mine emails for content. Most providers do not encrypt emails at rest (on cloud servers), allowing companies to more easily hand over message contents to third parties (Apple Inc., 2014a).
Another concern is data retention. Most cloud storage and communication providers say little about how long they keep their data. This amorphous data-retention policy stands in contrast to APA's record-keeping guidelines, which suggest that client records and data may be destroyed after seven years in the absence of superseding legal requirements. This policy also calls into question a practitioner's ability to maintain and provide confidentiality and proper informed consent when using certain corporate providers. And it is questionable whether practitioners could ever believe that records had been deleted if the cloud provider did not clearly and publicly state its data-retention standards.
Risks from the government: A variety of governmental entities interact with client data. As Edward Snowden and journalist Glenn Greenwald revealed in 2013, NSA analysts were able to access private cloud data centers from Google and Yahoo (Gellman & Soltani, 2013), which could have compromised protected health information and other client data.
Email at public universities is also at risk. Anyone can request the emails of public university staff members through a Freedom of Information Act (1966) request. Although some universities and colleges defend against open access to communication, email-based consultations between providers (that do not contain protected health information) might not be as protected as messages conveyed through patient files and electronic medical records would be.
Client information may also be inadvertently compromised as a result of the Stored Communications Act (1986), which was created before the Internet, email and personal computers became the tools of everyday life. The law states that email left on Web servers for over 180 days is considered abandoned. That "abandoned" data can be requested without formal judicial review. In addition, beyond surveillance by the NSA, the Federal Bureau of Investigation is permitted to access email in certain situations without first notifying the person under investigation (Counterintelligence Access to Telephone Toll and Transactional Records, 2012).
Various principles and standards in APA's Ethics Code are imperiled by the use of electronic storage and communications. In particular, psychologists should be aware of Principle E and Sections 2, 4, 6, and 10 of the Ethics Code.
Principle E (Respect for People's Rights and Dignity) provides a foundation for privacy and confidentiality. This principle recognizes the need to protect these rights and to safeguard clients' trust. Because of emerging threats to privacy, client data may be underprotected, regardless of current policies.
Section 2 of the Ethics Code focuses on ethical questions regarding competence. Of specific interest are Standards 2.01 (Boundaries of Competence) and 2.03 (Maintaining Competence). Standard 2.01 posits that psychologists must practice and provide services within their area of competence and that psychologists have an obligation to obtain training and/or support in areas that they are not familiar with, including technology. Shapiro and Schulman (1996) warned that accepting new technologies without critical, expert analysis might test practitioners' boundaries of competence. Similarly, Standard 2.03 outlines an expectation that psychologists will continue their education.
Taken together, Section 2 suggests that practitioners are expected to gain competence or support if they use privacy and security tools. Ethically, it may also be expected that practitioners continue to be informed about the various threats to client data.
Standard 4 may be the most relevant to the issue at hand because it explicitly outlines privacy and confidentiality expectations. As noted earlier, digitizing records and communications may lead to them being accessed by outside entities. This threat primarily affects two standards: 4.01 (Maintaining Confidentiality) and 4.02 (Discussing the Limits of Confidentiality). Section 4.02 establishes an ethical obligation to explain how certain record-keeping and communication practices may limit confidentiality. As a result, if psychologists use text messaging and email with a client, it might be ethically appropriate to talk about how these technologies may result in intrusions on privacy. In discussing the limits, it is important to consider how a client's information could be used against him or her. Psychologist-led discussions should facilitate evaluation of the appropriateness of certain disclosures on the basis of foreseeable client risk.
Section 6 specifies ethical obligations for record-keeping and fees. The standard of interest is 6.02 (Maintenance, Dissemination, and Disposal of Confidential Records of Professional and Scientific Work). The Ethics Code explains that within any medium, record storage and creation must be kept confidential. Moreover, if a practitioner needs to use shared records (such as in hospital settings), he or she should minimize the use of protected health information whenever possible to improve client privacy. Today's therapeutic interventions are performed in a variety of settings, and as technology becomes an important part of these, maintenance of confidentiality in record keeping comes into question.
Section 10 deals with concerns regarding therapy. According to Standard 10.01 (Informed Consent to Therapy), clients are to be informed of the limits of confidentiality and about communication methods available during treatment. If practitioners are interested in communicating via email and text, clients should be informed about these methods. Without a thorough informed consent process that covers these factors, client confidentiality cannot be properly founded (Everstine et al., 1980).
APA's Ethics Code and "Record Keeping Guidelines" inform counseling and record-keeping, but there are additional practices that psychologists can consider to further prevent breaches of confidentiality. To proactively help prevent privacy breaches and maintain client confidentiality, psychologists can:
Develop a threat model: Practitioners should create a threat model to assess each client and his or her practice's associated risk (Barrows & Clayton, 1996; Lee, 2013). The Electronic Frontier Foundation (2014) has suggested that such threat models contain five questions:
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through to try to prevent those?
Practitioners could, for instance, answer those questions with the following responses:
"I want to protect client records and communications."
"I want to protect it from unauthorized government access and individual hackers."
"I am currently working with a public, political figure, who has expressed concerns regarding unauthorized disclosures and leaks of data."
"Considering the public nature of this client, my practice could be threatened and culpable for damages."
"I am willing to spend an additional hour per week to secure this individual's client records on an external, air-gapped computer."
In general, APA's Ethics Code and the "Record Keeping Guidelines" emphasize stronger protections. By asking these five questions, practitioners can reduce accidental and/or targeted attacks on client information.
Encrypt everything: If possible, every client record and communication should be encrypted. When mobile devices are used for client contact, it is important to consider the phone's encryption capabilities. Currently, iPhones, with a good password, can be encrypted and protected from password attacks for about 5.5 years (Apple Inc., 2014b). It is also possible for iPhones to encrypt iMessages (text messages between iPhones), which would only be accessible between sender and recipient. Older phones cannot generally encrypt messages.
The APA Practice Organization (2014) separated computer encryption into three parts: (a) full-disk encryption, (b) virtual-disk encryption and (c) file/folder encryption. Full-disk encryption provides protection for an entire system, but once a password is used, the entire file system is accessible. Virtual-disk encryption is an encrypted container that acts like a digital flash drive and is protected from access through encryption. These containers require a password after logging into the computer. The file/folder encryption option regards individual files. For instance, a Microsoft Office Word file can be password protected.
By using all three of these methods, a stolen computer would be protected at multiple levels and virtually inaccessible.
The chief technology officer of the Freedom of the Press Foundation and technologist for The Intercept suggests disk encryption, firewalls, strong passwords (never renew or use the same) and cryptology to communicate when possible. For example, Apple computers come with built-in full-disk encryption via FileVault. In addition, by using a strong, 8- to 10-character password with special symbols, varied capitalization and avoidance of dictionary words, practitioners can have an encrypted and well-protected computer.
For instance, Google Apps uses various standardized security certificates to ensure data safety and retention. Even if practitioners choose to be responsible and HIPAA compliant, files should still be encrypted. Devereaux and Gottlieb (2012) recommend that if cloud providers encrypt data, this process should meet the need for "reasonable conduct" and protection of records.
This argument is predicated on trust. A cloud provider that encrypts data but still has access to encryption keys would be forced to decrypt this information if compelled by the federal government. Likewise, if a private employee or contractor was given the key, they could potentially decrypt data unlawfully. Any cloud storage used should be backed up locally and completely encrypted prior to upload. There are a variety of encryption software packages available; one example, a cross-platform option, is TrueCrypt.
Use two-factor authentication: This authentication method requires psychologists to first enter a password and then a six- to eight-digit "token" to log onto a site. If a password were lost or stolen, an attacker would still need access to the token to log in. Without the token, a stolen password would be of no use. Mobile devices can often receive two-factor tokens via text message. Google, Dropbox and Twitter are all examples of companies that offer such two-factor authentication.
Work with air-gapped computers: Psychologists who are working with the most sensitive cases and clients may need greater data protection. Similar to locked and local file cabinets, an air-gapped computer is separated from networked data and Internet access — Ethernet cables and Wi-Fi antennas are disabled or removed. This would likely necessitate a practitioner to purchase a separate computer that would stay permanently disconnected from the Internet and only provide access to files. To share files with another computer, the psychologist would need to manually move them via USB-based external drives, thus lessening the risk of data leaks. Using an air-gapped computer, however, does present a different risk: If the computer's hard drive fails, the data is not backed up on a network, so data loss is more likely.
Modify informed consent: APA's Ethics Code states that informed consent should incorporate a method for securing, protecting and handling data. As Devereaux and Gottlieb (2012) suggest, it is important that an informed consent document properly explain, justify and present accurate risks of data storage and communication. If psychologists agree with their clients that they may use phone, text and/or email communication, the psychologist should inform the client about the increased risk of confidentiality breaches and about ways to reduce such leaks. In the interest of client privacy and autonomy, it may be appropriate to suggest pen and paper if worries about privacy concerns are present.
More than ever, practitioners are considering digital means for client records and communication. But with technological advances, there are greater threats to client confidentiality. Individual hackers have more power than ever to buy and sell private information. Corporate entities are scanning data by default for advertising and marketing purposes. In addition, governmental actors are collecting massive amounts of data (even when protected) for further analysis. With each step, important ethical obligations have been threatened.
As a result, it is vital to approach all cloud-based client work with caution. By following best practices, practitioners can significantly reduce the chance of breaches. At a time when even data stored in "secured" locations is at risk, psychologists should consider the appropriateness of current informed consent practices within the United States. Moreover, practitioners should question whether electronic-transmission surveillance laws are compatible with this field's support for privacy.
While individual practitioners should and do bear the ultimate responsibility for confidentiality and privacy, a unified message from APA might help prevent data storage and communication concerns resulting from poor and/or naïve risk management. Although APA's Ethics Code and "Record Keeping Guidelines" place the responsibility for client confidentiality — in any medium — with practitioners, it is important that an organization provide constant, up-to-date guidance for members.
Future record-keeping guidance would likely benefit greatly from the inclusion of best practices.
Psychologists should not fear technological changes, but they should prepare for the unexpected. By synthesizing the various individual, corporate and governmental actors that threaten client privacy, practitioners should have a newfound understanding and appreciation for security concerns.
Written by: Samuel D. Lustgarten, a graduate student in the counseling psychology PhD program at the University of Iowa, Iowa City. His research centers on the intersection of technology, psychology and client privacy.
This is a condensed version of "Emerging ethical threats to client privacy in cloud communication and data storage," which appeared in the June 2015 issue of the APA journal Professional Psychology: Research and Practice, Vol. 46(3). To read the full article, which includes all references, go to http://dx.doi.org/10.1037/pro0000018.