05 Jun 2017

What are the Keys to a Good Electronic Records System?

These systems streamline practitioners' paperwork—and are no longer as intimidating or expensive as they once were

Psychologist Diana L. Prescott, PhD, already uses electronic health records in the integrated health-care work she does at Eastern Maine Medical Center. She even created the behavioral health component of the system for the center's pediatric obesity program. Now she wants to make the shift to electronic health records at the private practice she and her husband David L. Prescott, PhD, run in rural Maine.

"In a small practice, there's not a lot of space to store paper records," says Prescott, a member of APA's Committee for the Advancement of Professional Practice. "And it takes time to file those records." Plus, she says, patients expect electronic records, just like they see in medical offices.

But, she says, figuring out how to make the transition has been a time-consuming struggle. Should the practice buy a server—with all the expense and upkeep that entails—or go for a cloud-based product? The cloud offers protection from fires or burglary, but is it secure enough, especially since a breach of confidentiality could be particularly devastating to the reputation of a rural practice? How long would it take the Prescotts and practice manager Ruth Siebert to learn a new system? Answering these and other questions has proven so difficult that Prescott now hopes to make a decision some time during the new year.

Electronic health records are worth the hassle, says Lynn Bufka, PhD, associate executive director of research and policy in APA's Practice Directorate. In addition to offering "less paper, less filing, less cabinet space," she says, electronic records make it possible to access files remotely. It's easier to share records with patients or other providers when you can just click a button to print a copy or save to a flash drive instead of copying page after page of paper records. And thanks to the security measures you can put in place, such as automatic monitoring of who accesses what information and for how long, electronic records may actually be better at safeguarding confidentiality than paper ones, says Stacey Larson, JD, PsyD, a consultant who works with APA on legal and regulatory issues. "You can see if Joe Schmo accessed the record," she says. "You might not know if someone got into the file cabinet."

The federal government is also pushing the use of electronic health records, with the hope that "interoperable" records that can communicate not just within but across practices and health-care systems will reduce redundancies and improve care by ensuring that all providers involved in a patient's care have access to test results and treatment plans. Down the road, says Bufka, referrals from other health-care providers or even payers may even come via electronic records.

Given those advantages, how can you make the process of selecting a system easier? Bufka and others suggest the following steps:

Conduct a needs assessment. Think about the capabilities your practice needs in addition to such basic functions as billing and scheduling, says Bufka. If your office offers testing services, for example, determine whether the record can store the resulting data. If you'll be storing psychotherapy notes on the system, you'll need "data segmentation," which allows those notes to stay hidden when a record is shared. Also consider who will be using the system. If your practice includes a psychiatrist or another professional who can prescribe, you'll want a system that includes electronic prescribing. You might find other features—an internal email system or a web portal for patients, perhaps—attractive.

Set a budget. Many solo or small practices worry that electronic health record systems will be prohibitively expensive, says Larson. The high prices many people have heard about came from early adopters, she says. "There weren't as many options back then, so they adopted big, big systems," she says. Others may have invested in new servers to run their systems or opted for systems with all the bells and whistles small practices may not need, such as prescribing portals in practices where no one can prescribe, she says. Systems—especially cloud-based ones—are now much more affordable, she says, adding that she has seen ones that cost as little as $50 a month to use.

When you're looking at prices, make sure you're looking at all the costs involved, not just the initial start-up costs. Other costs may include training and monthly subscription fees either for the practice as a whole or per provider.

Ensure patient privacy. "Be knowledgeable about how data are stored," says Bufka. "There's not necessarily a right or wrong answer when it comes to cloud versus localized storage, but you'll want to know the pros and cons."

Privacy is the main issue Prescott is struggling with as she searches for the right system for her practice. Cloud-based products seem very secure, she says, and the vendors would assume much of the responsibility for complying with the Health Insurance Portability and Accountability Act (HIPAA). (With a server-based system, she explains, responsibility for HIPAA compliance rests on the practice.) "Even though there are a lot of arguments that records are more secure on the cloud, many people are uncomfortable with private information being placed in the cloud," she says. "You read in the paper all the time about things being hacked." While keeping records on a server within the building would probably be best for her, she adds, it's a much more expensive option.

Review your options. If you're already using practice management software, ask the vendor about electronic health record software that's compatible so you can stick with what you're already comfortable with, suggests Larson.

If that's not possible, ask colleagues whose practices have needs that are comparable to yours what system they like, says Prescott. A colleague who touted one brand turned out to like it because of its billing feature—a nonissue for Prescott's practice, which requires patients to pay up front.

You can also view options online through an aggregator site, such as www.capterra.com, which brings together information on hundreds of electronic health record systems, including about 150 systems specifically designed for mental health professionals. "You can type in what you want, and it spits back options," Larson says.

Test the system and the vendor's technical support. Be sure to try out an electronic health record system before you commit, Larson emphasizes. Once you've got your choices narrowed down to two or three, contact each vendor and ask them to walk you through their systems. Many will even let you test demos online. "If your practice isn't tech-savvy, choose a system that's more intuitive and has good customer support," says Bufka. Also ask what kind of support you'll have as you learn the system. And remember that you can always call APA and the APA Practice Organization staff for advice. "It has been super-helpful to talk with different staff members about the research they've done," says Prescott.

Additional resources

www.apapracticecentral.org
Visit APA's Practice Central and search for "electronic health records" to watch a video on using electronic health records.

www.HealthIT.gov
Learn more about contracts for electronic health records at the federal government website.

By Rebecca A. Clay


This article was originally published in the January 2017 Monitor on Psychology

01 Jun 2017

New Threats to Client Privacy


This article looks at the new threats to client data, discusses the ethical considerations psychologists face, and advocates for the foundation of best practices to prevent breaches of client data.

"The NSA has built an infrastructure that allows it to intercept almost everything . . . . I can get your emails, passwords, phone records, credit cards."

— Edward Snowden

Protecting clients' privacy is clearly one of psychologists' top ethical priorities. To help prevent disclosures of patient information, APA offers specific guidance in its Ethics Code (APA, 2010) and its "Record Keeping Guidelines" (APA, 2007).

Unfortunately, with today's ever-evolving technology, such guidance may not be enough. As Edward Snowden showed the world in 2013, information on cloud storage centers is not secure (Gellman & Soltani, 2013; Greenwald, 2013).

This article gives an overview of the current record-keeping and communication regulations and guidelines, looks at new threats to client data, discusses the ethical considerations psychologists face, and advocates for the foundation of best practices to prevent breaches of client data.

From pen to keyboard

In 1965, Intel Corporation co-founder Gordon Moore successfully predicted that circuit technology would double every two years and lead to exponential growth while reducing the size of everything. This became known as Moore's law.

Since then, personal computers and smartphones have become ubiquitous and nearly 3 billion people have Internet access. This pervasive accessibility affects both practitioners and clients. Today, communication with a client can occur via text and/or email. Metal file cabinets have evolved into encrypted digital containers. Record keeping can be entirely digital.

In response to this revolution, over the years U.S. agencies have sought to provide legislative frameworks for the proper handling of private information. Among them is the Health Insurance Portability and Accountability Act (1996; HIPAA), which sought to increase the accessibility of medical records while maintaining confidentiality. The law calls for health providers to "maintain reasonable and appropriate administrative, technical and physical safeguards" when using electronic health information (HIPAA, 1996).

In 2003, the Department of Health and Human Services (HHS) provided security standards for health-care providers, including psychologists, who transmit private health information. The standards mandate that providers must take precautions to prevent a breach of data and that they conduct risk analyses. These regulations also apply to providers' business associates — practicing psychologists who operate with insurers must follow HIPAA's privacy and security rules and ensure that their business associates do so as well.

In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) formalized business associate liability and offered stricter regulations for using client records. This law placed the burden of security on a business associate to meet security and privacy requirements. In addition, business associates are expected to provide notifications of any breaches to the entities they cover and are subject to civil and criminal penalties for the misuse and/or loss of data. For practitioners, this means if they sign a business agreement with a business associate to store client records or materials in a cloud environment, the associate must meet HITECH requirements.

APA's record-keeping guidelines

While APA's Ethics Code provides ethical principles and standards for psychologists, it does not provide specific record-keeping guidelines. That guidance comes from APA's "Record Keeping Guidelines" (2007), which highlight the many interactions that practitioners have with the health-care system and federal regulations, such as HIPAA. For this article, we are particularly interested in guidelines 3, 6 and 9 (of 13), which focus on the topics of security, privacy and confidentiality:

Guideline 3 deals with confidentiality of client records. This recommendation states that practitioners should be aware of the regulatory and legal requirements that involve records.

Guideline 6 outlines the security measures that psychologists should engage in to protect those records. If practitioners create physical records, they should protect them with key and cabinet. If they use digital records, practitioners should properly secure them.

Guideline 9 informs practitioners on the use of electronic records. APA analogizes electronic to physical records and states that practitioners should be concerned with the use of e-mail and other communication tools because of the possibility that they can be seen by others.

These guidelines are not enforceable; they only offer guidance to practitioners.

Unfortunately, neither the federal government nor APA has proffered specific steps that should be taken to increase privacy and confidentiality to meet the challenges created by today's technology. The current guidelines only state that practitioners should use "passwords, firewalls, data encryption and authentication" (APA, 2007, p. 998). Although these recommendations would better secure systems, they do not establish directions and specific methods for creating secure passwords, activating firewalls or using data-encryption techniques, and they do not explain what authentication protocols are.

Providing specific guidelines that are constructed and updated regularly might alleviate part of the burden on practitioners to prepare for and understand growing threats to client privacy.

Threats to client privacy

Many psychologists are embracing email and text messaging to communicate outside of therapy sessions. Some, too, are writing notes in electronic medical records that rely on local, network and/or cloud storage. Others are interested in using smartphone applications and social networking interventions. And numerous practitioners see telehealth as a potential intervention and therapeutic delivery method (Colbow, 2013).

All of these uses of technology increase the risk to client privacy. These risks include:

Risks from individuals and collective actors: On Sept. 1, 2014, The Guardian reported that an individual or small group of hackers "exploited" celebrity Apple iCloud accounts, which stored phone data including emails, address books and photos (Arthur, 2014). Although celebrity data were the main targets, hackers could have compromised other individuals' accounts using similar methods. If a practitioner had chosen to communicate or store any records on Apple's iCloud platform, the information could have been compromised.

Information that is stolen via digital storage services is regularly sold on the "dark Web" — hidden websites that are inaccessible to most Internet users. Some medical records can be purchased for about $50. Similarly, if psychologists communicate with clients via smartphones and similar devices, those communications could be compromised with mobile malware that costs around $150.

Risks from corporations: Companies that provide cloud storage, email and communications services generally make money from mining personal data. Their privacy policies and terms of services can be complex, which can place a significant burden on psychology practitioners. For example, Facebook, like Google, uses social profiles for marketing and to provide users with related information. Facebook has expansive privacy policies to enable it to provide "relevant" advertising and learn about user habits. If a psychologist is communicating protected health information on these platforms, the corporate entity would have knowledge of client contact. Certain companies provide stronger privacy policies for communication. For instance, Apple's iCloud service does not mine emails for content. Most providers do not encrypt emails at rest (on cloud servers), allowing companies to more easily hand over message contents to third parties (Apple Inc., 2014a).

Another concern is data retention. Most cloud storage and communication providers say little about how long they keep their data. This amorphous data-retention policy stands in contrast to APA's record-keeping guidelines, which suggest that client records and data may be destroyed after seven years in the absence of superseding legal requirements. This policy also calls into question a practitioner's ability to maintain and provide confidentiality and proper informed consent when using certain corporate providers. And it is questionable whether practitioners could ever believe that records had been deleted if the cloud provider did not clearly and publicly state its data-retention standards.

Risks from the government: A variety of governmental entities interact with client data. As Edward Snowden and journalist Glenn Greenwald revealed in 2013, NSA analysts were able to access private cloud data centers from Google and Yahoo (Gellman & Soltani, 2013), which could have compromised protected health information and other client data.

Email at public universities is also at risk. Anyone can request the emails of public university staff members through a Freedom of Information Act (1966) request. Although some universities and colleges defend against open access to communication, email-based consultations between providers (that do not contain protected health information) might not be as protected as messages conveyed through patient files and electronic medical records would be.

Client information may also be inadvertently compromised as a result of the Stored Communications Act (1986), which was created before the Internet, email and personal computers became the tools of everyday life. The law states that email left on Web servers for over 180 days is considered abandoned. That "abandoned" data can be requested without formal judicial review. In addition, beyond surveillance by the NSA, the Federal Bureau of Investigation is permitted to access email in certain situations without first notifying the person under investigation (Counterintelligence Access to Telephone Toll and Transactional Records, 2012).

Ethical concerns

Various principles and standards in APA's Ethics Code are imperiled by the use of electronic storage and communications. In particular, psychologists should be aware of Principle E and Sections 2, 4, 6, and 10 of the Ethics Code.

Principle E (Respect for People's Rights and Dignity) provides a foundation for privacy and confidentiality. This principle recognizes the need to protect these rights and to safeguard clients' trust. Because of emerging threats to privacy, client data may be underprotected, regardless of current policies.

Section 2 of the Ethics Code focuses on ethical questions regarding competence. Of specific interest are Standards 2.01 (Boundaries of Competence) and 2.03 (Maintaining Competence). Standard 2.01 posits that psychologists must practice and provide services within their area of competence and that psychologists have an obligation to obtain training and/or support in areas that they are not familiar with, including technology. Shapiro and Schulman (1996) warned that accepting new technologies without critical, expert analysis might test practitioners' boundaries of competence. Similarly, Standard 2.03 outlines an expectation that psychologists will continue their education.

Taken together, Section 2 suggests that practitioners are expected to gain competence or support if they use privacy and security tools. Ethically, it may also be expected that practitioners continue to be informed about the various threats to client data.

Standard 4 may be the most relevant to the issue at hand because it explicitly outlines privacy and confidentiality expectations. As noted earlier, digitizing records and communications may lead to them being accessed by outside entities. This threat primarily affects two standards: 4.01 (Maintaining Confidentiality) and 4.02 (Discussing the Limits of Confidentiality). Section 4.02 establishes an ethical obligation to explain how certain record-keeping and communication practices may limit confidentiality. As a result, if psychologists use text messaging and email with a client, it might be ethically appropriate to talk about how these technologies may result in intrusions on privacy. In discussing the limits, it is important to consider how a client's information could be used against him or her. Psychologist-led discussions should facilitate evaluation of the appropriateness of certain disclosures on the basis of foreseeable client risk.

Section 6 specifies ethical obligations for record-keeping and fees. The standard of interest is 6.02 (Maintenance, Dissemination, and Disposal of Confidential Records of Professional and Scientific Work). The Ethics Code explains that within any medium, record storage and creation must be kept confidential. Moreover, if a practitioner needs to use shared records (such as in hospital settings), he or she should minimize the use of protected health information whenever possible to improve client privacy. Today's therapeutic interventions are performed in a variety of settings, and as technology becomes an important part of these, maintenance of confidentiality in record keeping comes into question.

Section 10 deals with concerns regarding therapy. According to Standard 10.01 (Informed Consent to Therapy), clients are to be informed of the limits of confidentiality and about communication methods available during treatment. If practitioners are interested in communicating via email and text, clients should be informed about these methods. Without a thorough informed consent process that covers these factors, client confidentiality cannot be properly founded (Everstine et al., 1980).

Best practices

APA's Ethics Code and "Record Keeping Guidelines" inform counseling and record-keeping, but there are additional practices that psychologists can consider to further prevent breaches of confidentiality. To proactively help prevent privacy breaches and maintain client confidentiality, psychologists can:

Develop a threat model: Practitioners should create a threat model to assess each client and his or her practice's associated risk (Barrows & Clayton, 1996; Lee, 2013). The Electronic Frontier Foundation (2014) has suggested that such threat models contain five questions:

  1. What do you want to protect?
  2. Who do you want to protect it from?
  3. How likely is it that you will need to protect it?
  4. How bad are the consequences if you fail?
  5. How much trouble are you willing to go through to try to prevent those?

Practitioners could, for instance, answer those questions with the following responses:

"I want to protect client records and communications."

"I want to protect it from unauthorized government access and individual hackers."

"I am currently working with a public, political figure, who has expressed concerns regarding unauthorized disclosures and leaks of data."

"Considering the public nature of this client, my practice could be threatened and culpable for damages."

"I am willing to spend an additional hour per week to secure this individual's client records on an external, air-gapped computer."

In general, APA's Ethics Code and the "Record Keeping Guidelines" emphasize stronger protections. By asking these five questions, practitioners can reduce accidental and/or targeted attacks on client information.

Encrypt everything: If possible, every client record and communication should be encrypted. When mobile devices are used for client contact, it is important to consider the phone's encryption capabilities. Currently, iPhones, with a good password, can be encrypted and protected from password attacks for about 5.5 years (Apple Inc., 2014b). It is also possible for iPhones to encrypt iMessages (text messages between iPhones), which would only be accessible between sender and recipient. Older phones cannot generally encrypt messages.

The APA Practice Organization (2014) separated computer encryption into three parts: (a) full-disk encryption, (b) virtual-disk encryption and (c) file/folder encryption. Full-disk encryption provides protection for an entire system, but once a password is used, the entire file system is accessible. Virtual-disk encryption is an encrypted container that acts like a digital flash drive and is protected from access through encryption. These containers require a password after logging into the computer. The file/folder encryption option regards individual files. For instance, a Microsoft Office Word file can be password protected.

By using all three of these methods, a stolen computer would be protected at multiple levels and virtually inaccessible.

The chief technology officer of the Freedom of the Press Foundation and technologist for The Intercept suggests disk encryption, firewalls, strong passwords (never renew or use the same) and cryptology to communicate when possible. For example, Apple computers come with built-in full-disk encryption via FileVault. In addition, by using a strong, 8- to 10-character password with special symbols, varied capitalization and avoidance of dictionary words, practitioners can have an encrypted and well-protected computer.

Use HIPAA-compliant cloud providers: Any provider that stores protected health information should publicly document its privacy policy, terms of service and information-handling restrictions.

For instance, Google Apps uses various standardized security certificates to ensure data safety and retention. Even if practitioners choose to be responsible and HIPAA compliant, files should still be encrypted. Devereaux and Gottlieb (2012) recommend that if cloud providers encrypt data, this process should meet the need for "reasonable conduct" and protection of records.

This argument is predicated on trust. A cloud provider that encrypts data but still has access to encryption keys would be forced to decrypt this information if compelled by the federal government. Likewise, if a private employee or contractor was given the key, they could potentially decrypt data unlawfully. Any cloud storage used should be backed up locally and completely encrypted prior to upload. There are a variety of encryption software packages available; one example, a cross-platform option, is TrueCrypt.

Use two-factor authentication: This authentication method requires psychologists to first enter a password and then a six- to eight-digit "token" to log onto a site. If a password were lost or stolen, an attacker would still need access to the token to log in. Without the token, a stolen password would be of no use. Mobile devices can often receive two-factor tokens via text message. Google, Dropbox and Twitter are all examples of companies that offer such two-factor authentication.

Work with air-gapped computers: Psychologists who are working with the most sensitive cases and clients may need greater data protection. Similar to locked and local file cabinets, an air-gapped computer is separated from networked data and Internet access — Ethernet cables and Wi-Fi antennas are disabled or removed. This would likely require a practitioner to purchase a separate computer that would stay permanently disconnected from the Internet and only provide access to files. To share files with another computer, the psychologist would need to manually move them via USB-based external drives, thus lessening the risk of data leaks. Using an air-gapped computer, however, does present a different risk: If the computer's hard drive fails, the data is not backed up on a network, so data loss is more likely.

Modify informed consent: APA's Ethics Code states that informed consent should incorporate a method for securing, protecting and handling data. As Devereaux and Gottlieb (2012) suggest, it is important that an informed consent document properly explain, justify and present accurate risks of data storage and communication. If psychologists agree with their clients that they may use phone, text and/or email communication, the psychologist should inform the client about the increased risk of confidentiality breaches and about ways to reduce such leaks. In the interest of client privacy and autonomy, it may be appropriate to suggest pen and paper if worries about privacy concerns are present.

Conclusion

More than ever, practitioners are considering digital means for client records and communication. But with technological advances, there are greater threats to client confidentiality. Individual hackers have more power than ever to buy and sell private information. Corporate entities are scanning data by default for advertising and marketing purposes. In addition, governmental actors are collecting massive amounts of data (even when protected) for further analysis. With each step, important ethical obligations have been threatened.

As a result, it is vital to approach all cloud-based client work with caution. By following best practices, practitioners can significantly reduce the chance of breaches. At a time when even data stored in "secured" locations is at risk, psychologists should consider the appropriateness of current informed consent practices within the United States. Moreover, practitioners should question whether electronic-transmission surveillance laws are compatible with this field's support for privacy.

While individual practitioners should and do bear the ultimate responsibility for confidentiality and privacy, a unified message from APA might help prevent data storage and communication concerns resulting from poor and/or naïve risk management. Although APA's Ethics Code and "Record Keeping Guidelines" place the responsibility for client confidentiality — in any medium — with practitioners, it is important that an organization provide constant, up-to-date guidance for members.

Future record-keeping guidance would likely benefit greatly from the inclusion of best practices.

Psychologists should not fear technological changes, but they should prepare for the unexpected. By synthesizing the various individual, corporate and governmental actors that threaten client privacy, practitioners should have a newfound understanding and appreciation for security concerns.

Written by: Samuel D. Lustgarten, a graduate student in the counseling psychology PhD program at the University of Iowa, Iowa City. His research centers on the intersection of technology, psychology and client privacy.


This is a condensed version of "Emerging ethical threats to client privacy in cloud communication and data storage," which appeared in the June 2015 issue of the APA journal Professional Psychology: Research and Practice, Vol. 46(3). To read the full article, which includes all references, go to http://dx.doi.org/10.1037/pro0000018.

01 Jun 2017

Avoiding a Disconnect with Telemental Health


New technologies are increasing access to mental health care and helping psychologists run their practices more smoothly and efficiently than ever before. But these benefits come with ethical, legal and clinical challenges.

Telemental health offers psychologists a tremendous opportunity: the ability to increase access to psychological care for people who, for a variety of reasons, are not able to meet with a practitioner face-to-face.

Most commonly, telehealth services include providing crisis intervention to clients over the telephone in between in-person sessions, delivering clinical services across long distances via interactive videoconferencing to clients who would not otherwise be able to receive treatment, and using smartphone apps to augment and enhance treatment services provided.

Unfortunately, the great benefits that can come with telemental health also introduce a number of ethical, legal, and clinical challenges. In this article, we present two cases that highlight the benefits and risks of telemental health.

Case #1: Unforeseen ethics concerns

Dr. Ino Vater, a licensed psychologist, sees telemental health as a potentially lucrative way to expand her private practice. She develops a business plan that includes advertising her services via the Internet to tap into new markets. She plans to begin offering email counseling with a guaranteed 24-hour response time at a rate of $25 per email. She also plans to offer online individual and group psychotherapy via Skype.

Dr. Vater announces these new services on her website, stressing her qualifications as a licensed practitioner with over 30 years of experience. Being somewhat technologically savvy, she already has her standard informed consent form on her website for new clients to review and sign electronically. She also has an electronic calendar on her website so new clients can schedule their initial appointment with her directly. Payments are easily accepted via PayPal, so clients can pay in advance for services.

Word spreads quickly and numerous new clients schedule appointments with her for email and videoconference counseling. She is thrilled that people from around the world are seeking treatment from her. She is also excited to see that the clients present with so many different problems. Pleased with all the new business, Dr. Vater continues accepting all new clients and is very gratified that the new business plan she developed is working so well.

Has Dr. Vater overlooked any important ethical, legal and clinical issues? In short, yes. While telemental health can be helpful to many individuals, how it is applied requires careful forethought.

As a starting point, practitioners must understand that all requirements of their profession's ethics code apply to the provision of telemental health services. For example, APA's Ethics Code applies to all professional services provided by psychologists, regardless of their type and whether they are delivered in person, over the phone, via the Internet, or in other ways.

As a result, before Dr. Ino Vater launched her new business plan, she should have considered her:

Competence in telemental health: Competence requires practitioners to possess the knowledge and skills needed to ensure they meet (and hopefully, exceed) the minimum expectations for the quality of professional services provided. Before providing any telemental health services, practitioners should familiarize themselves with relevant guidelines for this practice area, such as those available through the Tele-Mental Health Institute at http://telehealth.org/ethical-statements. APA has also published guidelines at www.apapracticecentral.org/ce/guidelines/telepsychology-guidelines.pdf (PDF, 112KB).

While guidelines do not contain enforceable standards, they represent each profession's consensus statement on telemental health best practices.

Technological competence: In addition to clinical competence, practitioners should also be knowledgeable about the various technologies used in telemental health practice, such as the hardware, software, type of Internet connection, privacy safeguards and security precautions needed to help ensure client privacy. Practitioners should be familiar enough with the systems so that they can adjust the auditory and visual quality of the technology as needed. They should be able to address difficulties that may arise, including the loss of an Internet connection or other interruptions of service, and have a backup plan for making contact should that happen.

Practitioners should also be familiar with the strengths and weaknesses of the software programs they use for clinical services. For example, while Dr. Vater may have over 30 years of clinical experience and may use certain technologies in her personal life, her failure to take courses on telemental health and her use of text-based therapy as an alternative suggest that her professional understanding of telemental health may be limited. In addition, her choice of a nonsecure video platform is inappropriate since Skype is not compliant with the Health Insurance Portability and Accountability Act (HIPAA). Only products that are HIPAA-compliant and meet federal requirements for protecting each client's privacy should be used. Examples of such platforms include Vyzit, VSee, Zoom, Regroup Therapy and Breakthrough.

General telemental health competence: Dr. Vater should have also carefully considered the appropriateness of each technology for each client's particular needs. Research has shown, for example, that using email for counseling and psychotherapy services has many limitations, such as the absence of visual cues and significant potential for miscommunication; the difficulty in assessing and diagnosing individuals one does not have the opportunity to observe; and a lack of empirical support for the effectiveness of email as the primary means of providing such services.

By reading up on the literature, Dr. Vater would have also discovered that some technologies may be effectively used in telemental health with some clients. For example, there is a significant body of literature that demonstrates the value of videoconferencing for providing psychotherapy and counseling to a wide range of clients. Research has shown that the therapeutic alliance in psychotherapy via videoconferencing is comparable to the alliance found in in-person treatment.

There is also a broad literature on the effectiveness of videoconferencing in treating a wide range of mental health issues and concerns. It has been shown to be helpful in treating individuals, couples, families and groups for issues such as anxiety disorders including generalized anxiety disorder, post-traumatic stress disorder and panic disorder (e.g., Germain, Marchand, Bouchard, Drouin, & Guay, 2009; Spence, Holmes, March, & Lipp, 2006; Wims, Titov, Andrews, & Choi, 2010); depression and grief (e.g., Dominick et al., 2009; Ruwaard et al., 2008); and addictions (e.g., Mermelstein & Turner, 2006; Riper et al., 2009); among others. Mental health clinicians should familiarize themselves with this extensive and rapidly expanding literature to ensure that treatments offered have empirical support.

An important aspect of competence requires practitioners to be able to determine which telemental health services and treatment modalities may be appropriate for which clients. Telemental health would be inappropriate, for example, with clients with serious mental illness, including serious depression, suicidality and impulse control difficulties, such as violence and homicidality. Unfortunately, Dr. Vater is welcoming all prospective clients into her telemental health practice, regardless of their needs or circumstances. While some clients may benefit from counseling services offered via telephone or email, some will need videoconferencing treatment, others will need in-person treatment and still others may benefit from a combination of these services. These decisions should be made after carefully screening each potential client to determine the seriousness of a diagnosis, whether or not the client is in crisis, the level of rapport, and the client's motivation for therapy. Screening should also explore whether the client has a support system, whether the client can find competent clinician services, and whether the client has access to a secure and private space for participating in the telemental health services.

The clinician should document the rationale for concluding that a particular client is suitable for telemental health services. Ideally, clinicians will also begin with cases that present the best chance of success from receiving distance services, such as clients who already have an established and positive treatment relationship with the clinician or who are temporarily traveling. Potential clients outside of one's local area who, after careful screening, are deemed to be best served by in-person treatment should be referred to others.

Multicultural competence: Mental health clinicians who provide services via the Internet may easily find themselves violating professional expectations for multicultural competence. For example, since Dr. Vater is accepting clients from around the world, she will be interacting with people from different cultural, ethnic and linguistic backgrounds. Failing to give careful consideration to each client's individual differences may result in more harm than good.

When treating clients from around the world, it is not realistic to expect them to all speak English fluently. Yet, the ability to communicate effectively is essential for counseling to be successful. Similarly, clients may come from a wide range of cultural backgrounds. Even if there are no language barriers, practitioners should possess the necessary multicultural competence to ensure sensitivity to clients' beliefs and practices so these are not misinterpreted or violated.

Clinical competence and telemental health: It may be tempting to accept new clients, regardless of their problems, but of course clinicians should not provide assessments and treatments via telemental health if they are not competent to provide them in person. Mental health services must be provided in accordance with the requirements of each professional's code of ethics. As a result, if Dr. Vater is conceptualizing her email communications with clients as "advice giving" or "a helping conversation," she may be overlooking clients' treatment needs and expectations. She may also be misrepresenting the services she is providing as something other than psychotherapy. Or she may be calling it psychotherapy when she is providing something else.

Informed consent process: Informed consent is designed to ensure that prospective clients get the information they need to make an educated decision about participating in the services offered. As APA's Ethics Code states, psychologists are required to "inform clients/patients as early as is feasible in the therapeutic relationship about the nature and anticipated course of therapy, fees, involvement of third parties, and limits of confidentiality and provide sufficient opportunity for the client/patient to ask questions and receive answers."

Practitioners who provide telemental health services will need to modify the informed consent procedures they typically use for in-person treatment for several reasons. For one, it is important to discuss openly with clients the options and alternatives available to them — including in-person treatment and the range of telemental health services — to help them decide which is most appropriate for them. Dr. Vater lists only two telemental health modalities on her website and both appear to be unacceptable forms of treatment for a clinician who is interested in evidence-based or HIPAA-compliant treatment. If clients' treatment needs won't be met by these modalities, she should refer these clients to other competent professionals who can provide the needed services.

In addition, Dr. Vater should discuss her fees up front, including any charges for contact between regularly scheduled appointments, such as phone calls, emails and texts. It also should be made clear whether insurance will cover the services provided. Clinicians need to be aware of appropriate billing codes for telemental health services so they are not inadvertently engaging in insurance fraud by billing these services the same as face-to-face services. Often there is a GT code signifier to show that the service took place via phone or video, although noting phone or video next to the code is recommended so as not to unintentionally mislead the insurance company.

The issues of confidentiality and its limits are especially relevant for clients considering telemental health. The informed consent agreement should cover these issues so that prospective clients understand that absolute confidentiality can never be guaranteed. Clinicians can help protect confidentiality by using encrypted email communications, virus and malware protection, firewalls, passwords and secure Internet networks. Clinicians should inform clients about the factors that can trigger an exception to confidentiality and to whom and in which state information will be released. The informed consent agreement should also include emergency contact information, as well as procedures to follow when interruptions in telehealth communication occur.

Also, since not all individuals have the legal right to give consent to treatment, the provider should first obtain proof that the prospective client is legally an adult and has the right to consent to treatment. In addition, clinicians have a duty to put procedures in place to ensure that someone does not pose as a client to gain access to someone else's psychotherapy — for example, the client and provider can use an agreed-upon password exchanged through encrypted media.

Practitioners should see informed consent as an ongoing process. They must obtain a client's informed consent at the outset of the professional relationship, but also continually update it as circumstances change. Any substantive change to how treatment is provided, the risks involved in participating in it, fees or financial arrangements, and the like, should be discussed with clients before changes are made. So, if a client has agreed to videoconferencing for treatment, and over time the practitioner decides that a different treatment modality would be preferable, the informed consent should be updated to discuss the reasons for the change, the other options available, and the risks and benefits of each option.

Case #2: Legal issues and requirements

Dr. Roule Breyker is a licensed psychologist in Montana, practicing in one of the state's four urban areas. Montana is a rural state with an average of only 6.4 persons per square mile. Many of its counties have no mental health professionals.

Dr. Breyker has decided to begin offering telemental health to residents throughout the state to better meet the need for services. His expansion is going so well that he has begun receiving inquiries from potential clients who live in the surrounding states of Wyoming, North Dakota, Idaho and South Dakota as well as from the neighboring Canadian provinces of Alberta, Saskatchewan and British Columbia. He is excited about how word of his telemental health services is spreading and he is gratified to know that he is helping to meet the significant mental health treatment needs of rural communities.

When he shares the news about his expanding work at a meeting with several Montana colleagues, he is shocked to hear their concerns about his interjurisdictional practice. Dr. Breyker states that he is helping people who would not otherwise be able to receive mental health treatment and he expresses dismay at his colleagues' concerns. He abruptly leaves the meeting, chalking it up to his colleagues' professional jealousy.

As noble as Dr. Breyker's intentions are, practitioners who provide telemental health services must be sure that they follow the requirements of licensing laws and regulations of the jurisdictions where they work and where their clients live. Crossing state and national boundaries creates several important legal issues and challenges. They include:

Licensing issues: When using telemental health services to provide treatment to clients within one's state, province or territory, the practitioner follows the dictates of his or her license. But licensure requirements may be less clear when a client lives in another jurisdiction — and so far, not all jurisdictions have addressed this issue in their licensing laws and regulations. In addition, decisions about what is appropriate are subject to idiosyncratic jurisdictional authorities.

This can create a tremendous challenge for practitioners who want to engage in interstate or international practice. An important first step for practitioners is to research the licensure laws and regulations in the jurisdiction where each client is located. If these documents lack clarity on interjurisdictional practice, the practitioner should submit a written request for clarification to that jurisdiction's licensing board. For jurisdictions that require in-state licensure, the practitioner could seek licensure in that state (which may be time-consuming, expensive and impractical) or practice in the other jurisdiction without being licensed there, an option that can place the professional at significant legal risk. Some states will permit clinicians to practice short-term (e.g., a period of 30 days) in a state in which the clinician is unlicensed, if she or he is licensed in another state. Some of these provisions can be found at www.apapracticecentral.org/advocacy/state/telehealth-slides.pdf (PDF, 1MB).

APA and the Association of State and Provincial Psychology Boards are working to resolve the challenge of interjurisdictional practice. They also are attempting to develop interstate compacts similar to those of the nursing profession, which allow nurses to practice in other states with their license from their home state if they follow the laws and regulations of the local jurisdiction. Until such an arrangement is adopted, mental health professionals must be cautious and keep in mind that legal and regulatory requirements may vary from state to state.

The same issues are relevant when providing mental health services across international borders. It is each clinician's responsibility to research any applicable licensing laws and regulations prior to providing professional services in those jurisdictions.

Duty to report: What should Dr. Breyker do if a client in Wyoming discloses in a telemental health session that she is physically or sexually abusing her child? Should he follow the laws in Montana? Or, those in Wyoming (and does he even know them)? Or, should he attempt to follow both states' laws? If he is licensed in both jurisdictions, there may be different requirements.

An important study by Maheu and Gordon (2000) found that of the mental health professionals providing telemental health services whom they surveyed:

  • 75 percent reported providing services across state lines.
  • 60 percent inquired about each client's state of residence.
  • 74 percent were uncertain or incorrect about each state's telehealth laws.
  • 50 percent made advance arrangements for responding to emergencies or crises.
  • 48 percent used a formal informed consent procedure prior to providing online services.

It is vital that Dr. Breyker research the laws relevant to the mandatory reporting of suspected abuse and neglect of minors in each state in which he provides services. But, as is highlighted in the Maheu and Gordon study, one must first find out where potential clients live. Even if Dr. Breyker becomes licensed in the surrounding states or obtains temporary licensing permission to offer telemental health services in these states, he still needs to be knowledgeable about the laws in these states relevant to his role as a treating clinician. In addition, clinicians should be aware that when one reports across state lines, one loses immunity. (Interstate licensure compacts may, however, more formally address this issue.)

While every state has laws regarding the mandatory reporting of suspected abuse and neglect of minors, the laws differ with regard to how abuse and neglect are defined, the threshold to be followed for making reports, in which jurisdiction the report should be filed, the age of majority in that state, and more. Failure to know and follow these laws can place minors at risk unnecessarily. Understanding these laws also is necessary so that practitioners can address these potential limits to confidentiality as part of the informed consent process.

Similarly, all jurisdictions have laws that address mandatory reporting requirements for the suspicion of harm to other vulnerable individuals, such as some older adults and developmentally delayed adults. Yet each jurisdiction's laws are different. Some have focused on different definitions of what it means to be a vulnerable adult; some have different definitions of abuse, neglect, self-neglect and exploitation; and some have different reporting thresholds. Once again, possessing knowledge of these laws in the jurisdictions where clients reside is essential for fulfilling both ethical and legal obligations.

Dangerousness and the duty to warn, protect or treat: Based on the landmark Tarasoff v. Regents of the University of California legal decisions (1974/1976), many jurisdictions have laws regarding the requirement to take action when a client discloses an imminent threat to do harm to an identifiable victim or group of victims. Yet, these laws vary significantly. Some jurisdictions have duty-to-warn laws and some have duty-to-protect laws. Others have duty-to-warn, protect, and treat laws and some have none of these requirements. As a result, a clinician's good-faith effort to protect others from harm may result in inappropriately violating the client's confidentiality and violating state law.

When practicing telemental health across national borders, the issue is further complicated since these issues may be addressed quite differently in another country — or may not be addressed at all.

It is essential that mental health professionals who practice telemental health cross-jurisdictionally be familiar with the laws in the jurisdictions where the clients reside. Yet, in a study by Pabian, Welfel, & Beebe (2009), 76.4 percent of clinicians surveyed "were misinformed about their state laws, believing that they had a legal duty to warn when they did not, or assuming that warning was their only legal option when other protective actions less harmful to client privacy were allowed." This failure to know and follow these laws can have lethal and tragic consequences. Similar to other reporting requirements, knowledge of these laws affects the informed consent agreement with regard to the limits to confidentiality that exist in the treatment relationship.

Issues regarding both voluntary and involuntary hospitalization across state lines are quite complex. In addition to understanding state laws where the client resides, it would be wise to have handy the numbers for local police and the address for the nearest ER when a client engages our services from another location.

Recommendations for telemental health practice

In summary, to practice telemental health in an ethical, legal and clinically effective manner, we recommend that clinicians:

  • Follow all requirements for ethical conduct from your profession's code of ethics regardless of the telemental health medium used.
  • Become familiar with and be guided by relevant telemental health practice guidelines.
  • Learn and follow the relevant telemental health laws in all jurisdictions in which you will be providing clinical services.
  • Assess each potential client's treatment needs to ensure the appropriateness of participating in telemental health and that the most appropriate medium is used. Make referrals to other competent professionals when in the client's best interest.
  • Use a comprehensive informed consent process that addresses all issues relevant to the practice of telemental health.
  • Take all reasonable actions and use all readily available technology to protect each client's confidentiality, such as the encryption of email communications.
  • Only use HIPAA-compliant software programs to provide video conferencing with clients.
  • Only provide clinical services that you are competent to provide based on your education, training and relevant clinical experience.
  • Before providing telemental health services, develop competence regarding all hardware and software you will be utilizing to communicate with clients.
  • Ensure multicultural competence and attend to linguistic and other diversity issues in your online interactions with clients.
  • Learn about and follow all duty to warn and mandatory reporting requirements in the jurisdictions where you are providing telemental health services.
  • Before providing telemental health services, learn about resources in each client's local area and make arrangements there for emergency and crisis situations.
  • Document all telemental health services provided just as you would document in-person mental health services, ensuring that all records are stored securely so that each client's confidentiality is preserved.
  • When unsure if a client should be treated via telemental health, utilize an ethical decision-making model and consult with experienced colleagues.
  • Maintain appropriate liability insurance coverage and confirm that your malpractice insurance policy covers the provision of telemental health services.

By Jeffrey E. Barnett, PsyD, ABPP, an associate dean and professor of psychology at Loyola University Maryland and an independent practitioner in Towson, Maryland, and Keely Kolmes, PsyD, an independent practitioner in San Francisco.


This article is condensed from "The Practice of Tele-Mental Health: Ethical, Legal, and Clinical Issues for Practitioners," which appeared in the January 2016 issue of Practice Innovations. To read the full article, which includes all citations, go to http://dx.doi.org/10.1037/pri0000014.
