ECM8495 - SECTION 6: ETHICAL USE OF ELECTRONIC MEDIA FOR COMMUNICATION WITH CLIENTS
It has already been noted that social media operates with a degree of openness that makes it difficult to control the flow of communication in ways that provide a high level of privacy. What about other modes of electronic communication for which there is a higher degree of control and more effective ways of addressing privacy issues? What are the complications, contraindications and danger areas and how can they be best managed? In an era where an entire sub-field of mental health services – Telemental Health (TMH) – is being conducted in real time via distance modes of counseling, what are the provisions and guidelines for engaging with our clients in a legal and ethical way?
These questions will form the central focus of the next two sections of the course.
This examination will not attempt to cover all of the knowledge base for conducting Telemental Health services in a professional and ethical way. States are beginning to address this issue in a more systematic way, writing into state laws and statutes guidelines for clinicians who wish to add this format to their practice. The complications involved in practicing TMH are clinical, technological, legal and ethical in nature, and a sufficiently comprehensive training would require a longer and much more extensive program than can be offered here.
Instead, we will examine the use of electronic media from the perspective of the clinician engaged primarily in face-to-face services, but whose practice may make use of smartphone and email technology for adjunct client contacts such as follow-up, scheduling, between-session support, and/or emergency or crisis contact.
The availability of multiple ways of conducting client contacts provides greatly increased flexibility and accessibility to both the client and the clinician, neither of whom need to be tied down to a land line in order to be able to communicate. However, for reasons that have already been addressed, this increase in mobility means that communication is also more likely to occur in less private settings and with an increased potential for outside parties to intercept and listen in on private conversations.
Let’s begin this exploration of how to proceed with an examination of the instructions set out in the federal laws and statutes addressing patients’ rights to privacy: HIPAA and the Hi-Tech Act of 2010.
HIPAA: Office for Civil Rights (OCR)
Data Safeguards. A covered entity must maintain reasonable and appropriate administrative, technical, and physical safeguards to prevent intentional or unintentional use or disclosure of protected health information (PHI) in violation of the Privacy Rule and to limit its incidental use and disclosure pursuant to otherwise permitted or required use or disclosure. For example, such safeguards might include shredding documents containing protected health information before discarding them, securing medical records with lock and key or pass code, and limiting access to keys or pass codes. (p. 14)
As we noted earlier, many people are moving away from even possessing a land line phone, and only conduct routine communication via cell phone, texting or email. Since none of these is considered a secure communication vehicle without the addition of specialized encryption add-ons, the clinician is left with no secure option for contact with many current or potential clients. What is a clinician to do?
The Office for Civil Rights offers some guidance that may be helpful in understanding how to address this problem.
Guidance from the Office for Civil Rights (OCR) on the Hi-Tech Act
Question: Does the HIPAA Privacy Rule permit health care providers to use e-mail to discuss health issues and treatment with their patients?
Yes. The Privacy Rule allows covered health care providers to communicate electronically, such as through e-mail, with their patients, provided they apply reasonable safeguards when doing so. See 45 C.F.R. § 164.530(c). For example, certain precautions may need to be taken when using e-mail to avoid unintentional disclosures, such as checking the e-mail address for accuracy before sending, or sending an e-mail alert to the patient for address confirmation prior to sending the message. Further, while the Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail. In addition, covered entities will want to ensure that any transmission of electronic protected health information is in compliance with the HIPAA Security Rule requirements at 45 C.F.R. Part 164, Subpart C.
Note that an individual has the right under the Privacy Rule to request and have a covered health care provider communicate with him or her by alternative means or at alternative locations, if reasonable. See 45 C.F.R. § 164.522(b). For example, a health care provider should accommodate an individual’s request to receive appointment reminders via e-mail, rather than on a postcard, if e-mail is a reasonable, alternative means for that provider to communicate with the patient. By the same token, however, if the use of unencrypted e-mail is unacceptable to a patient who requests confidential communications, other means of communicating with the patient, such as by more secure electronic methods, or by mail or telephone, should be offered and accommodated.
Because HIPAA regulations were released in 1996, prior to the explosion of smart phone technology and e-communication, a major update to these HIPAA guidelines was put into effect with the Hi-Tech Act of 2010. This covered the following areas:
• New guidelines for addressing breaches of confidential information
• Extensions to guidelines for providers covered under Business Associate Agreements
• Modifications to definitions of electronic media to address advances in technology (cell phones, texting, IM, and other new forms of electronic communication)
The Hi-Tech Act is such an important statute for health care providers to research and understand that we have included a link to a printable copy of the statute. That link is shown below:
Like most complex laws and statutes, the Hi-Tech Act is not easy reading. Fortunately, all other health professionals have faced similar difficulties in maintaining adequate privacy in the era of e-communication.
For the benefit of our trainees, we have located a very helpful and easy to read set of guidelines put forth by the Florida Medical Association to address these questions. These guidelines will be presented on the pages that follow, with additional discussion in subsequent pages.
The link to see this document in its original form may be found at:
Guidance from the FMA on the Hi-Tech Act
The HITECH Act requires that all communications involving ePHI (electronic Protected Health Information) be encrypted. (Emphasis ours) HHS recently adopted National Institute of Standards and Technology guidelines for encryption. This means that if a physician wants to consult, refer or prescribe for a patient by e-mail, the e-mail had better be encrypted. Of course, most patients do not have software to decrypt. So what alternatives do health care providers have? And, more importantly, how can this be made easy and pragmatic? E-mail was designed to simplify, not complicate.
Health care providers may seek their patients’ consent to communicate via unencrypted e-mail. (Emphasis ours) While HHS does not provide a standard form for securing patient consent, basic “informed consent” strategies should apply. First, get the patient’s consent in writing. The patient should not be given just a binary choice, but a menu of choices. For example, a patient may wish to electronically receive information on appointment dates, but not test results. The consent document — as is standard with most routine HIPAA forms — also should note that the patient may withdraw his or her consent at a later time. This can be part of an expanded HIPAA form the patient signs when first seeing you in the office.
Here are some more recommendations when communicating with patients electronically:
1) A physician may be held responsible for a delay when responding to a patient’s e-mail. Solution: A physician who wishes to accept e-mail from patients should use an auto response feature that informs the patient that a) the physician typically responds to e-mail within a specified number of hours/days, and b) if the patient requires immediate attention, he or she should telephone the physician’s office or contact an emergency health care provider.
2) If a patient initiates an e-mail with a physician, Rachel Seeger of HHS Office for Civil Rights says that it is assumed that the patient consents to unencrypted communication. “If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.”
3) If a physician does end up sending a patient an e-mail, he or she should double check the recipient’s e-mail address before clicking “send.” This is to prevent the e-mail from being sent to the wrong person, therefore sharing private information to an unintended party. That’s good advice outside the health care world, too.
4) Add any e-mail a patient sends (and any response) to the patient’s charts.
5) In the HITECH Act, code 170.210 section B states that the date, time, patient identification and user identification must be recorded when electronic health information is created, modified, deleted or printed, and an indication of which actions occurred must also be recorded. This means if you send an e-mail to a patient with protected health information and then delete it, you will need a record of what was deleted and when. This is not dissimilar to crossing out a line in a paper medical record (updating the record) with a date of the update.
6) Since the guidelines for communicating with patients via e-mail are becoming stricter, more physician offices and hospitals are using portals as a means of communication. (Emphasis ours) This allows the patient to sign in with a secure username and password to view his or her records and communicate with physicians. The security rule allows for Electronic Protected Health Information (e-PHI) to be sent over an electronic open network, as long as it is adequately protected. Of course, this is more complicated than using Outlook or Gmail.
With these recommendations presented, let’s consider the implications for the practice of most mental health clinicians item by item.
Item One: Encrypted e-PHI
Encryption and password protection for Protected Health Information sent through electronic means is required by the Hi-Tech Act in order to protect the patient’s private healthcare information. PHI includes any information about the patient’s medical condition, as well as any information that might reveal the identity of the patient as a patient.
Encryption technology establishes reasonable precautions against any parties overhearing or otherwise intercepting the patient’s PHI in the course of transfer from one party to another. PHI sent via encryption platforms can only be decrypted with a secure password.
As noted in recommendation number 6, clinicians who expect to engage in regular communication with clients via email should consider investing in the acquisition of a web based portal that contains encryption technology. This allows for the patient to send and receive healthcare information and communications in a more controlled and secure environment.
Physicians tend to utilize more robust portal products, such as those offered by Cerner and NextGen, which allow patients to access electronic medical records and other services not likely to be needed by mental health clinicians. There are numerous vendors of secure email systems that operate with encryption technology and are password protected.
There are, however, several factors that need to be considered if a clinician wishes to move in the direction of a secure email system for client interactions. First, the system must be HIPAA compliant. Over and above the technical aspects of this, which will be covered shortly, there is the need for the vendor of the email system to be willing to offer a Business Associate Agreement (BAA) that addresses the privacy issues in ways that meet the standards for privacy outlined under HIPAA.
Briefly, a BAA is required for any vendor who provides services that involve access to patients’ PHI. Electronic billing services, companies that provide electronic medical records, or providers of portals or secure email systems would fall under this category.
A HIPAA-valid BAA has several important components, the most important of which is the vendor’s attestation that it will protect the PHI with the same degree of conscientiousness as the clinician. Vendors who market themselves to healthcare providers will typically have their legal advisors draw up a contract that satisfies the standards for HIPAA compliance.
However, clinicians should do their research carefully to verify that the vendor operates in a HIPAA compliant manner and scrutinize the BAA carefully to ensure that it passes muster. Less scrupulous vendors may insist that a BAA is not required for HIPAA compliance, or may forward a BAA that does not sufficiently cover the areas necessary for full HIPAA compliance.
The Office for Civil Rights has prepared a document that covers this issue in some detail and offers guidelines for what provisions should be included in a correct and proper BAA.
The link to see this document in its original form may be found at:
Any clinician who intends to engage in substantial amounts of communication with clients via email is strongly recommended to invest in the purchase of either a secure portal site or a secure email system, with a valid BAA and careful examination of the capabilities and limitations of the system being used.
The system must meet certain technological and system standards in order to provide the degree of security necessary under the Hi-Tech Act. These standards include the elements listed below.
Elements for a Secure and HIPAA Compliant System
1. The system must employ at least 128-bit encryption technology.
2. The system must allow for password protection of any emails or documents being sent, and mechanisms must be established for forwarding passwords separately (never in the same message as the protected content).
3. The system must use two-factor authentication for emails to be opened.
4. The system needs to be able to confirm that a document or email has been delivered.
5. The system needs to be able to notify the sender automatically if a document is not successfully delivered.
6. The system has to have a secure way to make sure that unencrypted documents are not accessible during communication over the system.
7. The system must have a mechanism that allows for electronic signatures.
Additional Elements for Ethical Compliance
As noted in recommendation 1, it is also important to make sure that every patient is aware of the potential for there to be a delay between the receipt of an email from a client and the response from the clinician. An automated response feature is very helpful along these lines, notifying the client about the possible delay in response.
It is also advisable to cover this aspect of e-communication when it is first determined that email communication will be a feature of the client-clinician relationship. A formal statement to this effect can be included in the statement of informed consent, with time allocated to cover this component during the face-to-face discussion of the informed consent process.
It is important not to skip over this factor in a hurry to cover all the other parts of the informed consent agreement, particularly if there is any indication that the client has suicidal tendencies. Many of the problems in establishing the communication guidelines can be avoided with a purposeful and comprehensive informed consent process.
Even with a very thoughtfully constructed e-communication system, there still exists the potential for HIPAA violations due to human error. If a clinician is going to communicate via email, it is extremely important to verify the client’s email address at several stages of the communication process.
Clients often come to treatment sessions with a great deal on their minds. They can be subject to distractions and prone to errors due to any number of reasons connected to their mental health concerns. If a client provides an email address on initial intake forms, double check that address verbally prior to sending any communications via email. If possible, request that the client send you an email first so that you can verify the address from its actual point of origin.
Then double check the address again prior to sending out any individual email containing PHI generally, or sensitive clinical information more specifically. If there is any doubt about the email address provided by the client, defer sending the email until the address can be fully corroborated. Any email containing PHI that is sent to the wrong address is considered a HIPAA breach.
As noted, all communications with clients should be recorded in the client’s case record. Email communications should include the date, time, patient identification, clinician identification, and the subject of the communication. It is strongly recommended that the message contained in the email be recorded exactly as it was composed to the client. This provides a fully accurate record of what was communicated should there ever be a disagreement with the client over what occurred during that communication.
A copy of a Client Activity Record is provided on the following page to demonstrate what an appropriate note of this interaction would look like.
Jane Q. Clinician LCSW
Case Activity Record
Client Name: Joe S. Client Date/Time: 2/5/15 8:54 AM
Activity Type (Phone call, letter, Case conference, etc.): Email
Parties Involved: Client
Activity Notes: The following message was sent via email to firstname.lastname@example.org: I am unable to attend the session scheduled for tomorrow night at 7 PM. Please forward me some times when I might reach you by phone to reschedule.
Follow-up Plans: A follow-up call will be made upon receipt of a message from client as to when client will be available.
Signature: Jane Q. Clinician, LCSW
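The record-keeping described in recommendation 5 and illustrated by the Case Activity Record above, as an added example in Python that is not part of the course materials or any vendor's product: an append-only case activity log that stores each e-mail verbatim with date/time, client and clinician identifiers and the action taken, records a deletion as a new entry rather than erasing the old one, and chains SHA-256 hashes so that later alteration of the log is detectable. Identifiers and the sample message are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

# Actions the guidance says must be recorded for ePHI, plus the two e-mail
# directions so that a sent or received message is logged as composed.
ACTIONS = {"created", "modified", "deleted", "printed", "sent", "received"}
GENESIS = "0" * 64          # prev_hash of the first entry


class CaseActivityLog:
    """Append-only log: entries are added, never removed or rewritten."""

    def __init__(self):
        self._entries = []

    @staticmethod
    def _digest(entry):
        # Hash every field except the hash itself, in canonical JSON form.
        material = {k: v for k, v in entry.items() if k != "hash"}
        blob = json.dumps(material, sort_keys=True).encode("utf-8")
        return hashlib.sha256(blob).hexdigest()

    def _append(self, clinician_id, client_id, action, activity_type,
                subject, body, when=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        prev_hash = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {
            "seq": len(self._entries) + 1,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "clinician_id": clinician_id,
            "client_id": client_id,
            "action": action,
            "activity_type": activity_type,
            "subject": subject,
            "body": body,               # stored exactly as composed
            "prev_hash": prev_hash,
        }
        entry["hash"] = self._digest(entry)
        self._entries.append(entry)
        return entry["seq"]

    def record_email(self, clinician_id, client_id, direction, address,
                     subject, body, when=None):
        """direction is 'out' (clinician to client) or 'in' (client to clinician)."""
        action = "sent" if direction == "out" else "received"
        return self._append(clinician_id, client_id, action,
                            f"email:{address}", subject, body, when)

    def record_deletion(self, clinician_id, client_id, seq, reason, when=None):
        """Deleting ePHI leaves the original entry in place and adds a note of
        what was deleted and when, like striking a line in a paper chart."""
        target = self._entries[seq - 1]
        note = f"deleted entry #{seq} ({target['action']}: {target['subject']})"
        return self._append(clinician_id, client_id, "deleted",
                            target["activity_type"], note, reason, when)

    def entries_for(self, client_id):
        return [e for e in self._entries if e["client_id"] == client_id]

    def verify_chain(self):
        """True if no entry has been altered, removed or reordered."""
        prev = GENESIS
        for e in self._entries:
            if e["prev_hash"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample mirroring the Case Activity Record above.
    log = CaseActivityLog()
    seq = log.record_email(
        "LCSW-JQC", "client-joe-s", "out", "firstname.lastname@example.org",
        "Reschedule", "I am unable to attend the session scheduled for tomorrow "
        "night at 7 PM. Please forward me some times when I might reach you "
        "by phone to reschedule.")
    log.record_deletion("LCSW-JQC", "client-joe-s", seq, "sent in error")
    print(len(log.entries_for("client-joe-s")), "entries; chain intact:",
          log.verify_chain())
```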
Additional Elements for Ethical Compliance
For clinicians who are less likely to engage in email communication with clients, there may be a simpler way to approach the complications present here. The right to privileged information belongs to the client, not to the clinician, and the client may choose to approach e-communications in a more open, less secure way.
If a client provides consent for a clinician to communicate via email using non-secure methods or systems, then the clinician is free to proceed using a standard email system – without all of the components that are necessary for a HIPAA compliant, secure system.
This is not an unusual occurrence. Many clients are much more concerned about adding more layers of complication to their lives than they are concerned about an email based breach of their privacy. They may agree to allow you to communicate with them on any system that you choose.
However, this must be accomplished with clarity about what constitutes informed consent. The client must do more than just consent to the use of non-secure e-communications; he or she must be fully informed about and actually comprehend the implications and risks of communicating in this format. Once this level of understanding has been accomplished, the client’s consent allows you to proceed without the risk of a HIPAA violation.
This is a good place to review and expand upon the recommendations noted earlier:
1) Get the patient’s consent in writing.
2) The patient should not be given just a binary choice, but a menu of choices. For example, a patient may wish to electronically receive information on appointment dates, but not test results. It may be helpful to provide the patient with a well-constructed checklist of all matters for which email may and may not be utilized.
3) The consent document — as is standard with most routine HIPAA forms — must note that the patient may withdraw his or her consent at a later time. If, for instance, a client becomes involved in a high-conflict divorce, his or her concerns about the privacy of email communications may have changed.
Just as a final reminder of a matter noted earlier in this section: “If a patient initiates an e-mail with a physician, Rachel Seeger of HHS Office for Civil Rights says that it is assumed that the patient consents to unencrypted communication. ‘If this situation occurs, the health care provider can assume (unless the patient has explicitly stated otherwise) that e-mail communications are acceptable to the individual.’”
Even with this instance of “implied consent,” a conscientious clinician will follow up with the client as soon as possible to clarify the extent to which the client would like to consent to e-communication in the context of the therapy relationship – and put the consent agreement in written form. A copy of this can be placed into the case record and a copy can be provided to the client detailing what circumstances permit and do not permit email communication.
Important Vocabulary for the Era of Social Media and E-communication
In this era of enhanced communication options - and complexities - there is a whole new vocabulary that should be part of the mental health clinician's knowledge base. For your benefit, this information is presented below:
Glossary of Key Terms, Acronyms and Concepts Useful for TMH Practice
128-bit Encryption: 128-bit encryption is the minimal standard of encryption required to meet the Advanced Encryption Standard, which is in turn necessary to meet HIPAA encryption standards. 128-bit encryption is the equivalent of encrypting a message with a 32-digit password so that the world’s fastest computer systems would require thousands of years to break the encryption code.
AES: The Advanced Encryption Standard specifies the guidelines for the level of encryption required to be considered secure for electronic data, as specified by the U.S. National Institute of Standards and Technology (NIST).
Asynchronous/Synchronous Communication: Synchronous communication consists of any mode of interaction that occurs in real time between the client and the service provider, including face-to-face contact, phone contact, and real-time video teleconferencing interactions. Asynchronous communications consist of any interactions with clients in which a lag time occurs or may occur in the receipt and transmission of communications and responses, including texting, email, snail mail, and chat based modes of interaction.
BAA: A Business Associate Agreement is a formal, legal document required by HIPAA to be used when any HIPAA entity contracts for services that will involve the transmission, storage, or use of clients’ Protected Health Information (PHI). The BAA must commit the contractor – and any sub-contractor – to treating PHI with the same level of HIPAA compliant care that the Covered Entity provides in the management of private health information.
Bandwidth: Bandwidth consists of the capacity of electronic communication platforms to transmit clusters of data at a given rate of speed. Bandwidth is usually measured in Megabits per second (Mbps) or Kilobits per second (Kbps). Typically, the more information that is stored in any data cluster, the more bandwidth is required for a fast and smooth transfer of the data without slowdowns, buffering or interruptions. For example, a color video file with sound will contain more information than an audio file and will require a system with larger bandwidth to allow for a fast transfer of the data. A very fast wireless internet connection will offer a bandwidth of just over 50 Mbps, allowing for the smooth transmission of large video files, such as music videos or movies.
Distant Site/Origination Site: When distance modes of service delivery are being used to interact with clients, the legal term for the location of the client is the Origination Site, while the service provider’s location is called the Distant Site.
Encryption: Encryption is the mathematical scrambling of data so that it cannot be understood by eavesdroppers. Encryption uses complex math formulas ('ciphers') to turn private data into meaningless gobbledygook that only trusted readers can unscramble.
HTTPS: HTTPS, seen at the beginning of a web address, stands for HyperText Transfer Protocol Secure. HTTPS is the secure version of the prefix HTTP, using secure socket layer (SSL, now superseded by TLS) encryption technology to protect the transferred information. This allows for the secure transmission of private information, like credit card information. It is not advisable to provide confidential information over the internet unless you see the HTTPS prefix in the internet address.
IM (Instant Messaging): IM is a computer program or smartphone application, usually obtained at no cost, that operates like texting or email and allows you to connect to other IM users through the Internet.
IMSI-catcher: An IMSI-catcher (International Mobile Subscriber Identity catcher) is a device that masquerades as a cell phone tower or base station to fool a mobile device into downgrading or disabling its encryption, allowing the device operator to intercept cell phone signals. The Stingray is one version of an IMSI-catcher.
Man in the middle attack: This is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. In order for electronic communications to be protected, the providers of the communication infrastructure are supposed to anticipate and have strategies for addressing these kinds of communication interception problems.
Portal: A website that offers services to customers of particular industries, such as a web-based patient "portal," on which patients can set appointments, email their medical provider, and see copies of their medical records.
SMS: Short Message Service (text messaging) is a service of sending short (up to 160 characters) messages via smart phones, cell phones or personal digital assistant (PDA).
VoIP: Voice over Internet Protocol is a system that allows voice communication to be translated into digital format and sent over the internet. VoIP calls can be secure if they are sent over an established Virtual Private Network.
VPN: Virtual Private Network is a system allowing computers to connect securely through public internet servers by establishing either dedicated connections, virtual tunneling protocols, or encrypting/decrypting technologies that allow for secure transmission of text, voice, video, or multi-media communication.