Pope & Vasquez (2016). Confidentiality

Confidentiality: Ethical Challenges and Best Practices in Professional Psychology

Introduction to Confidentiality

Client Trust and Its Importance

Clients place a lot of trust in psychological professionals to safeguard their confidential information.

They trust you are:

Protecting digital records from internet leaks, social media, curious eyes, and identity thieves.
Securing physical paper charts.
Abstaining from discussing treatment details with colleagues in public spaces (e.g., hospital halls, clinic cafeterias, train stations).

Consequences of Breaches

Leaks of confidential information can lead to various problems, impacting clients without warning

Ways it can Impact Clients

A rushed response to a subpoena might grant unauthorized access to sensitive documents.
A simple phone message asking a client to return a call could inadvertently reveal therapy engagement to an abusive partner.
- Example: In one CBC News report, more than a dozen Canadians were blocked from entering the U.S. because their mental illness records were shared with the U.S. Department of Homeland Security. Information in the Canadian Police Information Centre (CPIC) database, which can include mental illness history (e.g., suicide attempts), is accessible to American authorities (Bridge, 2011; "Canadians' Mental-Health Info Routinely Shared With FBI, U.S. Customs," 2014).
How we could inadvertently breach confidentiality
- 1. Signing notes in titanium (will use the Citrix retriever)
- 2. Conducting Telehealth at home
- 3. Also if I were to be discussing a client with someone in the cubicles
- 4. Not sharing too much with family friends when discussing your day
- 5. Using a template in research or for notes
- 6. Reports being written at home

Prevalence of Confidentiality Violations

Confidentiality is a persistent and significant ethical challenge for psychologists:

Over half ( $62\%$ ) of therapists in one national study (Pope, Tabachnick, & Keith-Spiegel, $1987$ ) reported unintentionally violating patient confidences.
Another national study (Pope & Bajt, $1988$ ) found that intentional violations of law or ethical standards by senior, prominent psychologists most frequently involved confidentiality.
- $21\%$ of cases, therapists intentionally violated confidentiality in transgression of law.
- In another $21\%$ of cases, therapists refused to breach confidentiality to make legally required reports of child abuse.
Therapists’ experience as patients
- About $10\%$ of therapists surveyed (Pope & Tabachnick, $1994$ ) reported that their own therapists had violated their rights to confidentiality.

Emerging Challenges: Data Privacy and Re-identification

Data Aggregation and Re-identification Risks

Clinical information, often shared with consent with insurance or managed care companies, is increasingly aggregated into large research databases. While intended to be de-identified, sophisticated strategies can re-identify individuals.

Latanya Sweeney, Director of Harvard's Data Privacy Lab, successfully re-identified people with Huntington's disease from a de-identified database.
An example cited (Walter, $2007$ , p. $92$ ) describes a banker cross-referencing publicly available de-identified data to identify clients with cancer and call in their loans.

Flaws in Anonymization

Scientists have demonstrated that individuals "hidden" in anonymized data can often be "reidentified" or "deanonymized" with astonishing ease (Ohm, $2010$ , p. $1701$ ).

This fundamental misunderstanding about data privacy pervades nearly all information privacy laws and regulations.
The U.S. President's Council of Advisors on Science and Technology (PSCST, $2014$ , p. $38$ ) reported that "anonymization (also termed deidentification) applies when the data, standing alone and without an association to a specific person, do not violate privacy norms….Unfortunately, it is increasingly easy to defeat." (see also Daries et al., $2014$ ).

Threats and Pitfalls in Practice

Human Factors and Ethical Lapses

Confidentiality helps clients speak freely, but therapists can be tripped up by human factors.

Fatigue, stress, and routine can dull awareness, leading to "ethical sleep" or automatic behavior when vigilance is crucial.
Lapses of attention, even brief ones, can cause significant problems, similar to driving.
Despite thorough professional diligence (studying laws, ethics codes, consulting attorneys), ethical intelligence can falter, leading to trouble.

Increasing Complexity of Confidentiality

Maintaining and protecting client records has become significantly more complex in recent years (Bemister & Dobson, $2011$ , p. $302$ ).

Additional layers of complexity arise from variations in the nature of confidential material and the number of people entitled to receive it (Allen, $2009$ ).
Confidential material includes more than just facts; "facts, impressions, events, and data of all sorts can be deemed confidential" (Allen, $2009$ , p. $127$ ).
The "community authorized to receive confidential information can be smaller than a family or as large as a workforce" (Allen, $2009$ , p. $127$ ).

Specific Pitfalls:
- 1. Referral Sources: Sending thank-you notes to referral sources that mention a specific patient or provide details about their appointment/discussion without the patient's knowledge or consent is an unintentional breach.
- 2. Public Consultations: Discussing confidential patient information within earshot of unauthorized individuals in public places (e.g., clinic hallways, elevators, restaurants, large meeting waiting areas).
  - Example: A therapist discussed a "difficult" patient on a crowded elevator, unaware the patient was standing nearby and listening.
  - Private consultations must remain private.
- 3. Gossip: Talking about work to "blow off steam" in social settings (lunch, staff lounges, parties) can easily lead to slipping a patient's identity or betraying confidences.
  - Sharing fascinating or news-worthy patient information, or engaging in "insider trading of confidences" (knowing who is in treatment and why), is unethical.
- 4. Case Notes and Patient Files: Many people have likely seen unsecured documents with patient names or confidential information.
  - Lack of Security: Example of a prestigious teaching hospital stacking patient charts in an unattended public hallway with names clearly visible.
  - Lack of Discretion: Colleagues leaving charts and patient information visible on their desks.
  - Key Issues:
    1. Visibility: Keeping information out of sight of unauthorized people. Documents should be inside charts, folders closed, and patient names not visible on the outside (coding systems are recommended).
    2. Security: Charts in unattended areas must be under lock and key.
  - The Golden Rule: Consider what level of care one would want for their own chart, containing their deepest secrets, if they were the patient. This includes safeguarding against accidental visibility to employers, neighbors, relatives, etc.
- 5. Phones, Faxes, and Messages:
  - Leaving phone messages with patient names, numbers, and reasons for calling visible.
  - Faxes about patients arriving where content can be seen.
  - Overhearing both sides of a patient phone call.
  - Answering Machines/Voicemail with Speakerphones: Playing back messages (some from patients) when others are present (e.g., friends waiting for lunch, family at home) can lead to accidental disclosures.
  - Golden Rule Application: Remaining constantly mindful, aware, and alert to these potential problems.
- 6. Home Office: Poses unique challenges:
  - Patients encountering family members or friends upon arrival/departure.
  - Children interrupting sessions.
  - Files, appointment books, message slips left visible to family members.
  - Family members overhearing phone or Skype sessions.
  - Confidential information on shared computers without proper security.
  - Shared telephone answering machines playing back patient calls to family members.
- 7. Sharing with Loved Ones: Therapists sharing daily work details with a spouse or partner as an act of intimacy, but this must be done without violating patient confidentiality.

Complex Settings and Specific Situations

Communications in Group or Family Therapy:

Informed Consent: Patients in multi-person therapy must be informed in advance about the limitations of privacy, confidentiality, or privilege due to the presence of others.
Handling "Secrets": Clinicians must clarify how "secrets" will be handled (e.g., if a minor reveals drug use or pregnancy, or an adult reveals an affair or financial secrets) so clients can provide informed consent (e.g., Kuo, $2009$ ).
Trust: While trust is a major theme, there's always a risk that a group member might be there for ulterior motives (e.g., a reporter gathering information for an exposé, someone writing a memoir) or simply pass information along to family and friends, causing it to ripple outwards.
Documentation Challenges: If a single record is kept for a family or group, a request/subpoena for records by one member cannot be fulfilled without the informed consent or legal waiver of each patient named. A solution is to keep separate charts for each patient in a family or group.

Written Consent

Common Problem: Failing to obtain written informed consent to release confidential information.
Ethics Codes: Both the APA and CPA Ethics Codes address documenting consent, whether a signed form or a note about oral consent.
Clarity: Written consent promotes clarity between therapist and patient, preventing misunderstandings about:
- Exactly what information will be released.
- Whether the therapist can discuss any aspect of history, situation, and treatment, or provide all clinical files vs. a summary.
- When authorization ends; if future requests from the recipient are covered or require renewal.
Insurance Disclosures: Patients may not understand the type of information insurance companies require or the degree to which it will be safeguarded.
- Keith-Spiegel and Koocher ( $1985$ , p. $76$ ) provide a hypothetical therapist statement:
  > "If you choose to use your coverage, I shall have to file a form with the company telling them when our appointments were and what services I performed (i.e., psychotherapy, consultation, or evaluation). I will also have to formulate a diagnosis and advise the company of that. The company claims to keep this information confidential, although I have no control over the information once it leaves this office. If you have questions about this you may wish to check with the company providing the coverage. You may certainly choose to pay for my services out-of-pocket and avoid the use of insurance altogether, if you wish."

Managed Care Organizations (MCOs): Challenges to confidentiality have grown significantly since the advent of MCOs.
- Increased Information Requests: MCOs ask for much more information than traditional third parties.
  - Reasons: Known instances of clinicians distorting information or charging for unprovided services; ensuring treatment meets "medical necessity" criteria.
  - Requests often include treatment plans, copies of notes, on-site chart reviews, and direct patient contact for verification (Moffic, $1997$ , p. $97$ ).
- Impact on Patients: Patients feel betrayed when psychotherapy records become part of their general medical record in an HMO and are further shared.
  - Example: A woman's treatment was posted on an employee relations bulletin board by management and union to cut sick leave and healthcare costs, as per contract terms.
- Ethical Guidelines for Professional Care: The National Academies of Practice (including various health professions) adopted Ethical Guidelines for Professional Care and Services in a Managed Care Environment ( $1996$ ), listing confidentiality as a primary concern.
  - While utilization and quality assurance reviews are acknowledged, safeguards are emphasized to protect privacy and confidentiality.
  - Rationale: Founded on the patient's autonomous right to control sensitive personal information and the historical value of confidentiality in enhancing trust (Hippocratic Oath, p. $5$ ).
- Multidisciplinary Teams: The increasing capacity to generate and disseminate health information, coupled with complex healthcare provision, raises questions about how much information can be shared within multidisciplinary teams and who qualifies as a team member (Slowther & Kleinman, $2008$ , p. $43$ ).
  - Case conferences may lack proper monitoring, leading to inadvertent overhearing by inappropriate audiences.
  - Fears exist regarding wider circulation of electronic patient records (Ward, $2010$ , p. $113$ ).
- Electronic Medical Records (EMRs): Pose difficult confidentiality challenges.
  - Richards ( $2009$ , p. $553$ ) notes psychologists documenting in EMRs potentially inform all members of a patient's medical team that the patient is in psychological care. While informed consents discuss limits, patients may not realize the extent of information shared (e.g., participation, dates, services, diagnoses – similar to insurance billing).
  - This information might be something a client doesn't want their primary care physician to have.
- HIPAA Updates ( $2013$ ): Key changes affecting psychologists storing/transmitting client information electronically:
  - Enforcement and Penalties & Breach Notification: Heighten risks for non-compliant practitioners.
  - HIPAA Security Rule: Mandatory for psychologists storing or transmitting Protected Health Information (PHI) electronically.
    - PHI includes electronically stored client contact information, even without clinical details.
    - Compliance requires comprehensive review of security risks, including encryption.
    - Encryption is necessary but not sufficient; it protects information if a device is lost/stolen but doesn't solve all security problems.
    - Resources for compliance: APA Practice Organization's Security Rule Online Compliance Workbook and Privacy Rule Compliance product.
- Small Town Challenges: Example: A chief health-care administrator proposed periodic case review by staff psychologists in a town of fewer than $10,000$ people. Psychologists would know many patients socially/professionally, and patients had not given informed consent for this review.
  - Solution: Hire an external psychologist from another community to conduct reviews, ensuring patients understand the process.

Disclosing Confidential Information for Mandated Reports:

Legal Limits: Evolving legislation defines the extent of information to be revealed.
Case Example (People v. Stritzinger, $1983$ ): A psychologist reported suspected child abuse but then provided additional information to a deputy sheriff beyond the initial report, based on the deputy's interpretation of mandated reporting law.
- The California Supreme Court sided with the stepfather, ruling the psychologist was not obligated to make a second report concerning the same activity.
- The value of psychotherapy relies on a confidential relationship where the patient can freely share thoughts, fears, and weaknesses in an uninhibited manner (p. $437$ ).
Lawsuits for Disclosure: Psychotherapists can be sued for disclosing privileged information in court, even with general legislation protecting statements in court proceedings if it violates the patient's constitutional right to privacy (Chiang, $1986$ , p. $1$ ).

Publishing Case Studies: Requires exceptional care, as merely changing names and a few details may not suffice.
- Case Example (Pope, Simpson, & Weiner, $1978$ ): A therapist was successfully sued for publishing a book about a patient's treatment without consent and with insufficient disguise of her history.
- APA Casebook on Ethical Principles of Psychologists ( $1987$ a, p. $72$ ) example: Psychologist G conducted an evaluation of an accused murderer in a sensational case. After conviction, G wanted to write a book, expecting it to be lucrative. The convicted murderer refused permission, despite the information being public domain through court evidence.
  - Opinion: The Ethics Committee advised that publishing would be legal but unethical.
  - The fact that material is in the public domain or there's an implied waiver does not free the psychologist from the ethical obligation (Principle $5$ .b) to obtain prior consent before presenting personal professional information in a public forum.
  - Ethical Standard > Legal Requirement: In this case, the ethics code required a higher standard than the law.

Therapist Factors Affecting Confidentiality

Distraction: Momentary distractions can cause lasting problems.

No matter the experience or skill, therapists are still human and can be tired, overwhelmed, rushing, or careless.
Masterson's Example ( $1989$ , p. $26$ ): A prominent therapist describes denting his car, then being distracted and inadvertently picking up the wrong patient's file, allowing another patient to see the name. He recognized this as a "countertransferential failure to pay proper attention."

Focusing on Legal vs. Ethical Responsibilities: (Fisher, $2008$ )

Problem: Confidentiality workshops often overemphasize laws and risk management, with little time on ethical responsibilities.
HIPAA's Influence: Led to attorney-led HIPAA-compliance training, further overshadowing ethics training.
Ethical Problems Created by Legal-Based Training:
1. Attorney as sole expert: Fosters the impression that attorneys, not clinicians, are the "real" experts.
2. Usurping clinical language: Creates a legal language about confidentiality that threatens to replace psychologists' own clinical or ethical language.
3. Figure-ground confusion: Substitutes legal rules for ethical rules and often takes a risk-management perspective focused on avoiding risks to oneself, rather than client risks or ethical obligations.
4. Obscuring risk management: Understanding and following ethical principles is essential for avoiding malpractice suits.

HIPPA is medical information

Confidential is information that someone shares in a space and is broad

UKTH.zoom is what we want not UK.Zoom