TPC-Journal-V2-Issue3

The Professional Counselor, Volume 2, Issue 3, 193

Poorly maintained ePHI systems are a significant legal and ethical risk for counselors for a variety of reasons. The risk covers the breadth of information typically kept by counselors, including reports, case notes, billing materials, correspondence, personal notes, and research stored on computers, smartphones, and other electronic devices (particular issues related to smartphones and similar devices are discussed below). This is due to the expanded definition of protected health information (PHI) that HIPAA creates—virtually anything that could be traced back to a client and confirms their treatment. HIPAA defines PHI as material in any format that “relates the past, present, or future physical or mental health or condition of an individual” (HIPAA, 2007, §160.103(2) [definition of individually identifiable health information]). It also covers information involved in payment for these services. In order to be categorized as ePHI, the information must be usable to identify an individual; that is, de-identified information is not covered under this definition.

HIPAA includes requirements for both physical and electronic safeguarding of ePHI (or of the computers that store ePHI). Physical security concerns access to the devices on which information is kept, and the tools and procedures related to physical access to records will probably be familiar to most counselors. Electronic safeguarding typically refers to basic practices such as antivirus software and other technical measures, but additionally refers to specific access and data management practices, as discussed below. Concerns related to electronic security are somewhat more complex and come with broader implications. For example, there is little information to help counselors determine what counts as a “reasonably anticipated” (HIPAA, 2007, §164.306(a)(2)) electronic threat.
Note that there are other areas where HIPAA may affect mental health practice in ways that may conflict with generally accepted standards of practice or ethical guidelines, such as the fact that communication for continuity-of-care or insurance billing purposes no longer legally requires a release. That discussion falls outside the focus of this article, which is on the specific effects of the security rule on counseling practice. (A general discussion of HIPAA issues affecting counselors can be found in Freeburg & McCaughan, 2008.)

Ethics, Law and Client Files

Counselors will be happy to learn that there are few significant conflicts between counseling ethics (ACA, 2005) and law with regard to ePHI. Differences are typically found where ethics codes within the mental health profession do not address issues that are addressed by HIPAA and HITECH. For example, general guidelines for the protection of client records are discussed in the most recent ethics code of the American Counseling Association (ACA, 2005). However, these guidelines focus more on a general need to keep confidentiality and on possible reasons for breaking confidentiality. The code does not suggest specific guidelines for keeping electronic records, but only notes that “records are kept in a secure location and that only authorized persons have access to records” (ACA, 2005, Standard B.6.a). No specific measures regarding ways to manage the confidentiality, security or privacy of ePHI are offered. HIPAA and HITECH lay out a number of details in addition to this general rule.

Data Backups

One primary concern not applicable to paper records is the legal requirement to keep an easily accessible, but equally secure and encrypted, backup of all ePHI (HIPAA, 2007, §164.308(7)(ii)(a): an entity must “establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information”).
Since this guideline is meant as part of a disaster recovery plan, which assumes loss of all data in a counselor’s office, this backup may often be kept offsite. That is, an additional secure location outside of the office is now necessary. With this rule and the advent of nominally secure and easily accessible cloud backup services, the variables defining a “secure location” have changed significantly since HIPAA was established. Counselors may be tempted to use an online backup service as an offsite backup, and the provisions of HIPAA and HITECH can aid them in choosing between an offsite physical backup in an additional secure location and the use of an online backup service. Under HIPAA and HITECH, the appropriateness of online backup is somewhat murky. Separately encrypting the data on the local computer (as required by HITECH; see below) before sending it over an encrypted connection to an online service may alleviate this concern. Before using any cloud backup solution, counselors
