TPC-Journal-V2-Issue3

The Professional Counselor \ Volume 2, Issue 3, p. 195

Counselors also should note that there are other backup services that offer what is called user or client-side encryption. ePHI is encrypted before it leaves the counselor’s computer, and no individual at the physical storage site can access the information. This protects the counselor, as staff at the storage site cannot provide any information about data that they are storing for the counselor. It is important to note that this does not mean that information on the counselor’s own computer is encrypted.

Communication of Client Information

HIPAA also addresses the transmission of ePHI via electronic methods such as e-mail. The law states that medical professionals must have some sort of measure to “guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network” (HIPAA, 2007, § 164.312(e)(1)), such as the Internet. Similar language regarding secure electronic communication is found in the ACA ethics code. It is important for counselors to be aware of this requirement, as communication with clients via e-mail or other online communication is likely to become more common for general communication as well as therapeutic tasks. As an example, McDaniel (2003) discusses the benefits of having clients e-mail weekly journals to their clinicians. This work was published before the HIPAA security rule went into effect, and the general idea is certainly no less useful today. However, the online transmission of identifiable material directly related to clinical work certainly falls under the legal guidelines discussed here. While in most cases clients are clearly giving permission for counselors to correspond via e-mail or by other means such as videoconferencing or online chat (Haberstroh et al., 2008), the laws regarding secure electronic transmission still apply.
It is important to note that the counselor is not liable for encryption or safety of material on the receiving end of the transmission (HITECH). This problem could be solved by using an e-mail service that forces encryption before transmission, an option available through most e-mail services. As indicated in the ACA ethics code, if online communication is utilized by a counselor, they should indicate the limitations of this method of communication with regard to the possible insecurity of online communication and encourage the client to take similar precautions when sending messages to the counselor.

Loss of Data or Involuntary Breaches of Confidentiality

One aspect of the care of ePHI that is not completely addressed by HIPAA or the most recent ethical codes is what should happen when ePHI is accessed inappropriately. For example, there is no specific guideline in the ACA ethics code indicating that clients should be notified when their files are accessed. It is up to the individual counselor to determine what to do if a client’s paper file is stolen. HITECH has changed this with regard to ePHI, however. The law requires medical professionals to have a specific plan in place to notify affected clients in the case of a breach of unprotected (e.g., unencrypted) electronic information—and to immediately notify the Secretary of Health and Human Services (HHS) if the breach involves more than 500 individual clients. At first glance this may seem like a large number, especially for an individual in private practice. However, any practicing individual who has used electronic records for some time will have at least this many case files over the lengthy period (often at least seven years) in which documentation may be kept. This means that if an unprotected backup of ePHI is stolen, the counselor is responsible for notifying every individual whose identity may be compromised within 60 days.
There are no ethical or legal requirements for disclosure after the loss of encrypted data, leaving it to the counselor to choose whom to notify.

Case Notes and Assessment Data

Another important ethical question that presents itself regarding ePHI involves unique types of medical information that are typically handled by counselors. Counselors may handle some types of information that have a different practical and legal status from “traditional” medical records, including case notes and testing material. Case notes have historically enjoyed nearly absolute privacy protection in the United States (Mosher & Swire, 2002) and are specifically addressed in HIPAA. They continue to retain expanded protection under current law, requiring a separate release when they are accessible at all (see Hixson & Hunt-Unruh, 2008). These include the type of notes that some counselors keep separately from the patient file and that are specific to the counseling process. They include observations, inferences and conceptualizations of the client; however, typical case notes including such information as diagnosis, prognosis, and changes in symptoms, etc. are not covered under this expanded protection (HIPAA, 2007). The case of assessment records, particularly raw data, is somewhat murkier. The general idea is that data may be misused or misinterpreted by individuals who are not trained in interpretation of test data, in addition to concerns about
