TPC-Journal-V2-Issue3

The Professional Counselor \Volume 2, Issue 3 196 the security of test instruments themselves (Committee on Legal Issues, 2006). Given the historical view of the fields of psychology (Committee on Legal Issues, 1996) and the current view of counseling (ACA, 2005) on the security of test data, particularly raw data, one might expect assessment data to be separated in a manner similar to case notes in regards to release of the information. However, rules in HIPAA regarding test data state that a client can choose to sign their entire medical record (sans case notes) to any third party (HIPAA, 2007). While HIPAA allows the medical professional to exclude certain information based on client safety, or if the counselor obtained the information under separate release from another practice, possible misuse of test data is not an acceptable reason to exclude portions of a counselor’s record (Erard, 2004). There are no stipulations in HITECH that change this. However, ACA’s 2005 ethics code is clear in its statement that “[test] data are released only to persons recognized by counselors as qualified to interpret the data” (Standard E.4). This is the most significant difference between the ACA ethics code and current law. Online assessment and treatment is another activity that counselors may not have considered when reviewing the impact of law on their practice. A growing number of therapists, for example, are using online tools for various tasks such as career assessment (Gysbers, Heppner, & Johnston, 2009), and are starting to pursue online counseling activities (Haberstroh et al., 2008). This information is typically stored on computers that belong to the test owner, not the counselor, and the counselor is not directly responsible for information on these machines. However, counselors have an ethical responsibility to ensure the integrity of the website that a client may use for such an assessment. The ACA ethics code specifically addresses this issue by stating that counselors should be aware of the limitations of online activities and share this information with the client. It also discusses guidelines for supervision of online activities (ACA, 2005). This is a relatively new area of practice that is not covered by HIPAA or the more recent HITECH. However, the same care should be taken with any information downloaded from these sites as with any other ePHI. A Note About Smartphones It also is important to note that as “alternative” (and easily lost) computing devices such as smartphones and tablet computers become more common, counselors are likely to use these to monitor and keep client records as well. Most cloud storage systems offer mobile applications for smartphones, or have websites that may be accessed by smartphones. Additionally, there are a number of smartphone tools designed to assess symptoms or help a client keep a journal. As a part of informed consent in treatment, clients should be reminded of the risk of keeping such information on their phone. At the current time, it is not advisable to use smartphones or tablet devices to access ePHI unless it is being accessed over a secure network and then deleted (e.g., information is accessed through a local network or virtual private network). Often, information such as this may be cached on the device and accessible if the device is stolen or lost. Counselors also should be encouraged to utilize a passcode on these devices, as required under the rules regarding computer access under HITECH. Finally, counselors should take care to monitor the security of any messaging that they use on their phone. While secure e-mail can be configured on most smartphones, there is no way to secure a text message and clients must be informed of this risk if text messaging is used as a form of communication between counselor and client. (For good examples of situations where text messaging may be a productive tool in counseling, see Agyapong, Farren, & McLoughlin, 2011, and Suffoletto, Callaway, Kristan, Kraemer, & Clark, 2012). Practice Guidelines Access Policies and Documentation Counselors are responsible for a number of procedural issues regarding “live” practice. The organization is required to have a designated individual who is responsible for ensuring the practice meets legal guidelines regarding records as well as other issues. In solo practices, this would mean the individual counselor. In group practices, this person needs to be readily identifiable and does not have to be a licensed individual, or someone who is an active counselor in the practice. The practice also must have a manual of procedures regarding such things as password policies, access policies, standards regarding computer security, instructions for encryption and storage of files, and documentation that everyone in the office has been kept up to date on these policies. This is not an exhaustive list, but indicative of the types of information that need to be covered and readily available in the case of an audit. “Case notes” also are required for this list of procedures,