TPC-Journal-V2-Issue3

The Professional Counselor, Volume 2, Issue 3 (p. 197)

documenting changes to these policies as they are made (HIPAA, 2007). Not only must counselors have general physical safeguards in place, there must be policies specific to physical access to any computers that can access or modify records. Controlled access to individual machines is required, including user-specific logins with passwords and automated logoff in case an individual leaves their desk and forgets to log off. Counselors should be encouraged in particular to pay close attention to their password policies (see Proctor, Lien, Vu, Schultz, & Salvendy, 2002). Ideally, in small group practices each individual will have their own computer which is only accessible using their personal login. If more than one counselor uses a computer, the counselor must be able to show that individuals who should not be able to access certain information are not able to do so. For example, in many situations graduate counseling students might access services through a college counseling center. If some of their peers work at this site, steps would need to be taken to ensure that they do not have access to these files. In another case, in many areas with less access to counseling services, an individual with a close relationship to one counselor may be seeing another individual in the practice. Depending on the nature of a practice’s electronic records, keeping a separate individual paper file may be easier than modifying ePHI procedures to account for this type of issue. Another alternative might be to keep a file on a counselor’s individual computer, if records are kept on a central storage device or server.

Encryption

Although not specifically addressed by ethical standards, encryption of electronic files is encouraged by relevant law. This concerns not only local files, but also offsite backups.
According to HIPAA, an electronic file had to be kept in such a way that it was not able to be modified by unauthorized individuals. This could be interpreted as encryption, but controlled access to computers technically counted as this type of protection. HITECH, however, encourages medical professionals to encrypt all local data. In addition to the required notification discussed above, fines of up to $50,000 (per incident) have been instated for loss of client data. As noted, notification of clients or the department of HHS is not legally required for the loss of adequately encrypted data, and it is up to the counselor to create a policy regarding notification to clients of loss of encrypted data. The current ACA ethics code does not specifically address encryption or backup of ePHI.

Additional HITECH Practice Guidelines

There are other changes in HITECH that will affect counseling practice that are not specifically related to the use of electronic records. HIPAA and HITECH also have guidelines regarding what are labeled as “business associates.” Counselors may occasionally share information regarding clients with other individuals or agencies in order to assist with such activities as billing or collections. This information is part of a client’s PHI. As such, it is the responsibility of the counselor to create a contract with this “business associate” that includes language stating that the associate also will maintain HITECH-compliant security (similar to HIPAA, but including rules regarding encryption, etc.) related to any information that the counselor shares with this agency. The counselor is presumably, but not specifically, also responsible for ensuring that the other agency has some awareness of security requirements for ePHI. The counselor is not, however, responsible for monitoring this other agency and is not responsible for data lost by this other agency (HIPAA, 2007; HITECH, 2009).
HITECH has made some changes with regard to the provision of records to the client and to insurance companies. Clients must be provided with a complete copy of their records upon request at “reasonable” cost—if the counselor charges any amount for release of records, ePHI must be shared with only a reasonable cost of labor. Clients also have the right to records about the sharing of records with other entities for up to three years. This means that in addition to typical record-keeping, counselors also must keep some sort of receipt or other notes indicating exactly what information has been shared with others, such as providers or insurance companies. Finally, while this was an existing ethical requirement (ACA, 2005), counselors are now legally allowed to share only the minimum necessary amount of information in order to meet the needs of the other agency or individual who is requesting the information. For example, records shared with another entity such as an insurance company should involve only the information necessary for the insurance company to be able to appropriately bill for services. HITECH clarifies
