CHAPTER 7
Standards on Privacy and Confidentiality
4. Privacy and Confidentiality
4.01 Maintaining Confidentiality
Psychologists have a primary obligation and take reasonable precautions to protect confidential
information obtained through or stored in any medium, recognizing that the extent and limits of
confidentiality may be regulated by law or established by institutional rules or professional or
scientific relationship. (See also Standard 2.05, Delegation of Work to Others.)
Psychologists respect the privacy and dignity of persons by protecting confidential
information obtained from those with whom they work (Principle E:
Respect for People’s Rights and Dignity). Standard 4.01 of the APA Ethics Code
(APA, 2002b) is broadly written and requires all psychologists to take reasonable
precautions to maintain confidentiality. The nature of precautions required will
differ according to the psychologist’s role, the purpose of the psychological activity,
the legal status of the person with whom the psychologist is working, federal
regulations, state and local laws, and institutional and organizational policies. The
term reasonable precautions recognizes both the responsibility to be familiar with
appropriate methods of protecting confidentiality and the possibility that confidentiality
may be broken despite a psychologist’s best efforts. The following are
general recommendations for maintaining confidentiality across a variety of psychological
activities.
Use of the Internet and Other Electronic Media
When providing services, conducting distance learning, or collecting research
data over the Internet, psychologists must become knowledgeable about or
obtain technical assistance in employing appropriate methods for protecting
confidential records concerning clients/patients, organizations, research participants,
or students.
• When files are stored via a common server or backed up on a university system or hub
server, discuss and develop security measures with appropriate personnel.
• Use encrypted data transmission, password-protected data storage, and firewall
techniques.
• When confidential information is e-mailed, faxed, or otherwise electronically transmitted
to scientists, professionals, or organizations, take reasonable steps to ensure that
recipients of the information have an adequate confidentiality policy (see also discussion
of HIPAA later in this chapter).
• Psychologists using the Internet for clinical supervision should instruct trainees on
appropriate procedures to protect client/patient confidentiality.
• Avoid leaving telephone messages for clients/patients on answering machines.
When such a message is unavoidable, take precautions to ensure the message does
not reveal to others that the client/patient is in treatment or any other confidential
information.
FOR THE USE OF UNIVERSITY OF PHOENIX STUDENTS AND FACULTY ONLY.
NOT FOR DISTRIBUTION, SALE, OR REPRINTING.
ANY AND ALL UNAUTHORIZED USE IS STRICTLY PROHIBITED.
Copyright © 2013 by SAGE Publications, Inc.
Need to Know: Cybersecurity Is a Two-Way Street
Cybersecurity at only one end of a network of communication is insufficient. Psychologists
should work with organizations, clients/patients, students, and others regarding how to
install appropriate security protections. This may include discussion of shared encryption
methods and adequate password protection for communications conducted on mobile
computing devices, such as smart phones and other digital devices (for a detailed review
of security concerns and practices, see T. J. Schwartz & Lonborg, 2011).
Audio, Video, or Digital Recordings of Voices or Images
Protecting confidentiality when recording voice or images of clients/patients,
research participants, employees, or others may require technical advice or
assistance.
• Store recordings in safe locations or use passwords to protect computer access.
• Distort voice recordings or mask faces in visual images to protect confidentiality.
• Destroy recordings when they are no longer needed, as long as their destruction does
not conflict with other ethical obligations to maintain scientific, organizational, or
professional records.
An educational psychologist sought consent and parental permission to use teacher
and student images in a web-based instructional video for science education. To
address parental concerns that students might be identified by Internet predators, she
used “masking” effects on video shots of students’ faces and sound editing to remove
any reference to names. When there were too many faces to conceal through masking,
she extracted a digital photograph from a scene in which only activities and not
identities were visible and then used editing software to extract appropriate audio
recordings to supplement the photographs (see Schuck & Kearney, 2006).
Research
• Use participant codes on all data collection materials and data entered for analysis.
• Maintain records linking participant codes to personal identifiers in a secure file and
destroy such records once they are no longer needed.
• Limit access to personally identifiable information and supervise research personnel in
routine confidentiality precautions.
• Separate consent forms from coded materials to avoid participant identification.
• Apply for a Certificate of Confidentiality under Section 301(d) of the Public Health Service Act of
1946 to obtain immunity from a subpoena requiring disclosure of identifying information
when there is a possibility that data collected are of a sensitive nature that, if
released, could result in stigmatization, discrimination, or legal action that could jeopardize
an individual’s financial standing, employment, or reputation (see
http://grants2.nih.gov/grants/policy/coc/).
• When publishing or otherwise disseminating research findings, consider special confidentiality
protections when unnamed but small, unique samples can be identified
through descriptions of demographic variables (e.g., persons with rare diseases from
distinct communities).
• Ensure that recruitment and research procedures do not inadvertently reveal confidential
information. For example, when studying addictions, mental disorders, sexually
transmitted diseases, or other potentially stigmatizing conditions, approaching target
populations for recruitment may result in public identification of the condition.
• Become familiar with and ensure HIPAA compliance when research involves the use of
PHI obtained directly by the investigator or through a covered entity (see section on
HIPAA later in this chapter).
• Become familiar with cultural and contextual factors that may influence participant
confidentiality preferences and concerns.
A psychologist conducting cross-cultural research in the Amazon arranged to have
individual interviews conducted in a private area of the village to protect participant
confidentiality. To the psychologist’s surprise, the villagers objected to these arrangements
as strange and uncomfortable because they did not ordinarily conduct social
or business interactions in private settings. In addition, those who did express interest
in participation brought their family members to the interview. With permission
from his IRB, he modified the procedures so that interviews were conducted in a
corner of a public space within the village, and family members were permitted to
be present at the invitation of the participants. Informed consent clarified to villagers
the type of information to be discussed, how the discussion with each individual
would be kept confidential from all who were not present during the interview, and
steps the psychologist would take to ensure that individual participants could not be
identified by others when the study results were disseminated (adapted from Monshi &
Zieglmayer, 2004).
Assessment and Psychotherapy Records
• Store therapy notes or client/patient records in locked file cabinets or in password-protected
computer files.
• When working with an HMO or within an institution, personally confirm that client/
patient permission for sharing confidential information has been obtained appropriately
through third-party contractual or institutional release forms.
• Protect the identity of clients/patients or other persons not covered by an HMO when
the HMO conducts a utilization review that includes inspection of noncovered clients’/
patients’ records.
• Obtain appropriate written permission and/or signed HIPAA-compliant authorization
before releasing confidential information to third parties (see below).
Implications of HIPAA for Practice and Research
Practitioners and scientists whose work includes creating, using, disclosing, collecting,
storing, or analyzing PHI should become familiar with requirements of the
HIPAA Privacy Rule summarized below (45 CFR Parts 160–164; see also “A Word
About HIPAA” in the Preface of this book).
Privacy Officer
Under HIPAA, “covered entities” must designate a “privacy officer” to oversee
and ensure that HIPAA-compliant privacy procedures are developed and
implemented. This requirement is “scalable,” in that meeting the requirement
will differ depending on whether a psychologist is in solo practice, directing a
group practice, or administrating a large institutional program. Covered entities
must implement security procedures that prevent unauthorized access to
health records. They must also take steps to ensure that employees, business
associates, individual contractors, consultants, collection agencies, third-party
payors, and researchers with whom Protected Health Information (PHI) is
shared comply with HIPAA regulations. Psychologists transferring PHI files to
or from HMOs or other companies are required to take steps to ensure that
confidential records are transmitted in secure ways, for example, by means of a
secured fax machine. Requirements for HIPAA compliance also vary with each
state’s privacy laws.
Small Group Practices
HIPAA distinguishes between large and small health care practices, recognizing
that for the latter, it is impractical to expect that employees will not handle PHI.
The following is a partial list of requirements when staff members have access to
such records (see Rada, 2003):
• All staff must be formally trained in HIPAA regulations, including state laws
relevant to faxing information that includes PHI and the group’s sanction
policy for violators.
• Staff must sign an employee confidentiality form, placed in their personnel
record along with a record of their training.
• E-mails and fax coversheets used to communicate PHI must indicate that the
information is confidential.
• The fax policy must be posted beside the fax machine.
• All vendors used by the practice for accounting, legal, actuarial, billing, or
other services must sign a business associate contract with the practice.
• In addition to a privacy officer responsible for the development and implementation
of the policies and procedures, each group practice must have an
office manager who (a) oversees HIPAA authorizations, completion and maintenance
of required records, and new staff training; (b) receives privacy complaints
and mitigates harmful effects of privacy disclosures; and (c) applies
sanctions when appropriate. In small clinics or practices, one person may
perform both these roles.
Research Creating, Using, or Disclosing PHI
Psychologists who are health care providers or who employ health care providers
to conduct research involving assessments or diagnoses that will be entered into a
participant’s permanent health record or used for treatment decisions involving
research participants should consider themselves or their research team covered
entities under HIPAA. Investigators who are not themselves health care providers
but who conduct intervention evaluation research or quality improvement research
for a health care facility or any other organization that is a covered entity must also
ensure that their procedures are HIPAA compliant. Additional details are provided
in Chapter 11 in the sections on Standards 8.02, Informed Consent to Research, and
8.05, Dispensing with Informed Consent for Research.
Implications of FERPA for Psychologists Working in Schools
The Family Educational Rights and Privacy Act of 1974 (FERPA;
http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html) is a federal law that protects the
privacy of student education records in all schools that receive funds under an
applicable program of the U.S. Department of Education. FERPA gives certain
rights to parents that get transferred to the student at age 18 or after leaving high
school. A student’s educational record may not be released without written permission
from the parent or the eligible student.
FERPA does allow disclosure of records without consent (a) in cases of health
and safety emergencies; (b) to comply with a judicial order or with state or local
authorities within the juvenile justice system; (c) to school officials with legitimate
educational interest; (d) to accrediting agencies, specified officials, or organizations
in connection with auditing or certain studies on behalf of the school; (e) to schools
to which the student is transferring; or (f) to parties in connection with the student’s
financial aid. HIPAA regulations do not apply to records that fall under
FERPA regulations. FERPA, unlike HIPAA, does not make distinctions between
student health and academic records. School psychologists need to be familiar with
state and district policies, which may be more protective of student health privacy
(e.g., HIV/AIDS). Readers may wish to also refer to “Need to Know: Avoiding
Conversion of Treatment Records to Educational Records” in the Chapter 9 section
on Standard 6.01, Documentation of Professional and Scientific Work and
Maintenance of Records.
4.02 Discussing the Limits of Confidentiality
(a) Psychologists discuss with persons (including, to the extent feasible, persons who are legally
incapable of giving informed consent and their legal representatives) and organizations with
whom they establish a scientific or professional relationship (1) the relevant limits of confidentiality
and (2) the foreseeable uses of the information generated through their psychological activities.
(See also Standard 3.10, Informed Consent.)
Legal, institutional, or professional obligations frequently place limits on the
extent to which private information acquired during psychological activities can be
kept confidential. Psychologists are often legally required to (a) report suspected
child abuse or neglect to child protection agencies; (b) contact family members or
other professionals to protect an individual from imminent self-harm; (c) warn a
potential victim of a client’s/patient’s intent to harm him or her; (d) contact a law
enforcement agency when they have foreknowledge of certain crimes; (e) assist in
lawful military investigations; (f) provide companies, police departments, or military
agencies psychological information to determine suitability for employment,
promotion, or assignments; (g) provide treatment or assessment information in
criminal or civil cases; or (h) provide information to third-party payors when mental
health treatment is covered by a health plan.
Disclosure of such information can have serious material consequences for
clients/patients, research participants, organizational clients, and others with whom
psychologists work. Promising confidentiality without revealing its known limitations
is a misrepresentation of fact that may violate a person’s privacy and liberty
(Bersoff, 1976). Release of confidential information poses risks to individuals and
their families when disclosures lead to investigation by child protective services,
arrest, conviction, institutionalization, loss of health or disability insurance, loss of
child custody, or social stigmatization. Disclosures of confidential information can
also lead to financial or legal risk for organizations.
Under Standard 4.02a, psychologists must discuss with persons and organizations
with whom they work reporting obligations and other limits to the confidentiality
of information that can be reasonably anticipated. This includes informing
those with whom one works about (a) state-mandated reporting requirements
related to suspicion of child maltreatment and elder abuse and foreknowledge of
specific types of crimes, and (b) the psychologist’s own professionally derived standards
for disclosing information (see Standard 4.05b, Disclosures).
Persons Legally Incapable of Consent
This requirement extends to persons who are legally incapable of giving informed
consent and their legal representatives (see Standard 3.10b, Informed Consent; “A
Word About HIPAA” in the Preface of this book). Practicing psychologists should
inform clients/patients and their legal guardians about the nature of information
that will be shared with guardians and with others based on law, institutional or
organizational regulations, or the psychologist’s policies regarding disclosure of
information related to self-harm or harm to others (Fisher, 2002a; Fisher & Oransky,
2008; Zeranski & Halgin, 2011; see also the Hot Topic, “Confidentiality and
Involvement of Parents in Mental Health Services for Children and Adolescents,” at
the end of this chapter). School psychologists may need to inform students, guardians,
and school personnel about laws governing the release of school records—for
example, FERPA, which establishes the right of parents to obtain copies of their
children’s school records (20 U.S.C. § 1232G[a][1][A]; 34 CFR § 99.11b).
Research psychologists should inform legal guardians and, to the extent possible, the
prospective participants themselves about any limitations in confidentiality. Such
limitations might include reporting requirements, if investigators are state-mandated
child abuse or elder abuse reporters, or protective policies, if the investigators have
elected to disclose to guardians or professionals information about participants with
suicidal ideation or other serious health compromising behaviors (Fisher 2002b,
2003a, 2003b; Fisher & Goodman, 2009; Fisher & Vacanti-Shova, 2012).
Third-Party Payors
When services will be covered by third-party payors, psychologists need to
inform clients/patients about information that will be shared with the third party,
including treatment plans, session notes, and diagnoses. Some contractual agreements
with health maintenance organizations (HMOs) permit utilization reviews
that provide HMO access to information about clients/patients not covered under
the policy. Clients/patients must be informed of such limits on confidentiality if
records cannot be adequately de-identified. Psychologists receiving payment
through credit cards should inform persons about the possible use of this information
by credit card companies that may sell their client lists to organizations specializing
in self-help or other related products.
Military
In the military, there is no psychologist–client confidentiality in the traditional
sense. Military psychologists are required to release information on command to
assist in the lawful conduct of investigations or to determine suitability of persons
for service or assignments. One of the most noteworthy gains in confidentiality and
respect for the rights of the individual was the implementation of DoD Directive
6490.1 (U.S. DoD, 1997a) and DoD Instruction 6490.4 (U.S. DoD, 1997b). Thanks
to the efforts of military psychologists, active-duty service members sent for
commander-directed mental health evaluations now have (a) the right to know why
they were referred for the evaluation and who will be conducting that evaluation,
(b) an opportunity for a second opinion following receipt of a summary of the findings,
and (c) a right to speak with legal counsel, a chaplain, and a member of
Congress regarding their situation (see Orme & Doerman, 2001). W. B. Johnson,
Grasso, & Maslowski (2010) point out that actual “conflicts” between the APA Ethics
Code and military law (Standard 1.02, Conflicts between Ethics and Law, Regulations,
or Other Governing Legal Authority) can be avoided by skilled clinicians who work
within the chain of command. For example, when ordered to provide a client’s/
patient’s record under the DoD need-to-know statute, a psychologist could work
with the requesting officer to determine the specific information of interest (e.g., is
this member fit to deploy?), so that the client’s/patient’s privacy could be protected
with a general response that does not include specific details of mental health history
and current specific problems (W. B. Johnson et al., 2010).
Implications of HIPAA
Psychologists creating, transferring, analyzing, or storing PHI via electronic
transmission or working with a managed care company, bill collection agency, or
other organization that does so are required to provide individuals with a Notice
of Privacy Practices that details the uses and disclosures of PHI and the individuals’
privacy rights under relevant federal or state law (45 CFR 164.520).
Notice of Privacy Practices and informed consent forms used by psychologists
working in small group practices need to clarify the extent to which confidential
information will be shared with other practicing professionals in the group on a
regular basis and how confidentiality will be protected (see “A Word
About HIPAA” in the Preface of this book).
(b) Unless it is not feasible or is contraindicated, the discussion of confidentiality occurs at the
outset of the relationship and thereafter as new circumstances may warrant.
Clients/patients, research participants, organizations, and others are entitled to
know the limits of confidentiality and its potential consequences before deciding
whether or how to engage in a scientific or professional relationship with a
psychologist. Standard 4.02b requires that psychologists discuss the known extent
and limits of confidentiality at the outset of the relationship. The phrase “unless it
is not feasible or is contraindicated” permits psychologists to delay discussion of
confidentiality in cases in which the treatment needs of a new client/patient, such
as acute trauma, must take priority. It also permits delays when the limits of confidentiality
need to be further explored. For example, a therapist may need to call a
client’s/patient’s health plan to determine its utilization review policies. In such
situations, confidentiality is discussed as soon as the crisis has subsided or all information
has been obtained.
In some instances, the scientific or professional relationship may change over
time, requiring renewed discussion of confidentiality. For example, in longitudinal
studies involving children extending over several years, both participants and their
guardians may need to be reminded of confidentiality policies, especially if a change
in such policies is warranted as the child matures into adolescence or adulthood.
A psychologist whose client/patient asks him or her to testify as a fact witness
on the client/patient’s behalf should carefully explain to the client/patient how
this changes the nature of confidentiality and the implications of waiving client–
therapist privilege.
Need to Know: Should Psychologists Search the Internet for Information on
Clients/Patients, Students, Employees, and Others With Whom They Work?
The informational opportunities offered by new technologies raise ethical questions regarding
confidentiality and informed consent when psychologists search cyberspace for information
about those with whom they work. F. W. Kaslow, Patterson, and Gottlieb (2011)
suggest that intentional Internet searches conducted without the knowledge of those with
whom psychologists work may violate an individual’s expected zone of privacy, erode trust
in the professional relationship, shift the psychologist’s role to that of an investigator, and
impede the developing autonomy of clients/patients, students, or employees (Principle A:
Beneficence and Nonmaleficence; Principle B: Fidelity and Responsibility; Principle C:
Integrity; Principle E: Respect for People’s Rights and Dignity). They suggest the following:
• Psychologists’ Internet search policies should be made clear at the outset of
any professional relationship, and psychologists should be similarly direct when they obtain
information through such a search.
• Before conducting an Internet search, psychologists should consider whether it
would violate fundamental assumptions of privacy, integrity, and trust held by clients,
students, prospective employees, and others with whom they work.
• Intentionally searching for information over the Internet without the knowledge of
clients, students, and others should only be undertaken when absolutely necessary
(e.g., when there is a concern about potentially violent behavior or self-harm).
• Psychologists should also keep in mind that information on the Internet is not
always accurate, and they should guard against unverified assumptions.
(c) Psychologists who offer services, products, or information via electronic transmission inform
clients/patients of the risks to privacy and limits of confidentiality.
Psychological services or transmission of records conducted over the Internet
and other electronic media are vulnerable to breaches in confidentiality that may
be beyond the psychologist’s individual control. Under Standard 4.02c, clients/
patients must be made aware of the risks to privacy and limitations of protections
that the psychologist can institute to guard against violations of consumer confidentiality
when information is transmitted electronically (see Standard 4.01,
Maintaining Confidentiality).
• Psychologists conducting therapy or assessments via e-mail or through secure chat
rooms should inform clients/patients about the possibility of strangers hacking into
secure sites or, when applicable, the extent to which institutional staff have access to
secure sites on a hub server.
• Sometimes, clients/patients may send unsolicited sensitive communications to a
therapist’s personal e-mail account. Once psychologists become aware that such an
e-mail has been sent, they should inform such clients about the risks of others reading
these e-mails and discourage clients/patients from future e-mail communications if
such communications are clinically contraindicated.
• Clients/patients who discuss sensitive information with psychologists over a cell
phone should be warned about the limits of confidentiality when this medium is
used.
• Psychologists transmitting health records to managed care companies or other health
providers need to alert clients/patients to potential breaches that may occur when
health information is passed through multiple systems, including utilization reviewers,
case managers, bookkeepers, and accountants (such information may be included in
the HIPAA Notice of Privacy Practices discussed earlier in this chapter).
• Psychologists providing services on a website should include a visible and easy-to-understand
privacy statement whenever a consumer’s personal information is
requested. In addition to information regarding site privacy protections (e.g., firewalls),
the privacy statement should advise consumers of how personal information will be
used (e.g., sold to other sites, used to contact the consumer at a later date) and
whether they can opt out of these uses.
4.03 Recording
Before recording the voices or images of individuals to whom they provide services, psychologists
obtain permission from all such persons or their legal representatives. (See also Standards 8.03,
Informed Consent for Recording Voices and Images in Research; 8.05, Dispensing With Informed
Consent for Research; and 8.07, Deception in Research.)
Psychologists who use audio, visual, or digital recordings of voices or images to
provide services to individuals must obtain permission from all such persons or