Confidentiality

Law and Ethics Nuts and Bolts

GENERAL RULES

Release of information. Unless there is written release of information from a client, a therapist is legally and ethically obligated to keep the client’s confidentiality. This includes not confirming or denying that the person is your client.

​

Right to release information. Generally, the person(s) who has the right to consent to your client’s treatment is the person who has the right to sign a release of information.

Verbal release. Sometimes verbal permission to release information is sufficient, but best practice is to obtain written permission as soon as possible. Document verbal permission in progress notes.

Families. To disclose or release information about any client in family or couples therapy, the therapist needs written permission from everyone who attends the sessions.

Children. For a client under 18, the legal requirement is to have the parent (or whoever is authorized to consent to treatment) sign the release of information. The best ethical practice with children over 12 is to have the child sign it as well.

Secrets policies. When seeing a family or couple, a therapist can set whatever policy seems clinically appropriate for keeping (or not keeping) secrets within the family group being seen. But there must be a consistent policy and it must be told to the family members at the onset of therapy. (Most family therapists prefer to have a “no secrets” policy. For example, if one member of a couple calls between sessions to tell the therapist she is having an affair and isn’t ready to tell her partner, the best practice usually would be to encourage her to bring it up in the next session, with the caveat that if she doesn’t, the therapist will.)

Information from other sources. A release of information does NOT allow a therapist to release information in the client’s chart that came from other sources, eg previous therapists’ records, or reports from MDs.

 

ELECTRONIC COMMUNICATION

Any communication about a client by electronic means must go through secure software and servers. Insurance companies and government entities who request client information should have these systems in place for you.

Email and texting are not secure and should NOT be used to exchange information about clients.

Inform clients in writing about your policy on using email and texting, and make sure they understand that their confidentiality may be compromised if they choose to use these methods to communicate with you.

Avoid being the one to initiate text or email communication with a client, unless the client has agreed to this and understands the possible compromise to confidentiality. Document this agreement.

If you do allow clients to communicate with you via email and text, it is a good idea to limit that to appointments and logistics, and avoid engaging in email or text conversations about clinical issues.

A statement such as the following, placed at the end of your email signature, may help your cause if you are ever challenged about allowing a client’s personal information (or even their identity as a client) to be revealed through insecure email.

Confidential Health Information Enclosed: This message is intended for the use for the person or entity to which it is addressed and may contain information that is privileged and confidential, the disclosure of which is governed by applicable law. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this information is strictly prohibited. If you have received this message in error, please notify the sender immediately and destroy this email and all its attachments.

 

HIPAA (Health Insurance Portability and Accountability Act)

Reasons to be HIPAA-compliant

• HIPAA compliance for all clients is required if a therapist communicates electronically about any client.
• It is unlikely you will be able to conduct business without ever using electronic communication.
  
• Most third party payers require HIPAA-compliance.
  
• Other HIPAA-compliant providers and payers are not legally allowed to communicate with you electronically if you are not HIPAA-compliant.
  

Basic HIPAA requirements for a small entity such as a private practice

• Give each client a copy of the Privacy Statement.
• Keep the Privacy Statement on hand in your office, along with other required HIPAA forms, ie the Request to Alter the Record and the Release of Information.
  
• Use reasonable effort and industry standards to keep electronic records safe.