HIPAA: Setting Ethical Client Boundaries

In the last section, we discussed three concepts that focus on the HIPAA guidelines related to minors. These three concepts related to HIPAA guidelines on minors include: autonomy; State Law vs. HIPAA; and exemptions.

In this section, we will examine three risks in which ethical boundaries could be broken due to the sharing of HIPAA approved information on the internet. These risks for boundary breaking due to the sharing of HIPAA approved information on the internet include: nationwide database; hackers; and errors in correspondence.

3 Risks of Sharing Information on the Internet

♦ Risk #1 Worldwide Database
The first risk posed by the internet to ethical boundaries is a nationwide database. This database requires the entry of personal and private information which can be accessed by government agencies, bureaucrats, pharmaceutical companies, private insurance companies, police agencies, foreign government officials and others without the authorization of the client and sometimes despite a client’s objections.

As of 2004, transfer of information and Medicare and Medicaid insurance billing are required in compatible electronic formats, so the earlier system of paper documents no longer applies, although this system proved to be more difficult for unauthorized personnel to access.

The question then becomes, what is the definition of "privacy?"

Even though these records are not readily accessible to the public, the idea that they are actually accessible to anyone at all becomes a great concern for many clients. Some clients are afraid that they might have to pay higher fees if their insurance company finds out they are depressive. Others just do not feel comfortable with the idea that anyone can look at their records, regardless of the exact information shared.

Erica, age 38, was diagnosed as being schizophrenic. She learned about the database from an article on the internet. Erica developed extremely paranoid delusions in which the government was watching her every move. Obviously, the knowledge of the new database worsened her condition, and eventually, she refused to attend sessions because she believed that I worked for the people who were after her.

Although Erica is an extreme case, I have also heard from other clients who know about the database, that they do not feel their interests are being considered. Because of this, the therapist-client relationship becomes strained and some serious and essential information is not shared during a session.

Think of your clients. How would they react if they knew of the nationwide database?

♦ Risk #2 Hackers
The second risk posed by the internet to ethical boundaries is hackers. Now more than ever, in a moment's time, a hacker can steal a person’s information and learn the most specific details about social security numbers and other statements.

For example, the confidential records of thousands of patients were stolen from the University of Washington Medical Center in 2001. And in Philadelphia, from the Drexel University College of Medicine's database, 5,000 neurosurgery patients records were accessed last year. Even Microsoft and the Pentagon, with state of the art computer security systems, were recently victims of hackers.

In general, the better the security system, the more adept hackers become at breaking codes. As long as there is information to steal, computer-savvy hackers will try to get at it, as long as it benefits them financially. Although there are measures clinicians and others can take to prevent a system breach (firewalls, access-control servers, encryption, etc.), there is no foolproof system to guarantee that the nationwide database will not be breached.

In addition to hackers, the databases may not be safe even from the people with legitimate access to them. In the medical world, for instance, a public health worker gave two newspapers a computer disk with 4,000 names of HIV-positive individuals. A banker called due the mortgages on cancer patients after cross-referencing information he obtained as a county health board member.

Although these are technically medical instances, as you can see, the same could easily happen in the mental health circles as well. Most especially, clients who suffer from pedophilia or sex addictions may become targets of a malevolent and illegal manhunt into mental health records. Think of your clients. Would any of them feel unsafe if their information was shared illegally with the general public?

♦ Risk #3 Errors in Correspondence
In addition to the nationwide database and hackers, the third risk posed by the internet to ethical boundaries is errors in correspondence. Electronic information can be sent to the wrong place, or the wrong information may be sent. The sheer volume of transmissions translates one simple mistake into thousands of cases misplaced or misdirected.

Glitches occur within a company's computer system leading to unintended dissemination of proprietary information. Just one simple mistake can result in the inadvertent and illegal sharing of documentation that otherwise would have been kept private. On top of this, legal retribution for damages caused by negligent failure to secure confidential information is practically nonexistent.

Under the new privacy rule, the public has no recourse to sue for the inadvertent sharing of private documentation. HIPAA threatens penalties for noncompliance with security regulations, but if hackers or others obtain private information and an individual is harmed, the option to sue has been removed. Instead, the client can only complain to the Department of Health and Human Services, who can hardly take legal action themselves when no clear definitions exist. Not only that, but also the large number of instances of negligent behavior resulting in illegal documentation disclosure makes it near impossible for an individual to gain any attention or retribution.

Think of your electronic data base. What precautions do you take to avoid such a situation?

In this section, we discussed three risks in which ethical boundaries could be broken due to the sharing of HIPAA approved information on the internet. These risks for boundary breaking due to the sharing of HIPAA approved information on the internet include: nationwide database; hackers; and errors in correspondence.

In the next section, we will examine three changes in ethical boundaries in regards to the disclosure of raw test-data. These three test-data boundary changes include: shift in standards; effects of HIPAA; and protecting test security.

Peer-Reviewed Journal Article References:
Nielsen, B. A. (2015). Confidentiality and electronic health records: Keeping up with advances in technology and expectations for access. Clinical Practice in Pediatric Psychology, 3(2), 175–178.

Richards, M. M. (2009). Electronic medical records: Confidentiality issues in the time of HIPAA. Professional Psychology: Research and Practice, 40(6), 550–556.

Pierce, B. S., Perrin, P. B., & McDonald, S. D. (2020). Pre-COVID-19 deterrents to practicing with videoconferencing telepsychology among psychologists who didn't. Psychological Services. Advance online publication.

Raja, S., Rabinowitz, E. P., & Gray, M. J. (2021). Universal screening and trauma informed care: Current concerns and future directions. Families, Systems, & Health. Advance online publication.

Rigg, T. (2018). The ethical considerations of storing client information online. Professional Psychology: Research and Practice, 49(5-6), 332–335.

Ethics CEU QUESTION 5
What are three risks in which ethical boundaries could be broken due to the sharing of HIPAA approved information on the internet? To select and enter your answer go to Ethics CEU Test.