Technology & Security Practices

HOW I PROTECT ELECTRONIC DATA

The following statements regarding confidentiality and privacy align with the NASW, ASWB, CSWE, & CSWA Standards for Technology in Social Work Practice (written by the National Association of Social Workers, Association of Social Work Boards, Council on Social Work Education, and Clinical Social Work Association); and are in compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) federal laws.

All clients’ personal (protected) health information (PHI) or electronic personal (protected) health information (ePHI) is collected, managed, stored, and disposed of in a secure and confidential manner. This includes identifying information that is transmitted, maintained, shared, and stored via any means, such as electronic, hard copy, or verbally. Reasonable steps are taken to ensure that information remains private, in accordance with multi-level regulating bodies’ laws, i.e., federal and state government, including the Office of the Professions New York State Education Department, which is my New York State professional licensing board.

This website is HIPAA compliant. Information is gathered and stored in a cloud that only I, the therapist, can access. Any third party, for example, the webhost, email provider, or video host, is contractually bound to ensure reasonable steps be taken to ensure the confidentiality and privacy of all of my clients’ ePHI.

The video host for online therapy sessions is also HIPAA compliant and is bound by its own contract with me to ensure that reasonable steps be taken to ensure the confidentiality and privacy of all of my clients’ ePHI.

My email provider is HIPAA compliant, and is contracted with me to provide reasonable steps to ensure the confidentiality and privacy of all of my clients’ ePHI. I have a professional email account, separate from my personal email account to ensure integrity of private communications and ePHI.

My professional phone is separate and apart from my personal phone. It is designated specifically for professional use with clients and related therapy practice business. This is in adherence to reasonable efforts to maintain confidentiality and privacy of PHI.

Although all clients’ personal information is gathered, managed, and stored in compliance with federal and state laws, there is a chance of a breach due to circumstances beyond my control, such as hacking. Should even the possibility of a breach in confidentiality occur, all third parties (such as the webhost, email provider, video host) are lawfully obligated to inform me immediately. At that time I would, in turn, inform all of my clients, in writing and/or via telephone communication, of any potential security breaches.

I routinely implement risk management assessments in my practice, and make changes as needed, to ensure that I am providing reasonable steps to maintain my clients’ confidentiality, and to ensure that my management of PHI and ePHI is updated as necessitated in accordance and in compliance with federal and state laws, my New York State professional licensing board’s rules and regulations, and my social work professional organizations’ rules, regulations, and standards.

BENEFITS AND POSSIBLE RISKS OF USING ELECTRONIC THERAPY SERVICES

I am bound by my profession’s ethical standards to inform you of the benefits and possible risks of using electronic social work services.

Benefits

  • Ability for clients to access psychotherapy services when they may otherwise not be able to go to an in-office therapy session. For example, in the following situations:
    • Travel challenges due to unavailable transportation
    • Travel challenges due to inclement weather
    • Homebound individuals due to physical illness or disability
    • Time challenges due to primary care status for children or adults in their home
    • Unavailable therapists within proximal distance
  • Ability to be flexible around clients’ schedules.
  • Assistance with clients’ time management goals, due to reduction in travel to a physical office.
  • Cost-effective delivery of services.
  • Ease of communication.
  • Ability to rapidly respond to clients.
  • Ability to monitor clients in real-time, when appropriate.

Possible Risks

  • Potential for technology failure and interruption of services.
  • Potential for confidentiality breaches, for example, hacking or electronic information unintentionally sent to the wrong person.
  • Potential for unauthorized use or use for unethical purposes.
  • Clients’ possible challenges with adeptness and comfort level when using technology.
  • Possible higher cost of technology.

SOCIAL MEDIA POLICY

In accordance with my profession’s ethical standards, I am providing the following information to you regarding social media interactions between myself and my clients (prior and current). Please note when the word “client” is used herein, it refers to current and prior clients. Social media is electronic interaction that can be communicated to massive amounts of people. Social media can roughly be described in the following categories.

  • Social networks. Examples: Facebook, Twitter, LinkedIn
  • Media sharing networks. Examples: Instagram, Snapchat, YouTube
  • Discussion forums. Examples: reddit, Quora
  • Bookmarking and content curation networks. Examples: Pinterest, Flipboard
  • Consumer review networks. Examples: Yelp, Zomato, TripAdvisor
  • Blogging and publishing networks. Examples: WordPress, Medium
  • Social shopping networks. Examples: Polyvore, Etsy, Fancy
  • Interest-based networks. Examples: Goodreads, Houzz, Last.fm
  • “Sharing economy” networks. Examples: Airbnb, Uber
  • Anonymous social networks. Examples: Whisper, After School

Social Media may not protect your privacy and is considered to be public communication. For this reason it is my duty to inform you of risks to your confidentiality and privacy when using social media.

How I Use Social Media in My Therapy Practice

I do not use social media in my therapy practice. If, at some point, I begin to blog, for example, via my website, Facebook, Twitter, or YouTube, etc., clients will be able to access these communications privately. Please note:

  1. I will never request your email address for the purpose of a mass distribution of information. That would be a breach in your Electronic Protected Health Information (ePHI).
  2. If I begin to use social media professionally, I will never post identifying or confidential information about my clients in any form.
  3. I will never ask a client to sign up for, or use, a social media application in their communication with me, or in any other context related to me. This is true in professional and personal contexts.
  4. I also request that my clients do not seek me out, professionally or personally, via social media applications. If a client does seek me out, for example requests to friend me, all requests will be refused, denied, and/or ignored. I do not initiate interaction with my clients via social media.
  5. I will never interact with my clients via social media, either professionally or personally.
  6. If it is discovered that my client and I participate in the same online social media group, or share the same “friend,” I request that my client ignore my presence by not friending me, not reading my posts, and not reacting/responding to my posts. I will also honor these requests in regard to my client and client’s posts.
  7. I will never ask a client to review my business services on social media, or on any forum. If any reviews are identified on the World Wide Web, the consumer review was not set up, initiated, or maintained by me. Any and all consumer/business review listings are not authorized by me and will be ignored by me.

The above seven measures protect the integrity and efficacy of the therapeutic relationship between my client and myself, as well as protect the privacy and confidentiality of my client and of myself.

THERAPIST & CLIENT ELECTRONIC COMMUNICATION POLICY

Email. I request that clients who desire to communicate with me via email, use my designated professional and HIPAA compliant email address, or contact me via my HIPAA compliant website email link. I request that these interactions remain professional and relevant.

Text Messaging. I request that clients who desire to communicate with me via text messaging, use my designated professional and HIPAA compliant text messaging application, and that texting is kept to a minimum in both frequency and text length. Lengthier communications would be better served via email or phone communication.

Mobile Phone Communication and Smartphone Applications. I do not store your phone number in my mobile phone. If your phone number shows up in my cell phone’s history of phone calls, it is not attached to your name or any other identifying information. My professional mobile phone is locked and secured. Its screen is set to lock after 5 seconds of inactivity. It is my policy to not share information through smartphone applications with my client, even if the application helps my client work towards a goal. I encourage my clients to use smartphone applications when appropriate and to verbally share findings with me if desired.

ELECTRONIC DATABASE AND INFORMATION GATHERING POLICY

Electronic Search Engines. I do not use search engines to seek information about you. A rare exception might warrant this behavior in the case of a crisis, if I have reason to suspect that you may be in danger to yourself or others and I have exhausted other resources. Should this occur, I will document this search in your clinical record and discuss it with you soon after. Please refrain from using search engines to seek personal information about me.

PRIVACY MEASURES FOR CLIENTS

By entering into an online therapeutic relationship with me, you are agreeing that any breach on the user end in privacy and confidentiality in relation to services that I provide to you, frees me from all liability. Please note that I do not have control over how you gather, manage, and store your ePHI. The following are some helpful tips on how you can secure your privacy when using technology.

  • Conduct therapy sessions in a private location where others cannot hear you.
  • If someone enters your location during the session, acknowledge them so that I will know that there is someone else in the room.
  • Only use devices and internet services that you trust are secure.
  • Password protect your computer, tablet, phone, and any other device with a password that is unique.
  • Use full disk encryption on any computer and/or device you use.
  • Always log out of your sessions.
  • Do not have any software remember your password. Sign in every time.
  • Do not share your passwords with anyone.
  • Do not share your computer when you are logged in to any counseling software.
  • If you wish to avoid others knowing that you are receiving therapy services, clear your browser’s cache (browsing history), and on your phone list your therapist by a name rather than as “counselor” or “therapist”.
  • Have all of your devices set to time out requiring you to sign back in after a set idle time.
  • Keep your computer updated.
  • Use a firewall and antivirus program.
  • Do not record sessions.
  • Do not download or store information off of your client portal. However, if you decide to, only store information on an encrypted file.
  • Use secure video conferencing technology.
  • If texting, only use a secure texting application.
  • Notify me if you suspect any breach in your security.
  • When online, do not log in as an administrator.
  • Using your own Router/Access Point
    • Only use a secure network for internet access using a WPA2 security key.
    • Use your own administrator ID and password (not the default) for your router or access point.
    • Choose a custom SSID name, not the default name.
    • Limit the range of your Wi-Fi by positioning it near the center of your home.
  • For more information on securing your mobile device visit: http://www.healthit.gov/providers-professionals/how-can-you-protect-and-secure-health-information-when-using-mobile-device

The effective date of this Notice is June 2019.