Therapy Ontario online / Toronto therapists and counsellors

Ethical hazards when psychotherapists use technology
updated November, 2016. Another update at the end, February, 2020.

Originally written for PrOSPect, the journal of the Ontario Society of Psychotherapists, by Beth Mares RP with assistance from Liz White, Silvana Bazet and Mike Mares.

OOPS!
Avoiding privacy breaches in the digital age

Because the ubiquity of new technology has made psychotherapists vulnerable to inadvertent breaches of privacy and other ethical breaches, the OSP's 2010 AGM passed some updates to our Standards of Practice to help us minimize our exposure to these hazards. Here is some information to help you with compliance.

Privacy

Telephones: If you or your psychotherapy client, supervisor or supervisee uses a cordless phone, the signal can be picked up by a third party. If you lose your cell phone, any client phone numbers or text messages on it can be accessed by someone else.

Email: Unless you, the client, and anyone to whom an email may be forwarded all use encryption, an email can be read at various points in its journey from sender to recipient.

Data storage: Unless special measures are taken, any stored emails (including your replies in the Sent Mail file), client lists, typed reports, session notes, etc. can be read by someone left alone with your computer (e.g., the computer repairman), stolen by a virus that infects your computer, or read by Google and who knows who else. Deleted data can potentially be recovered from an old computer that has been "wiped clean".

Online sessions by instant messaging or video: Don't use Skype. Use a platform that conforms to legislation regarding the privacy of medical records.

Other potential ethical breaches

Legal issues in distance counselling: Therapists may unwittingly practice without insurance or break the laws of another province or jurisdiction.

Social networking sites: Boundaries could be crossed.

How to stay out of the quicksand?

Here are some suggestions:

Encrypted email can be obtained from www.hushmail.com and several other websites that you will find if you do a search for "free encrypted email". Most potential clients don't have it at this point, but if you have it you could recommend that people who plan to do cybercounselling by email with you get it. Gmail is now also encrypted in transit. Most email providers, including gmail and hushmail, use servers located in the U.S., however, so their email traffic is subject to surveillance by the U.S. government under the Patriot Act.

Don't add "psychotherapist" or your website address to the automatic signature on your emails. Be careful what you say in an email, especially a work email, even if the client says it's totally private. It isn't. If you are sending the same email to several clients, make sure you send separate emails so that you don't disclose anyone's name or email address.

Encrypt your psychotherapy practice data, and keep it separate from personal data (or encrypt both). You can encrypt the hard drive using Bitlocker if you have Windows 7 Enterprise or Windows 10 Pro. (Windows XP is no longer supported by Microsoft and should not be used). Otherwise use free encryption software such as Veracrypt, https://veracrypt.codeplex.com/. (If you are currently using Truecrypt, replace it with Veracrypt, as it is no longer supported). Some people keep client data on a USB (flash drive) instead of on their hard drive, but the data is easily destroyed by static electricity, and a USB is tiny and easily lost.

Maintain control of all client data through an efficient filing system and delete records (e.g., emails), when you no longer need them. Do not retain client material for your own purposes (e.g., teaching, writing a book) without the client's written permission. You may wish to re-read our Standards of Practice document's recommendations about what records to keep for seven years. Check the draft regulations for the College of Psychotherapists, too--the period might be longer.

Don't discard or give away your computer without physically destroying any hard drive that has unencrypted confidential material on it.

If you have to take your computer in for service by the nice young man who might be your client's nephew, therapy client or warring neighbour, you can delete the confidential data off it first--so long as you have carefully backed it up.

Have top of the line, up-to-date virus and malware protection--McAfee, Symantec, Malwarebytes and Kaspersky have good reputations; and be careful about opening attachments, as they could contain malware if they come from an infected computer.

Instead of Skype, use Vsee or another platform that is compliant with privacy legislation.

Professional insurance for distance counselling varies. Some plans do not cover it at all. Our OSP plan covers psychotherapy and counselling by phone, email and instant messaging when the client is located in Canada, or if located elsewhere, is a permanent resident of Canada. Virtually all states in the U.S., and Quebec and Ontario in Canada, require that therapists practicing there be licensed in the state or province. There have been some court cases about this, and in most cases it has been deemed that the therapy takes place where the client is.

If you have a personal page on Facebook or another social networking site, make sure that it is thoroughly privatized and not available to search engines. Then remember that nothing on the internet is totally secure, and don't put up the pictures of your stag or stagette, unless it was an unusually sedate affair. Do not "friend" clients or ex-clients from your personal site. It's fine to have a professional site and accept "friend" requests from clients on that. (This advice comes from the American Medical Association, who kindly allowed us to read their as yet unpublished guideline.)

Some limitations to privacy will remain despite our impeccable vigilance. We need to make the clients aware of them. Some therapists discuss them in the first session, or when arranging the first appointment. Putting it in writing may give added protection. You can add information about the limits to confidentiality to your intake form/ informed consent, and/or you can put it with your contact information on your website. It's also good to let clients know that they are welcome to ask how you handle record-keeping and other matters that affect privacy.

Good luck!

2020 update--now there's another hazard!

If you (or your client) has Siri, Alexa or one of their pals installed, conversations can be unwittingly recorded and conveyed over the internet. There are some third party apps that will use them to eavesdrop on you, too. It won't happen if your phone is turned off--unless there is some malware on your phone that makes it seem to turn off and continue to record. For more information about how to prevent recording, see https://www.groovypost.com/howto/stop-google-assistant-siri-cortana-alexa-active-listening/

Copyright © 2010 Beth Mares, updated November, 2016.