It is a given that confidentiality is essential in the psychotherapy process. Clients share their secrets, embarrassing information, fears, and the like, specifically for the purpose of receiving needed assistance to overcome their stated difficulties.

Without the promise of confidentiality, many individuals might not be able to establish the trusting relationship needed for psychotherapy to be effective and thus, would not receive the help they need (Younggren & Harris, 2008). The APA Ethics Code (APA, 2010) and each jurisdiction’s licensing laws and relevant regulations make it clear that protecting our clients’ confidentiality is one of our primary obligations. In the APA Ethics Code this is made very clear in the aspirational General Principles and in the enforceable Ethics Standard 4, Privacy and Confidentiality (APA, 2010).

Through the informed consent process psychotherapists inform their clients of all reasonably anticipated exceptions to confidentiality that exist. These include:

the requirement to report the suspicion of abuse or neglect of vulnerable individuals,

the possible requirement to breach confidentiality when a client makes a threat to harm an identifiable victim,

parents’ and guardians’ right to access their minor child’s treatment information,

the right of others to access treatment information when the consent to treatment is provided by a third-party or when treatment is court ordered,

in response to a court order for confidential information, and

any other limits to confidentiality that exist in the psychotherapy relationship (Barnett & Coffman, 2015).

Exceptions to confidentiality are not the focus of this brief article and its accompanying quiz. Rather, the focus is on the steps we take (or should take) in our day-to-day activities to protect and preserve each client’s confidentiality. Knowing which steps to take and to what extent we should engage in them can be quite vexing for psychotherapists. But, fortunately, we are not held to a standard to perfection. Rather, we are held to a reasonableness standard.

This means that we should be guided by what is considered to be reasonable in any given situation and that our actions will be judged in comparison to what colleagues might reasonably be expected to do in a similar situation.

Thus, we should each be familiar with prevailing professional and community standards and expectations (to include the APA Ethics Code, the APA Record Keeping Guidelines, etc.).

Additionally, rather than approach confidentiality from a risk management perspective in which we seek to avoid complaints or law suits, we should follow an aspirational ethics approach in which we seek to do the best we can for our clients in every regard (Handlesman, Knapp, & Gottlieb, 2002).

To assess your confidentiality efforts and practices consider the questions that follow. For each, click on the link next to it for desired responses and additional information to consider.

Take the Confidentiality Practices Quiz [1] Do I have a written policy that addresses how I protect each client’s confidential information and ensure that I and all others in my practice follow it? [2] Have I trained all staff members on confidentiality practices, providing them with regular oversight, and with remediation as may be needed? [3] Is there a glass partition in my waiting room that can be closed when office staff members are discussing confidential information? [4] Are client records ever left unattended and unsecured so that unauthorized individuals may have access to them? [5] Are client records stored in a locked file cabinet? Is the key to the file cabinet kept on a hook on the wall right next to the file cabinet? [6] Consistent with the requirements of HIPAA, have I confirmed with each client, both verbally and in writing, if they want to be able to communicate via cell phone, ensuring they understand the potential threats to privacy that this brings? [7] When returning a client’s phone call to their business or home do I identify myself as the client’s psychotherapist? [8] During the informed consent process do I find out where the client prefers to be contacted and if I can leave confidential messages on their voice mail? [9] Do I discuss my interesting clients with friends, family, or others as a way of relaxing after a tough day? [10] Have I ensured that my office has adequate sound proofing so that psychotherapy sessions cannot be overheard in other offices or in the waiting room? [11] Do I use white noise machines or music in the waiting room to protect each client’s privacy? [12] Are all computers used in my practice encrypted and password protected, with firefall, virus, and malware protection to reduce the likelihood of confidential information being inappropriately accessed or disclosed over the Internet? [13] Do I ensure that my password is my pet’s name or my child’s first name rather than using a minimum of eight random symbols, numbers, and both upper case and lower case letters? [14] Because I have so many passwords to remember (bank, e-mail, insurance, etc.) do I keep my passwords on a Post It note on my computer monitor? [15] Do I participate in FaceBook and other social networking sites so that my computer address book can be disclosed over the Internet and clients’ privacy can be violated? [16] Is my cell phone password-protected and encrypted, and have I enabled the tracking feature just in case the phone is lost or stolen? [17] If in my practice I transmit confidential information electronically, have I familiarized myself with HIPAA’s privacy rule and its security rule and do I follow them? [18] Do I have business associate agreements with all entities I transmit confidential information to and who transmit confidential information on my behalf (e.g., billing companies, answering services, transcription companies) in which they guarantee their compliance with HIPAA’s requirements to protect each client’s confidentiality? [19] Do I regularly bring client records home so I can write up reports and complete clinical documentation? [20] When responding to requests for information do I first seek the client’s consent to disclose the requested information? [21] Even with the client’s consent, do I only disclose the minimum information necessary to achieve the goals of the request for information? [22] Do I discuss clients with co-workers while at lunch as long as I am sure not to be speaking too loudly? [23] Do I use a coversheet when sending faxes, stating that this fax contains confidential information and if it has been received in error the recipient should contact me immediately and they should destroy the fax? [24] When getting rid of old client records do I drop them off at the local recycling center? [25] When using clients as case examples in teaching, training, or supervision, and professional writing, do I adequately safeguard their privacy by altering some details and not sharing too much information about them? [26] When using a collection agency or going to small claims court to collect a fee owed by a client do I ensure that I include the client’s name, address, dates of service, fee owed, diagnosis, and treatment records? [27] When a client discloses to me in a psychotherapy session that she or he has broken the law, do I do my civic duty and notify the police? [28] When I see a client in public with their family or friends do I greet them and introduce myself to those the client is with? [29] If I receive a subpoena for a client’s records from an attorney do I immediately comply and send the client’s record? [30] When a minor client’s parent or guardian contacts me after a session and asks for an update, do I disclose details of my client’s treatment? [31] When doing video conferencing sessions with clients do I use Skype because it is free and so readily available? [32] When communicating with clients via e-mail do I use an encryption program to help protect my clients’ confidentiality?

So, How Did You Do?

While there is no specific passing score to achieve, it is hoped that this brief quiz confirms your good confidentiality practices and that it alerts you to any areas of practice where additional efforts are needed. Protecting each client’s confidentiality to the fullest extent possible is our ongoing professional obligation. Giving adequate attention to it on a daily basis and addressing the issues raised in the quiz above will hopefully help ensure that each client’s expectations for the protection of their privacy are met.

Desired Responses

[1] Yes. I have a written policy that is shared with all new employees and they are required to follow it as part of their employment contract. I address their compliance with these policies in their regular performance reviews.[Go Back to the Quiz]

[2] Yes. Training in confidentiality practices occurs when each employee is hired and on an ongoing basis as their performance indicates. I provide them with ongoing oversight and regular feedback on this important aspect of their job performance.[Go Back to the Quiz]

[3] Yes. I ensure that discussions of confidential information such as phone calls with referral sources, the scheduling of appointments, and leaving voice mail messages cannot be overheard by individuals in the waiting room.[Go Back to the Quiz]

[4] No. All client records are returned to the locked file cabinet as soon as I am done with them. If I need to leave my office, even for a few minutes, and I have records on my desk, I place them in a drawer that I lock and I lock the door to my office on my way out.[Go Back to the Quiz]

[5] Yes. Records are stored in a locked file cabinet. No. The key is not kept in an obvious location where it easily can be found. [Go Back to the Quiz]

[6] Yes. I include this in the written and verbal informed consent process with each client.[Go Back to the Quiz]

[7] No. I ensure that I do not identify myself in a way that discloses my identity or profession. For example, I may say “Hi. This is Jeff Barnett returning Ms. Smith’s phone call.” When asked what this is in reference to, I simply state “I am returning her call.” [Go Back to the Quiz]

[8] Yes. I find out where they want to be contacted (e.g., home, office, cell phone) and if a confidential voice message can be left.[Go Back to the Quiz]

[9] No. Relaxing after a tough day is important, but so is protecting each client’s confidentiality and never discussing clients with others unless specifically authorized to do so. Although, with your clients’ consent a peer supervision/consultation group would be most appropriate. Exercise, meditation, yoga, and massage are good self-care strategies to consider as well. [Go Back to the Quiz]

[10] Yes. I have tested this by having a person speak loudly in my office with the door closed and listening from the hallway, the waiting room, and the offices next door to ensure that conversations with clients cannot be overheard. [Go Back to the Quiz]

[11] Yes. Because some sound from my office can be heard in the waiting room, we have white noise machines outside the door of each treatment room. [Go Back to the Quiz]

[12] I have no idea! I’m not a computer expert, but I think my computer has virus protection software that came with it when I purchased it four years ago. Perhaps I should hire a computer consultant or speak with a colleague who has expertise in this area. [Go Back to the Quiz]

[13] No. For everyone who wants to know, here’s my password: Gv49bH21* [Go Back to the Quiz]

[14] Of course. How do you think I can remember such a long and complex password? Alternatively, the use of an online password management site can be very helpful. They store all your passwords securely in a virtual safe and you just have to remember the one password to the safe (see http://www.pcmag.com/article2/0,2817,2407168,00.asp for a listing and reviews of several of these sites). [Go Back to the Quiz]

[15] Yes. Actually, I also post photos of my clients on my FaceBook page as well as my family photos. [Go Back to the Quiz]

[16] Yes. This is essential for protecting all confidential information. [Go Back to the Quiz]

[17] Yes. Actually, I don’t transmit confidential information electronically, but I follow HIPAA standards anyway since this helps maximize the protection of each client’s privacy. [Go Back to the Quiz]

[18] No. But, this is only because I don’t transmit confidential client information electronically (clients pay by cash or check and I don’t use a billing service). [Go Back to the Quiz]

[19] Yes. It’s tough to get all the paperwork done during the workday. I complete all documentation each evening so that I don’t let too much time pass and forget important information. I leave the client records on my dresser and everyone in the family knows that these are client records so they should never touch them. [Go Back to the Quiz]

[20] Yes. Unless of course if the person calling tells me that it is an emergency situation and they need the confidential information right away. Then, I just release it to the requestor, feeling good about how helpful I am being. [Go Back to the Quiz]

[21] Yes. Although, sometimes I have so much interesting information about my clients that I can share that I just tell them everything I know. [Go Back to the Quiz]

[22] No. Never. I whisper when doing this. [Go Back to the Quiz]

[23] Yes. Also, before sending a fax I check and then recheck the phone number I have punched in on the fax machine before pressing the send button. I also call the intended recipient of the fax to be sure they have received it. [Go Back to the Quiz]

[24] No. While being environmentally conscious is important in general, I have all out-of- date records double crosscut shredded using a HIPAA-compliant business such as SecurShred or PROSHRED. Also, I follow my state’s law to ensure that I do not destroy client records prematurely. [Go Back to the Quiz]

[25] Yes. But, this can be so tough to do. I’ve decided to just make up representative case examples rather than using real clients’ information. [Go Back to the Quiz]

[26] No. Information is kept to a minimum. I do not share diagnoses or treatment information. [Go Back to the Quiz]

[27] No. Psychotherapists do not disclose or report past criminal activity. We follow relevant laws applicable to threats to harm others in the future, but this is addressed in the informed consent process (and doesn’t involve past behaviors). [Go Back to the Quiz]

[28] No. Actually, during the first session I ask clients how they would like me to respond if we happen to meet in public in between treatment sessions. I do as they request and follow their lead in these situations. [Go Back to the Quiz]

[29] No. While I am just as scared of attorneys as the next psychotherapist, I do not disclose any confidential information without first contacting my client and receiving her or his permission to comply with the subpoena. If they decline, I inform the requesting attorney of this and refer her or him to my client’s attorney. [Go Back to the Quiz]

[30] No. This is something we negotiate and work out in the informed consent process so that the parent or guardian knows in advance what types of information I will share with her or him and what types will be kept confidential so that the minor client’s trust will not be violated and so that psychotherapy may proceed effectively. [Go Back to the Quiz]

[31] No. Knowing that Skype is not HIPAA-compliant I only use video conferencing software that is (e.g., SecureVideo, VSee, Vyzit). [Go Back to the Quiz]

[32] Yes. While I don’t use encryption when communicating with clients for administrative purposes (e.g., changing an appointment time), when using e-mail to discuss clinical matters with clients I use encryption software such as LuxSci HIPAA Email, Google Gmail HIPAA, and Aspida Mail. [Go Back to the Quiz]