It is easy to fall into the trap of thinking of digital security concerns as “the HIPAA stuff.” In fact, our professional ethics require us to address digital security just as much as any state or federal law does.
The difference is that HIPAA provides extensive standards for accomplishing digital security. Professional associations have, thus far, provided only limited guidance in their ethics codes, and some have added more in the form of official guidance documents. These guidance documents and ethical standards are helpful, but they simply don’t have the depth of standard-setting that HIPAA does.
Here are some small examples of ethics codes addressing digital security in mental health practice:
It is the therapist’s or supervisor’s responsibility to choose technological platforms that adhere to standards of best practices related to confidentiality and quality of services, and that meet applicable laws.
AAMFT Code of Ethics, 2015, 6.3
Counselors use current encryption standards within their websites and/or technology-based communications that meet applicable legal requirements. Counselors take reasonable precautions to ensure the confidentiality of information transmitted through any electronic means.
ACA Code of Ethics, 2014, H.2.d Security
This Ethics Code applies to these activities across a variety of contexts, such as in person, postal, telephone, Internet, and other electronic transmissions.
Ethical Principles of Psychologists and Code of Conduct (“APA Code of Ethics”), 2010, Introduction and Applicability
Social workers should take reasonable steps to protect the confidentiality of electronic communications, including information provided to clients or third parties. Social workers should use applicable safeguards (such as encryption, firewalls, and passwords) when using electronic communications such as e-mail, online posts, online chat sessions, mobile communication, and text messages.
NASW Code of Ethics, 2017, 1.07 (m)
…All electronic therapeutic communication methods shall use encryption and password security.
NBCC Code of Ethics, 2016, 54
The citations chosen above are not a thorough exploration of the ways in which those professional associations cover digital security. However, they illustrate that the associations do address the topic and that they do so at a more “broad strokes” level of guidance than HIPAA does.
Contrast those ethics code citations with this passage from the beginning of HIPAA’s Security Rule:
…Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
45 CFR §164.306 (a)
The Security Rule goes on to define an extensive set of standards that covered entities must follow or address in order to be in compliance.