Ethical Electronic Record Keeping

Catherine Biesecker - Ethics Committee Member

During the COVID-19 pandemic, psychologists largely moved to online platforms for telehealth, but their electronic health records (EHRs) are not necessarily following suit. As of 2021, psychiatric hospitals were using EHRs at a 46% rate, compared to their general medicine and surgical practice peers, who use EHRs at a 96% rate (Filbin, 2021). One advantage of moving to EHRs is that they can improve interdisciplinary coordination of health care by making records easy to transfer to other providers (Filbin, 2021). However, sharing electronic records can put clients’ privacy and confidentiality at risk (Filbin, 2021; Richards, 2009). There are several legal and ethical considerations to keep in mind, both for psychologists who are already using EHR systems and for those who are considering adding one to their practice.

Legal Considerations

The Health Insurance Portability and Accountability Act (HIPAA) was created in 1996 both to bolster health insurance coverage and to prevent fraud and abuse in health care. HIPAA includes the “Privacy Rule,” guidelines for protected health information (PHI). As we know, PHI such as client names, phone numbers, and any other identifying information is protected by the provider or entity providing the care and may be released only to specific parties involved in the client’s care, with client consent (Summary of the HIPAA Privacy Rule, 2003). Therefore, psychologists need to monitor how much information they include in EHRs when collaborating, in order to maintain appropriate privacy and confidentiality for clients.

Ethical Considerations

There are several stipulations in the APA ethics code (APA, 2017) specifically about record keeping as it relates to both privacy and confidentiality. Each is translated into simpler language in Table 1 below; together they emphasize that record keeping is an important part of psychologists’ ethical duty in practice. However, some of these ethical obligations may be difficult to balance. Specifically, psychologists must keep records in a form that facilitates their transfer later down the road while also keeping those records confidential, which is a difficult task. Without guidelines, a psychologist may struggle to do so.

In sum, the APA ethics code (APA, 2017) highlights that psychologists have an ethical obligation to carefully consider every step of the record-holding process and how they are protecting confidential client information, as confidentiality and privacy are inherently important ethical rights for our clients. While the APA ethics code states which aspects of record keeping are covered, it does not detail best practices for carrying them out, nor does it delineate how these may differ from one medium, such as paper, to another, such as electronic.

We look to APA published guidelines and applicable publications to identify ethical considerations unique to electronic records management. There is an ethical advantage to using an EHR in that the sharing of client information can improve diagnostic accuracy and quality of care through the coordination of health care providers (APA Practice Organization, 2013). However, the fact that records are being transferred between different organizations inherently increases the risk that clients’ confidential information is wrongly delivered or stolen (APA Practice Organization, 2013). Therefore, using interdisciplinary electronic systems may increase the risk that clients’ information is released to parties they have not consented to, violating ethics code standard 6.02 (APA, 2017; Layman, 2020). There is also an increased risk of mistakes or theft with online records as psychologists adjust to the new technology (Layman, 2020). Therefore, psychologists need to carefully consider how much personal information should be included in their notes, even if it has been de-identified, and take thorough steps to protect clients’ information.

Table 1. Applicable APA Ethics Codes (each entry gives the ethics standard, the quoted text of the standard, and a code summary in simpler language)

Ethics Standard 4.01
Quote: Psychologists have a primary obligation and take reasonable precautions to protect confidential information obtained through or stored in any medium, recognizing that the extent and limits of confidentiality may be regulated by law or established by institutional rules or professional or scientific relationship.
Code Summary: Confidential information should be carefully protected whether it is on paper or electronic. When doing so, consider the limits of confidentiality.

Ethics Standard 6.01
Quote: Psychologists create, and to the extent the records are under their control, maintain, disseminate, store, retain, and dispose of records and data relating to their professional and scientific work in order to (1) facilitate provision of services later by them or by other professionals, (2) allow for replication of research design and analyses, (3) meet institutional requirements, (4) ensure accuracy of billing and payments, and (5) ensure compliance with law.
Code Summary: Records need to be carefully handled at each step of the process, for several important reasons.

Ethics Standard 6.02(a)
Quote: Psychologists maintain confidentiality in creating, storing, accessing, transferring, and disposing of records under their control, whether these are written, automated, or in any other medium.
Code Summary: When considering a records management system, each part of that system (the control, maintenance, dissemination, storage, retention, and disposal of confidential information) should be considered.

Ethics Standard 6.02(b)
Quote: If confidential information concerning recipients of psychological services is entered into databases or systems of records available to persons whose access has not been consented to by the recipient, psychologists use coding or other techniques to avoid the inclusion of personal identifiers.
Code Summary: Confidential information should be coded when records are shared with someone whose access the client has not consented to.

Ethics Standard 6.03(c)
Quote: Psychologists make plans in advance to facilitate the appropriate transfer and to protect the confidentiality of records and data in the event of psychologists’ withdrawal from positions or practice.
Code Summary: Make plans to carefully protect confidentiality in case of withdrawal from practice.

Recommendations

HIPAA’s three pillars for securing protected health information are administrative safeguards, physical safeguards, and technical safeguards (Ives, 2014). Administrative safeguards are focused on security policy compliance and procedures. Physical safeguards include protecting physical access to protected health information on both hardware and software. Technical safeguards are the data protection and information systems in the organization’s network. The table below lists several recommendations to consider, organized by these three pillars and collated from a narrative review of existing measures (Clemens et al., 2017).


Administrative

Policies

  • Review your organization’s existing protective policies.
  • Attend regular security trainings.
  • Hire a professional to conduct an annual audit.
  • Design contingency plans if protected health information is leaked.
  • Schedule regular password changes for you and your colleagues every 3-6 months.

Minimize information

  • Carefully consider what needs to be included and what doesn’t in PHI.
  • Consider who could access the PHI.
  • De-identify PHI whenever possible.
  • Minimize transfer of PHI off site.
  • Do not use wireless devices to transfer PHI.

Physical

Computer access

  • Consider how often you leave your unlocked computer unattended.
  • Change your computer settings to auto-lock if inactive after a short period.
  • Consider not bringing your laptop on trips to minimize risk of losing it.
  • Consider installing security cameras.
  • Do not connect to public wi-fi when accessing PHI.

Technical

Safe passwords

  • Ensure your passwords differ from account to account.
  • Leave out any reference to first name, last name, birth dates, and phone numbers.
  • Use a combination of random symbols, upper and lowercase letters and numbers.
  • Use multi-factor authentication.
  • Use a password manager (e.g., a password-locked Excel sheet with your passwords).

Protection

  • Use encryption, especially for emails.
  • Use firewalls.
  • Use approved anti-virus software.
  • Do not retain PHI longer than necessary.
  • Ensure you double-delete PHI when possible.

Note. PHI = protected health information
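As an added example (not part of this article, the APA ethics code, or any cited guideline), the following Python script shows one way to apply the “coding or other techniques” of standard 6.02(b) and the “De-identify PHI” recommendation before a record leaves the practice. A keyed HMAC turns a client identifier into a stable code that only the key holder can link back to the client; pattern matching replaces direct identifiers in free-text notes with placeholders; and a final check reports anything the patterns missed. The key, client name, identifier, and progress note are constructed sample values, and the regular expressions cover common US phone, date, and e-mail formats only, so they are a first pass before a person reviews the note, not a replacement for that review.

```python
import hashlib
import hmac
import re

# Constructed example key. In practice this secret stays with the psychologist or
# practice (for example in a key store) and is never stored or sent with coded records.
CODING_KEY = b"constructed-example-key-not-for-real-use"

# Constructed sample progress note containing direct identifiers.
SAMPLE_NOTE = (
    "Client Jane Doe (DOB 4/12/1988, cell 555-123-4567, jane.doe@example.com) "
    "reported improved sleep. Doe will return next week."
)

# Patterns for common US phone numbers, M/D/YYYY dates, and e-mail addresses.
PHONE_RE = re.compile(r"\b(?:\+?1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}\b")
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}/\d{2,4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def client_code(client_id: str, key: bytes = CODING_KEY) -> str:
    """Return a stable pseudonymous code for one client.

    HMAC-SHA256 under a secret key means the same client always gets the same
    code, so records stay linkable for the treating provider, while a recipient
    without the key cannot reverse the code or test guesses against it, which a
    plain unkeyed hash of the name would allow.
    """
    normalized = client_id.strip().lower().encode()
    return "C-" + hmac.new(key, normalized, hashlib.sha256).hexdigest()[:12]


def deidentify_note(note: str, client_name: str, client_id: str) -> str:
    """Replace direct identifiers in a note with placeholders and the client code.

    Pattern-based redaction runs first so the generated code is never touched;
    the name is then replaced as a whole and part by part, case-insensitively.
    """
    out = EMAIL_RE.sub("[EMAIL]", note)
    out = PHONE_RE.sub("[PHONE]", out)
    out = DATE_RE.sub("[DATE]", out)
    code = client_code(client_id)
    for part in [client_name] + client_name.split():
        out = re.sub(r"\b" + re.escape(part) + r"\b", code, out, flags=re.IGNORECASE)
    return out


def residual_identifiers(text: str, client_name: str) -> list:
    """Check a de-identified note before it is shared.

    Returns every remaining e-mail, phone, date, or name fragment as (kind, value)
    pairs; an empty list means the patterns found nothing, which is the point at
    which a person still reads the note for identifiers the patterns cannot see.
    """
    found = []
    for label, pattern in (("email", EMAIL_RE), ("phone", PHONE_RE), ("date", DATE_RE)):
        found.extend((label, m.group(0)) for m in pattern.finditer(text))
    for part in client_name.split():
        if re.search(r"\b" + re.escape(part) + r"\b", text, flags=re.IGNORECASE):
            found.append(("name", part))
    return found


if __name__ == "__main__":
    shared = deidentify_note(SAMPLE_NOTE, "Jane Doe", "jane-doe-001")
    print(shared)
    print("residual identifiers:", residual_identifiers(shared, "Jane Doe"))
```

Run as a script, it prints the coded note and an empty residual list. The key is the part that matters for 6.02(b): whoever holds it can re-link a code to a client, so it belongs with the practice’s other credentials, never in the shared record or the collaborating organization’s system.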



References

Clemens, S.K., Smith, B., Vanderlinden, H., & Nealand, A. (2017). Security techniques for the electronic health records. Journal of Medical Systems, 41(8), 1-9. https://doi.org/10.1007/s10916-017-0778-4

Filbin, P. (2021). Behavioral health providers falling behind in EHR adoption, critical to participate in value-based care. Behavioral Health Business, accessed on 3/1/2023.

Ives, T.E. (2014). The new 'E-Clinician' guide to compliance. Audiology Today, 26(1), 52–53.

Richards, M. (2009). Electronic medical records: Confidentiality issues in the time of HIPAA. Professional Psychology: Research and Practice, 40(6), 550-556. https://doi.org/10.1037/a0016853

Summary of the HIPAA Privacy Rule. (2003). http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/privacysummary/pdf