Monday, March 20
PROTECT: Telehealth Security, Safety, and Stewardship (Part 1)
This article is intended to help you better understand how to Protect the Profession. If you have insight on legislation and advocacy that supports the social work profession, please consider contributing an article! Submit your article proposal online here.
This is the first of a two-part article on providing telehealth services. To get involved with the formation of a new Telehealth Shared Interest Group (SIG) with the NASW-Illinois Chapter, click here.
The National Association of Social Workers (NASW) and the Association of Social Work Board (ASWB) have Standards for Technology and Social Work Practicethat define the use of technology in social work practice as, “[A]ny electronically mediated activity used in the conduct of competent and ethical delivery of social work services. The use of modern information technology to deliver services (PC, laptop, tablets, cell phones, storage modalities, etc.).”
Telehealth practice—sometimes referred to as telemedicine, tele psych, or e-health—includes any form of distance or Internet-mediated treatment, as well as any use of e-mail, texts, or cell phones to receive, communicate, or store information.
The NASW Code of Ethics and the NASW/ASWB Standards for Technology and Social Work Practice require social workers to provide appropriate informed consent, protect client privacy and confidentiality, and obtain the skills necessary for competent and ethical practice. Due to the fact that telehealth utilizes electronic communication, practitioners must also meet privacy and security criteria under the Health Insurance Portability and Accountability Act (HIPAA). Under HIPAA, a covered entity is any individual, organization, or corporation that directly handles Personal Health Information (PHI) or Personal Health Records (PHR).
The HIPAA Privacy Rule protects most “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or medium, whether electronic, on paper, or oral. The Privacy Rule calls this information protected health information (PHI). Protected health information is information, including demographic information, which relates to the following:
- the individual’s past, present, or future physical or mental health or condition,
- the provision of health care to the individual,
- the past, present, or future payment for the provision of health care to the individual and that identifies the individual, or for which there is a reasonable basis to believe it can be used to identify the individual.
Protected health information includes many common identifiers (e.g., name, address, birth date, Social Security Number) when they can be associated with the health information listed above. (www.HHS.gov)
Covered entities are responsible to ensure compliance with HIPAA when they create, store, maintain, or transmit clients’ individually identifiable health information. (www.HHS.gov) Clinicians may be risking a breach of information if the electronic means of providing telehealth services are not properly safeguarded.
Security, safety, and stewardship are the foundational principles of telehealth practice.
- Security of all information on every device including: computers, lap tops, hard drives, external hard drives, discs, flash/thumb drives, other storage devices, cloud services, tablets, phones, faxes, printers, etc.
- Security of all information with all associates providing services including: billing, scheduling, accounting, data storage, legal, professional consultation, etc.
- Safety of clients: appropriate assessment and treatment, accurate diagnosis, adequate emergency and crisis plans, etc.
- Stewardship:Ethical practice, commitment to clients, appropriate informed consent, competency, fulfilling fiduciary duty.
The following standards outline these principles.
(a) Social workers should provide services to clients only in the context of a professional relationship based, when appropriate, on valid informed consent. Social workers should use clear and understandable language to inform clients of the purpose of the services, risks related to the services, limits to services because of the requirements of a third-party payer, relevant costs, reasonable alternatives, clients' right to refuse or withdraw consent, and the time frame covered by the consent. Social workers should provide clients with an opportunity to ask questions.
(b) In instances when clients are not literate or have difficulty understanding the primary language used in the practice setting, social workers should take steps to ensure clients' comprehension. This may include providing clients with a detailed verbal explanation or arranging for a qualified interpreter or translator whenever possible.
(c) In instances when clients lack the capacity to provide informed consent, social workers should protect clients' interests by seeking permission from an appropriate third party, informing clients consistent with the clients' level of understanding. In such instances social workers should seek to ensure that the third party acts in a manner consistent with clients' wishes and interests. Social workers should take reasonable steps to enhance such clients' ability to give informed consent.
(d) In instances when clients are receiving services involuntarily, social workers should provide information about the nature and extent of services and about the extent of clients' right to refuse service.
(e) Social workers who provide services via electronic media (such as computer, telephone, radio, and television) should inform recipients of the limitations and risks associated with such services.
(f) Social workers should obtain clients' informed consent before audiotaping or videotaping clients or permitting observation of services to clients by a third party.
(a) Social workers should provide services and represent themselves as competent only within the boundaries of their education, training, license, certification, consultation received, supervised experience, or other relevant professional experience.
(b) Social workers should provide services in substantive areas or use intervention techniques or approaches that are new to them only after engaging in appropriate study, training, consultation, and supervision from people who are competent in those interventions or techniques.
(c) When generally recognized standards do not exist with respect to an emerging area of practice, social workers should exercise careful judgment and take responsible steps (including appropriate education, research, training, consultation, and supervision) to ensure the competence of their work and to
Standard 4. Technical Competencies (NASW Standards for Technology and Social Work Practice)
Social workers shall be responsible for becoming proficient in the technological skills and tools required for competent and ethical practice and for seeking appropriate training and consultation to stay current with emerging technologies.
Standard 7. Privacy, Confidentiality,
Documentation, and Security (NASW Standards for Technology and Social Work Practice)
Social workers shall protect client privacy when using technology in their practice and document all services, taking special safeguards to protect client information in the electronic record
(c) Social workers should protect the confidentiality of all information obtained in the course of professional service, except for compelling professional reasons. The general expectation that social workers will keep information confidential does not apply when disclosure is necessary to prevent serious, foreseeable, and imminent harm to a client or other identifiable person. In all instances, social workers should disclose the least amount of confidential information necessary to achieve the desired purpose; only information that is directly relevant to the purpose for which the disclosure is made should be revealed.
(l) Social workers should protect the confidentiality of clients' written and electronic records and other sensitive information. Social workers should take reasonable steps to ensure that clients' records are stored in a secure location and that clients' records are not available to others who are not authorized to have access.
(m) Social workers should take precautions to ensure and maintain the confidentiality of information transmitted to other parties through the use of computers, electronic mail, facsimile machines, telephones and telephone answering machines, and other electronic or computer technology. Disclosure of identifying information should be avoided whenever possible.
The Illinois Mental Health and Developmental Disabilities Confidentiality Act outlines the legal criteria for valid informed consent:
(740 ILCS 110/) Mental Health and Developmental Disabilities Confidentiality Act
(a) Except as provided in Sections 6 through 12.2 of this Act, records and communications may be disclosed to someone other than those persons listed in Section 4 of this Act only with the written consent of those persons who are entitled to inspect and copy a recipient's record pursuant to Section 4 of this Act.
(b) Every consent form shall be in writing and shall specify the following:
(1) the person or agency to whom disclosure is to be made;
(2) the purpose for which disclosure is to be made;
(3) the nature of the information to be disclosed;
(4) the right to inspect and copy the information to be disclosed;
(5) the consequences of a refusal to consent, if any; and
(6) the calendar date on which the consent expires, provided that if no calendar date is stated, information may be released only on the day the consent form is received by the therapist; and
(7) the right to revoke the consent at any time.
It is ethically and legally insufficient to simply approach informed consent as an administrative procedure. Informed consent needs to be conceptualized “as a moral obligation rather than a procedure to meet legal or policy requirements. Informed consent is, at its core, about morality—about reducing or alleviating suffering or harm of people. It should be understood as a duty, an expression of social work values, and an act of advocacy for human rights.” (Reamer, 1993)
“Consent is a process that includes a systemic disclosure of information to a client over time, along with an opportunity to engage in dialogue with the client about forthcoming treatment and service.” It is central to client empowerment, involvement in decision-making, and protection of their rights. (Reamer, 1993)
The ethical responsibility is to provide a full informed consent process as part of a relationship rather than as a checklist to meet policy requirements. A standardized informed consent form completed during intake, a billing office, or a waiting room with administrative staff will not meet the moral obligation of the social worker. (Kaplan & Bryan, 2009)
Providing ethical informed consent in telehealth practice involves the implicit assumption that practitioners must be aware of the following:
- customary technological precautions necessary for privacy and confidentiality, and
- limitations on its use and how to utilize appropriate safeguards to protect clients’ confidentiality and meet clinical needs according to professional standards.
It is the practitioner’s responsibility to have educated themselves and sought out appropriate consultation in order to put in place every safeguard available to protect client confidentiality. How can social workers appropriately discuss the risks and benefits or limits to confidentiality if they do not have a thorough understanding of each system themselves?
Is there the highest level available of encryption on all devices including storage devices? Do all associates have HIPAA Business Associates Agreements (BAA)? Do you understand how and where associates store data? What are the limitations and risks inherent in each device utilized for communicating, receiving, and storing information? Do you know who else has access to the information client’s devices?
Paternalism occurs when a professional: (1) believes that her action is for the client’s good, (2) acknowledges that the action will violate at least one moral rule, thus requiring justification, (3) knows she does not have the client’s permission either in the past, present, or immediate future to take the action, and (4) acknowledges that the client believes (possibly incorrectly) that she knows the best choice for herself. (Abramson, 1985)
Most social workers believe in self-determination and would never intentionally behave paternalistically with clients. Nevertheless, providing services without meeting the necessary criteria for informed consent is paternalistic. The social worker has decided they know what would be “good” for the client without allowing the client to fully understand the risks/benefits and participate knowingly in the decision-making process. The action violates several “moral” rules as well as Illinois law. The client believes she has made “the best choice for herself” while unaware she lacks key pieces of relevant information.
Abramson, M. (1985). The autonomy-paternalism dilemma in social work practice. Social Casework, 66, 387–393
Kaplan, L.E., & Bryan, V. (2009). A Conceptual Framework for Considering Informed Consent. The Journal of Social Work Values and Ethics, 6(3).
Reamer, Frederic G. The Philosophical Foundations of Social Work. 1993.