CE credits: 1
Exam items: 10
Learning objectives: After completing this course participants will be able to:
1. Explain relevant guidelines and ethical standards affected by new technological threats.
2. Clarify differences between government, corporate and individual threats to client privacy and confidentiality.
3. Recognize potential methods to mitigate risk and unintended breaches of client records.
From pen to keyboard
In 1965, Intel Corporation co-founder Gordon Moore successfully predicted that circuit technology would double every two years and lead to exponential growth while reducing the size of everything. This became known as Moore’s law. Since then, personal computers and smartphones have become ubiquitous and nearly 3 billion people have Internet access. This pervasive accessibility affects both practitioners and clients. Today, communication with a client can occur via text and/or email. Metal file cabinets have evolved into encrypted digital containers. Record keeping can be entirely digital.
In response to this revolution, over the years U.S. agencies have sought to provide legislative frameworks for the proper handling of private information. Among them is the Health Insurance Portability and Accountability Act (1996; HIPAA), which sought to increase the accessibility of medical records while maintaining confidentiality. The law calls for health providers to “maintain reasonable and appropriate administrative, technical and physical safeguards” when using electronic health information (HIPAA, 1996).
In 2003, the Department of Health and Human Services (HHS) provided security standards for health-care providers, including psychologists, who transmit private health information. The standards mandate that providers must take precautions to prevent a breach of data and that they conduct risk analyses. These regulations also apply to providers’ business associates — practicing psychologists who operate with insurers must follow HIPAA’s privacy and security rules and ensure that their business associates do so as well.
In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) formalized business associate liability and offered stricter regulations for using client records. This law placed the burden of security on a business associate to meet security and privacy requirements. In addition, business associates are expected to provide notifications of any breaches to the entities they cover and are subject to civil and criminal penalties for the misuse and/or loss of data. For practitioners, this means if they sign a business agreement with a business associate to store client records or materials in a cloud environment, the associate must meet

APA’s record-keeping guidelines
While APA’s Ethics Code provides ethical principles and standards for psychologists, it does not provide specific record-keeping guidelines. That guidance comes from APA’s “Record Keeping Guidelines” (2007), which highlight the many interactions that practitioners have with the health-care system and federal regulations, such as HIPAA. For this article, we are particularly interested in guidelines 3, 6 and 9 (of 13), which focus on the topics of security, privacy and confidentiality:
Guideline 3 deals with confidentiality of client records. This recommendation states that practitioners should be aware of the regulatory and legal requirements that involve records.
Guideline 6 outlines the security measures that psychologists should engage in to protect those records. If practitioners create physical records, they should protect them with key and cabinet. If they use digital records, practitioners should properly secure them.
Guideline 9 informs practitioners on the use of electronic records. APA analogizes electronic to physical records and states that practitioners should be concerned with the use of e-mail and other communication tools because of the possibility that they can be seen by others.
These guidelines are not enforceable; they only offer guidance to practitioners.
Unfortunately, neither the federal government nor APA has proffered specific steps that should be taken to increase privacy and confidentiality to meet the challenges created by today’s technology. The current guidelines only state that practitioners should use “passwords, firewalls, data encryption and authentication” (APA, 2007, p. 998). Although these recommendations would better secure systems, they do not establish directions and specific methods for creating secure passwords, activating firewalls or using data-encryption techniques, and they do not explain what authentication
Welcome to ‘CE Corner’

“CE Corner” is a continuing education article offered by the APA Office of CE in Psychology. This feature will provide you with updates on critical developments in psychology, drawn from peer-reviewed literature and written by leading psychology experts.

To earn CE credit, after you read this article, purchase the online exam at www.apa.org/education/ce/1360395. Upon successful completion of the test — a score of 75 percent or higher — you can immediately print your CE certificate. The test fee is $25 for members and $35 for nonmembers. The APA Office of CE in Psychology retains responsibility for the program. For more information, call