Ethics & the Law Review 2012 Jim Brown, Ph.D. Les Kertay, Ph.D., ABPP Tennessee Psychological...
Ethics & the Law Review 2012
Jim Brown, Ph.D.
Les Kertay, Ph.D., ABPP
Tennessee Psychological Association Annual Convention
Nashville, Tennessee
November 3, 2012
TPA Ethics Committee
• Jim Brown, Ph.D., Chair
• Les Kertay, Ph.D., Chattanooga
• Wyatt Nichols, Ph.D., Memphis
• Ramsey McGowen, Ph.D., Johnson City
• Ed Smith, Ph.D., Chattanooga
• Alice Garland, Ph.D., Nashville
Standard Disclaimer
• This consultation is provided as a service of the Tennessee Psychological Association Ethics Committee. Please be aware we cannot provide legal advice. The information provided in this consult is accurate, to the best of our knowledge, but is not an official position of the Ethics Committee or the Tennessee Psychological Association. You are not required to accept or follow any recommendations given by the Ethics Committee. Ultimately, as a licensed psychological practitioner, you are responsible for your actions.
Agenda
• Federal Laws
• State Laws
• Rules and Regulations of the Board of Examiners in Psychology
• APA Ethics Code
• Technology
• Risk Management
Resource Materials
• APA Ethics Code
• APA website (HIPAA, HITECH)
• Tennessee Code Annotated
  • http://www.tennessee.gov/
  • http://www.lexisnexis.com/hottopics/tncode/
• BOE Rules and Regulations: http://health.state.tn.us/Boards/Psychology/
• Assessing and Managing Risk in Psychological Practice: An Individualized Approach. Bennett, Bricklin, Harris, et al. (APAIT) The Trust.
ASSESSING & MANAGING RISK
Ethics and the Law 2012
Assessing & Managing Risk
• Assessing and Managing Risk in Psychological Practice: An Individualized Approach
• Reviewed an "old" model for risk management
  • focused on adherence to rules and laws
• Identifies a "more advanced model" of risk management
  • affirms the need to know and follow rules / laws
  • recognizes potential conflicts within the "controlling" rules
  • focuses on utilizing "moral principles" of ethics code to resolve conflicts
Knapp and VandeCreek (2005)
• Ethics code does not provide answers to every situation / conflict
  • EC uses terms like "reasonable" or "as appropriate"
  • EC may be silent regarding emerging areas of competence
  • EC does not clearly address conflicts between EC and laws or organizational policy
  • EC does not address conflicts between ethics code standards
  • EC does not prescribe / forbid any "higher" standards
Beauchamp and Childress (2002)
• Principles of Biomedical Ethics (2002)
  • Recent example of effort to identify underlying ethical values
• APA ethics code development driven by similar concept of "underlying principles" (values)
• Effort to identify basic values / principles
Autonomy
• Respect for humans as free moral agents
• Right to decide for themselves
• Free from control of others (including psychological practitioners)
• With sufficient understanding to allow meaningful choice
Beneficence
• Help others
• Do good
Non-Malfeasance
• “Do no harm” intentionally
• Do not impose risks of harm without permission
Justice
• Respect for people's rights
• Respect for laws
• "Fairness"
APA Guiding Principles of the Ethics Code
• Beneficence and Non-Malfeasance
• Fidelity and Responsibility
• Integrity
• Justice
• Respect for People’s Rights and Dignity
Principle A: Beneficence & Non-Malfeasance
• Psychologists try to:
  • benefit those with whom they work
  • do no harm
  • safeguard the welfare and rights of others
  • resolve conflicts, seeking to avoid or minimize harm
  • avoid misuse of professional skills or influence
  • be aware of effect of personal issues on others
Principle B: Fidelity & Responsibility
• Psychologists try to:
  • establish relationships of trust
  • be aware of responsibility to society / community
  • uphold professional standards of conduct
  • clarify professional roles and obligations
  • accept responsibility for behavior
  • avoid exploitation or harm
  • consult, refer, cooperate with others for best interests of clients
  • contribute a portion of professional time pro bono
Principle C: Integrity
• Psychologists seek to:
  • promote accuracy, honesty, and truthfulness
  • not steal, cheat, engage in fraud, misrepresent fact
  • keep promises; avoid unwise or unclear commitments
  • minimize mistrust / harm arising from "ethical" use of deception
Principle D: Justice
• Psychologists:
  • recognize fairness entitles all persons to access / benefits of psychology
  • minimize unjust practices due to bias, limits of competence
Principle E: Respect for People’s Rights & Dignity
• Psychologists:
  • respect the dignity and worth of all people
  • respect the rights of privacy, confidentiality, self-determination
  • seek to protect rights and welfare of those with impaired autonomous decision-making
  • are aware / respect cultural, role, individual differences
  • try to eliminate biases affecting their work
APAIT risk management model
• Focuses on utilizing moral principles when seeking to resolve conflicts between "rules"
• Encourages the process of logical thinking regarding values
• Identifies primary elements of risk management that utilize the principles
  • informed consent
  • Documentation
  • Consultation
• Seek to "maximize adherence to a dominant ethical principle while minimizing harm to competing principles".
APA ETHICS CODE
1.02
• 1.02 Conflicts between Ethics and Law, Regulations, or Other Governing Legal Authority
• Old: "if… ethical responsibilities conflict with law, regulations, other governing legal authority…
  • make known commitment to the ethics code…
  • Psychologists may adhere to the requirements of law… authority."
• New: "… clarify nature of the conflict…
  • take reasonable steps to resolve…
  • Under no circumstances may this standard be used to justify or defend violating human rights."
1.03
• 1.03 Conflicts Between Ethics and Organizational Demands
• Old: "… if conflict…
  • clarify nature of conflict…
  • make known commitment to the ethics code…
  • To the extent feasible, resolve conflict in a way that permits adherence to… ethics code."
• New: "… if conflict…
  • take reasonable steps to resolve…
  • Under no circumstances may the standard be used to justify or defend violating human rights."
Example 1
• Patient with multiple severe health problems, including a number of potentially lethal ones (if not treated). Patient comes to therapy with depression and poor quality of life. Patient chooses to stop taking medications for those health conditions, seriously threatening her life by the decision.
  • What are the relevant ethical codes?
  • What are the relevant laws?
  • What are the relevant ethical principles?
  • What are potential good quality of care / risk management procedures?
Example 2
• You evaluate and begin to treat a new patient. You belatedly realize the patient is the soon-to-be ex-husband of an existing patient.
  • What are the relevant ethical codes?
  • What are the relevant ethical principles?
  • What are potential good quality of care / risk management procedures?
BOARD OF EXAMINERS RULES & REGULATIONS
1180-1-06 Patient Records
• (a) Duty to maintain records
  • every patient
  • every service / consultation
• (b) "Notice" to patients
  • within 30 days of "notice" requirement
  • publication in a newspaper
  • OR
  • posting at practice location
1180-1-06 Patient Records (cont)
• (d) Transfer of Records
  • death or retirement of practitioner
    • all patients seen in last 18 months/2 visits "notified"
    • inform patients copies of record can be sent to new practitioner by patient authorization
  • departure from a practice group (death, retirement, departure)
    • governed by group contract
    • controller of records must do "notice"
    • 18 month / 2 visit rule
    • informed patients of practitioner's new address, opportunity to transfer treatment/records (unless prohibited by contract)
1180-1-06 Patient Records (cont)
• (e) Sale of Psychological Practice
  • ensure transfer of records to practitioner with equal standards of confidentiality
  • "notice" to patients regarding sale
  • patient given opportunity to transfer records to another practitioner
  • 18 month / 2 visit rule
• (f) Abandonment of Records
  • death is not abandonment
63-11-215 requires provisions for security, transfer, and availability of patient records at death
1180-1-06 Patient Records (cont)
• (g) Retention of Records
  • not less than 7 years from last contact
  • incompetent patient records retained indefinitely
  • records of minors: 7 years or age 19 (the longer)
  • no destruction of records while involved in a dispute
• (h) Destruction of Records
  • no record "singled out" for destruction
  • destruction only in the ordinary course of business, by established policy
  • destruction by burning/shredding; maintain confidentiality
  • record time, date, circumstances of destruction
  • maintain record of destruction
1180-1-08 Continuing Education
• 40 hours of CEUs
  • 9 hours: Type I
  • 9 hours: Type I or Type II
  • 22 hours: Type I, Type II, or Type III
• "Jurisprudence and Ethics": 3 hours
  • TCA title 63
  • "AND"
  • BOE Rules and Regulations
  • APA ethics code
• CEUs every 2 calendar years
  • January 1-December 31 PRIOR to renewal date
BOE "policy statement" regarding Jurisprudence and Ethics
• "Jurisprudence" requirement can be met by:
  • reading and discussing with colleagues
  • TCA 63, chapter 11 and BOE Rules and Regulations
  • written statement attesting to "discussion"
  • date, names of licensed individuals in the discussion
  • signed by licensee
  • 1 hour CEU credit (Type III)
  • still need "ethics" CEU (2 more hours)
Documentation of CEU Completion
• keep documentation for 5 years
• prepare summary report annually
• make documentation available to BOE on request
1180-1-15 Advertising and Other Public Statements
• Definition: public statements related to:
  • professional services, products, publications, or to the field of psychology
  • paid or unpaid advertising, printed materials, directory listings, resumes
  • interviews / comments to media
  • statements in legal proceedings
  • lectures / oral presentations
Statements by Others
• Practitioners:
  • who hire others to create/place public statements retain responsibility for the statements
  • make reasonable efforts to prevent others whom they do not control from making deceptive statements
  • make efforts to correct deceptive statements by others
  • do not compensate employees of media in return for publicity
  • identify paid advertisements as advertising (or it is readily apparent)
Avoidance of False or Deceptive Statements
• Practitioners:
  • do not be false, deceptive, misleading, or fraudulent
  • mislead by what they state, convey, suggest, or omit
  • regarding research, practice, work, or affiliation
• Examples: training, degrees, credentials, services, scientific basis, fees, research findings
Media Presentations
• Practitioners' presentations:
  • based on appropriate literature and practice
  • consistent with ethics code
  • recipients not encouraged to infer a professional relationship
Testimonials
• do not solicit from current patients or others vulnerable to undue influence
• In-Person Solicitation
  • Do not do uninvited solicitation of business from actual or potential clients (or vulnerable others)
1180-1-16 Consumer Right-to-Know Act
• Practitioners must report to BOE if:
  • malpractice judgment, award, or settlement of $10,000 or greater
  • any criminal felony conviction
  • conviction or adjudication of any misdemeanor involving:
    • sex, alcohol or drugs
    • physical injury/threat of injury to any person
    • abuse or neglect (minor, spouse, elderly)
    • fraud or theft
1180-2-01 Scope of Practice (Psychologist)
• HSP designation for healthcare services
• Limit services to competence areas (by training, education, supervised experience)
• HSP services:
  • psychological evaluation (abilities, personality, neuropsychological)
  • Diagnosis
  • psychological treatment
  • psychoeducational evaluation, diagnosis, treatment
• Non-HSP services
  • psychological services to business
1180-3-01 Scope of Practice (Senior Psychological Examiners)
• Limit services to competence areas (by training, education, supervised experience)
• HSP services:
  • psychological evaluation
  • Diagnosis
  • psychological treatment
  • psychoeducational evaluation, diagnosis, treatment
• Non-HSP services
  • psychological services to business
1180-3-01 Scope of Practice (Psychological Examiners)
• Without Supervision:
  • limit services to competence areas (by training, education, supervised experience)
  • psychological testing of abilities, interests, personality
  • psychological services to business
• With Supervision:
  • psychological evaluation
  • Diagnosis
  • psychological treatment
1180-2-01 Standards for Supervision
• Supervision must meet minimum identified standards
• Supervisor of record must be made known to the BOE
• Supervisor must:
  • be qualified by experience and training to perform the supervised activity
  • provide supervision on a regular and frequent basis
  • have HSP if supervising health services
  • limit number of supervisees
  • provide supervision separate from administrative supervision
Standards for Supervision (continued)
• primarily on 1-to-1 basis
• other supervision (group, seminar) may be extra
• "considerable" 1-to-1 time for each client
• records maintained by supervisor
  • number of patient therapy hours supervised
  • hours of supervision given (1-to-1)
  • documentation of clients discussed
• no dual relationships (supervisor/supervisee)
• supervisor responsible to provide adequate time and availability
• supervisee also responsible to obtain supervision
• supervision arrangements by mutual agreement
• supervisor may reduce intensity of supervision (based on observed competence)
Standards for supervision time
• Provisional Psychologist licensure (new license, seeking one-year supervision for HSP)
  • 1 hour per week
• "New" Psychological Examiner (less than 5 years experience)
  • 1 hour per week
• "Experienced" Psychological Examiner (greater than 5 years experience)
  • "no less than monthly" (based on judgment of supervisor).
Violations of Scope of Practice
• Claiming expertise, using techniques without education or supervised training
• Knowingly permitting unqualified individuals to perform psychological services
• Failing to adequately supervise trainees or employees
• Deliberately assisting others to violate or circumvent Practice laws or rules
• Providing or claiming to provide health services without HSP designation
TENNESSEE CODE ANNOTATED
TN LAWS RELATED TO THE PRACTICE OF PSYCHOLOGY
63-1-149 Criminal Background Checks
• Any provider under title 63 shall perform a "Registry Check"
• "Do not hire" any offender for "direct patient care"
• State-by-state check in any state lived in for previous 7 years
  • national sex offender Public Registry website
  • adult abuse Registry
• Links to all websites on Department of Health website
• Not applicable to contracted, external staff (no direct patient contact)
63-1-109 Display of License or Certificate of Registration
• Display original / copy of license, conspicuous location
• Sign, 1 inch lettering, name, professional degree, type of license
• Photo ID, name, type of license
  • OR
• Written notification, name, type of license, at initial office visit
• Website: name, type of license
63-1-141 Default on Student Loans
• Practitioners defaulting on student loans guaranteed by:
  • Tennessee Student Assistance Corporation
  • United States Secretary of Education
• Default to result in suspension, denial, or revocation of license
• Payment or entry into payment plan can result in return of license
37-1-605 Child Sexual Abuse Reporting Law
• ANY person (including healthcare professionals) has legal responsibility to report
• "Knows or has reasonable cause" to suspect abuse
• "Shall report"… Child Protective Services or police
37-1-602 Definition: Child Sexual Abuse
• Describes specific illegal behaviors
• On any child under age 13
• On any child 13-17, if committed by:
  • parent, guardian, relative
  • person residing in child's home
  • other person responsible for care and custody
• CPS strongly indicates ANY sexual contact by an adult with child under 18 is reportable
37-1-403 Reporting of Brutality, Abuse, Neglect, Or Child Sexual Abuse
• ANY person (including healthcare professionals)
• Having knowledge of a child suffering / has suffered injury or harm
  • Child: under 18 years old
  • "Injury" can be physical or emotional
• "Shall report"… Child Protective Services, police
33-6-403 Involuntary Admission to Treatment Facility
• Mental illness or serious emotional disturbance
• Immediate substantial likelihood of serious harm because of mental illness
• Person needs care, training, or treatment
• All less restrictive alternatives for treatment are unsuitable or unavailable
33-6-501 Substantial Likelihood of Serious Harm (defined)
• Threat or attempted suicide
• Serious bodily harm inflicted on self
• Has placed others in fear of violent behavior or harm
• Person unable to avoid severe impairment or injury from specific risks
• Substantial likelihood harm will occur if not hospitalized
33-3-206 Duty to Protect
• Duty to warn exists when patient communicates:
  • actual threat of bodily harm
  • clearly identified victim
  • apparent ability to carry out the threat
  • likely to carry out the threat unless prevented
33-3-207
• Identifies options available under "duty to protect"
  • inform potential victim
  • voluntary commitment
  • initiate involuntary commitment
  • pursue other course of action prescribed by professional ethics
71-6-102 and 71-6-103 Elder Abuse Reporting Law
• ANY person (including healthcare professionals)
• Having reasonable cause to suspect abuse of adult
  • adult defined: 18 years old or more
  • unable to manage own resources, ADLs, protect self due to:
    • age (60 or older)
    • mental / physical impairment
• "Shall report"… Adult Protective Services, police
33-6-504 Persons Who May File for Commitment
• Parent, legal guardian, legal custodian
• Spouse or responsible relative
• Physician, mental health care provider, police officer
• Medical facility currently providing care
33-6-402 Detention without Warrant
• For purpose of holding individual for evaluation for commitment
• May take a person into custody without arrest warrant
  • psychologist authorized to do commitment procedures
  • police officer
  • Physician
  • mandatory prescreening agents of mental health center
33-6-404 Certificate of Need for Emergency Tx and Transport
• If patient subject to emergency involuntary admission
  • complete certificate of need (33-6-403)
  • assess patient's clinical need for physical restraint or transportation
  • consult with mandatory prescreening agent
• For Tennessee state facility
  • contact facility to verify available resources (bed)
  • document contact in writing
33-6-406 Transportation of Detainee to Treatment Facility
• Completion of Certificate of Need under 33-6-404
• Provide Sheriff CON prior to transport
• For Tennessee state facility
  • provide Sheriff CON
  • provide Sheriff written documentation of hospital contact/availability
33-8-202 Treatment of Minors (16-17 Years Old)
• Persons 16-17 have the same legal rights as adults for Inpatient and Outpatient mental health treatment
  • Except that:
    • cannot authorize ECT
    • cannot override voluntary inpatient admission by guardian
• 33-6-201
  • Persons 16-17 can seek voluntary inpatient treatment
  • Qualified mental health professional may assist the application for treatment
33-3-112 Minors Access to Records
• Allows access to records for patients 16-17 years old
  • Provider can deny access if release will result in substantial risk of harm
  • limit access only to those parts of record causing risk or harm
36-6-103 Release of Children's Records
• By written request of parent
• Custodial parent, noncustodial parent, legal guardian have access
• Practitioner can petition the court to restrain release, to prevent harm to child
• Applies only to children under age 16
  • HIPAA supersedes for 16-17-year-olds
24-9-101 Deponent Exempt from Subpoena to Trial
• Psychologist, physician, custodian of medical records, and others
• Exempt from subpoena to trial
• Subject to subpoena to deposition
33-6-1001 Declaration for Mental Health Treatment
• Identification of patient instructions and preferences
• Used when patient is expected to be incapable of making mental health decisions at later date
• Can include instructions re care, refuse / permit treatment
• Requires provider to act in accord with declaration
• Provider may withdraw from providing treatment
  • identifies specific procedure for withdrawal
FEDERAL LAWS RELATED TO THE PRACTICE OF PSYCHOLOGY
Red Flags Law
• Protection against identity theft
• Not applicable to practice of psychology!
HITECH
• Breach of Privacy law
• "Breach" requires report to:
  • Patient
  • Health and Human Services
"Breach" Defined
• Acquisition, access, use, disclosure of PHI
• Any violation of HIPAA privacy rule IF:
  • PHI not secured by encryption
  • "significant" risk of harm
• Requires assessment of risk level
  • "significant risk": report to patient / HHS
  • "nonsignificant risk": document, HIPAA, 6 years
  • tell patient if asked
Notification of Patient
• Without unreasonable delay; within 60 days of discovery
• "Discovery": knew or should have known of breach
• Language the patient can understand
• Description of PHI involved
Notification of Patient (continued)
• Recommended steps for patient self-protection
• Steps taken to investigate breach, mitigate harm, prevent repetition
• Provider contact information
• Contact procedures
Notification of HHS
• 500 or more patients: notify HHS immediately
• Less than 500 patients: notify HHS at end of calendar year
• Report site: www.hhs.gov
Miscellaneous Complications
• Involves minors, incapacitated, deceased patients
  • contact "personal representative"
• No available contact information for patient
  • 10 or fewer patients: telephone
  • 11 or more patients: "conspicuous notice"
    • office website
    • local media
    • toll-free telephone number for 90 days
• "Imminent harm": immediate telephone contact in emergency
CPT & ICD
New CPT Codes
• Starting January 1, 2013
• All insurance carriers, including Medicare
• Services underlying new codes will not change
• All health professionals will use same psychotherapy codes
New CPT Codes
• Primary difference:
  • 30 min., not 20-30 min.
  • 45 min., not 45-50 min.
  • 60 min., not 75-80 min
ICD 10-CM
• World Health Organization International Classification of Diseases
• Scheduled start: October 2013
• Mandatory: HIPAA (and HIPAA penalties)
• No "grace period" once implemented
ICD 10-CM
• ICD-9 / DSM-IV overlap
• ICD 10-CM structure is different
  • broad categories of disorders similar
  • category arrangement is different
  • alphanumeric codes are very different
ICD 10-CM
• Training is coming
• Similar to HIPAA training process
• Transition manuals available at CMS website
• http://www.cms.gov/ICD10/Downloads/ICD10SmallandMediumPractices508.pdf
TECHNOLOGY & TELEMEDICINE
Around the World in …
• 4 years, 3 months, 15 days – walking – Dave Kunst 1970
• 3 years, 10 months, 29 days – sailing – Magellan 1519
• 19 days, 21.9 hours – ballooning – Jones/Piccard 1999
• 9 days, 3 minutes – non-stop flight – Yeager/Rutan 1986
• 96.2 minutes – earth orbit – Sputnik 1957
• 0.1336 seconds – Light traveling around the earth
• 18.1 seconds – an electron traveling around the earth at the speed at which it circles a hydrogen atom
So What’s the Big Deal for Psychology?
Telehealth & Health Reform
• Whatever happens, healthcare reform is here to stay
• Shift from deficit/disease to strength/health
• Innovative approaches
  • Accountable Care Organizations
  • Affordable Care Homes
  • Private & public insurance exchanges
  • Telemedicine
• Telemedicine is here to stay
  • Electronic communication is already a part of daily practice
  • Telemedicine is big business
  • 5/10/12, Maryland became the 13th state to mandate telehealth services
Generations
APAIT 2/14/2012
• Adventures on the Electronic Frontier: Ethics & Risk Management in the Digital Era, Jeffrey Younggren, Ph.D., ABPP, Knoxville, TN
• The pitch:
  • Economic realities
  • Exciting opportunities
• The choice:
  • Lead, follow, or get out of the way
• The risk:
  • Boards are conservative by nature
  • New regulation will be slow to develop
  • New legal precedent will be even slower
A Question of Jurisdiction
• Does the electronic transaction take place
  • Where the consumer resides?
  • Where the provider resides?
  • In cyberspace?
What’s the Mission?
• Protect the consumer?
• Regulate psychology and other health providers?
• Provide access?
• Federal law & rules moving toward increased emphasis on “choice” & increasing access
• BOE (including TN) focus on consumer protection & professional regulation
• Which is “right?”
The Trend
• Precedent leaning toward the provider’s intent as the key to jurisdiction
  • Wright v Yackley (1972), 459 F. 2nd (US Court of Appeals, 9th Circuit, 1971): the state of patient residence can assert jurisdiction only when the provider has made a deliberate attempt to promote services in the forum state, or has used the forum state’s laws to advantage
  • Prince v Urban (1996), 49 Cal App 4th (57 Cal Rptr 2d, 181): the consumer sought out the provider, who was in Illinois. The provider’s residence was incidental; in this case the state’s interest should be in assuring access, not protection
The Trend
• Other cases where the forum state has been ruled to have jurisdiction
  • C. Jones v B Williams (2009), 660 F Supp. 2d 1145; 2009
  • Bullion v Gilliespie (5th Cir. 1990) 895 F 2d 213
  • Hageseth v The Superior Court of San Mateo (2007). 150 Cal App. 4th 1399.
Tentative Conclusions
• APAIT:
  • Unless the psychologist is actively promoting services in an interstate manner, forum state boards will be unable to gain jurisdiction
  • Level of marketing unclear; websites probably not promotional
  • Extradition is unlikely
  • “Coaching” clearly defined is probably safer
  • Psychologists who provide services across state lines ARE subject to review by their own state BOE
• BUT
  • BOEs tend to see themselves as consumer protectors, and may act if another state board registers a complaint
TECHNOLOGY INTERFACE
A Provider Checklist
• How much do I know about the technology?
  • Benefits?
  • Risks?
  • Better or safer alternatives?
• How competent am I?
  • Used it before?
  • Trained to use it?
  • Checked the literature?
  • Consulted with others?
• Risks to the psychologist?
• Adapted from Younggren, 2012 - APAIT
A Consumer Checklist
• Is the consumer competent in the technology?
• Is adequate informed consent possible?
• Can technical problems be anticipated/managed?
• How to manage emergencies?
• Risks to privacy?
• Adapted from Younggren, 2012 - APAIT
TECHNOLOGY INTERFACE – RECORD SECURITY
Record Keeping Issues - Resources
• HIPAA Security Act & Federal Regulations
• APA Record Keeping Guidelines
• State Regulations
• Institutional Policy
• Professional Standards
Security Rule Basics
• Trigger: electronic transmission in covered transaction
• Applies only to electronically transmitted & stored PHI
• Designed to ensure PHI is protected
• Provides steps for psychologists
  • Additional issues for group practices
  • More complicated when practice has employees
• 3 types of security standards
  • Administrative standards – office policies, training
  • Physical standards – limiting access to storage
  • Technology standards – privacy/security standards
Implementing Security
• Conduct and document a risk analysis – retain with other HIPAA compliance records
• Identify and document vulnerabilities
• Modify procedures to minimize vulnerabilities and attain compliance
• Document how you have complied
• Periodically review
APAIT Recommendations
• Appoint someone who is responsible (usually the provider)
• Develop specific policies for data access to all devices
  • Include computers, PDAs, cell phones, backups, any other wireless devices
  • Require unique passwords
  • Procedures related to acquiring, modifying, and terminating passwords
  • Limit access to “need to know”
APAIT Recommendations
• Updated virus, firewall
• Automatic backup, stored in a secure location, disaster proof
• Automatic encryption and decryption advisable
• Disk wiping capability
• Lock out system after 3 bad password attempts
• Store PHI in a form that is unalterable/uneditable
APAIT Recommendations
• Screen employees & contractors with access to PHI
• Train all employees in the Security Rule
• Documented
  • Specific sanctions in place for security breaches
  • Specific policies for security breaches
  • Written plan for emergency/disaster recovery
• Access control
  • No public access to storage
  • Specific rules about removing PHI from premises
  • Workstation controls (locking, screen protectors)
  • Policies for decommissioning computers & devices
Enforcement & Penalties
• Complaint driven
• Initial enforcement will be educational
• Fines & civil penalties will be used
• Risk of civil lawsuit if data is lost, stolen, or otherwise compromised
• Licensing board complaints will probably not be a major problem for those making a good faith effort to comply
• That said …
TECHNOLOGY INTERFACE – RECORD KEEPING
2007 APA Record Keeping Guidelines
• Electronic records, like paper records, should be created & maintained to
  • Protect security, integrity, and confidentiality
  • Permit appropriate access
  • Comply with applicable legal and ethical standards
The Clinical Record
• Must include
  • Medication prescription & monitoring
  • Counseling session start & stop times
  • Modality & frequency of treatment
  • Results of clinical tests (including raw data)
  • Summaries of:
    • Diagnosis
    • Functional status
    • Treatment plan
    • Symptoms
    • Prognosis
    • Progress to date
The Digital Record
• Written notes (psychotherapy & clinical record)
• Email communications
• Text messages
• Audio files
• Video files
Encryption
• Protects provider and clients
• If you do not encrypt and you lose PHI, you must inform your clients and HHS. If this involves more than 500 clients, the media must be notified
To Encrypt or Not to Encrypt
• Remember scalable compliance – reasonable?
• Do you have your own policy?
• Is your policy documented?
• Is your electronic data secure?
What is Encryption?
• Conversion of data into a form that is not easily understood by an unauthorized person
• Requires a key to read the data
• Sources:
  • TrueCrypt: www.truecrypt.org
  • BestCrypt Enterprise: www.jetico.com/data-protection-encryption-bestcrypt-enterprise
  • PGP Whole Disk Encryption: www.symantec.com/index.jsp
Backup
• Media
  • External hard drive
  • Flash drive
  • Backup devices (tape, disk, flash)
• Off site storage
  • www.carbonite.com
  • www.mozy.com
  • www.backblaze.com
  • www.ironmountain.com
The Business Associate Contract
• Changed by the American Recovery and Reinvestment Act of 2009
  • Vendors must comply with contracts
  • Vendors must have HIPAA compliant safeguards in place
  • Vendors must report all breaches to provider
  • Vendors must account for all disclosures
  • Vendors must destroy PHI when contract ends
  • Vendors can be disciplined for breaches
TO BOLDLY GO WHERE NO ONE HAS GONE BEFORE
Three Stages of Learning
1. Don’t …
2. If you do, be careful …
3. When you do, here’s how …
• We are at stage 2, as there is insufficient clarity to give you the “how to.” The best we can offer is:
  • Increased awareness of potential pitfalls and obstacles
  • Ideas to consider
  • Guidance where it exists
  • Trends to watch
“Stage 2” Guidance
• Remember that the area is evolving
  • Technology is evolving faster than ethics & the law
  • Changes in health care will drive further innovation
  • Competing agendas (e.g., consumer protection vs. consumer autonomy) will drive much of the conversation
• Good risk management is essential in areas where there is lack of clarity
• APAIT: it is in the best interests of psychology to be an active part of the evolution of telehealth
Water, Water Everywhere …
• Voicemail
• Email
• Text messaging
• Websites
• Blogs
• Social Networking
• Facebook
• Twitter
• LinkedIn
• The beat goes on …
E-Communication Types
Direct Care & Adjunctive Services
• Direct
  • Teletherapy & e-therapy
  • Coaching & consulting
  • Assessment
  • I/O Consultations
  • Forensic work
• Adjunctive
  • Collegial consultation
  • Supervision
  • Psychoeducation
  • Recording of sessions
  • Homework assignments
Administration
• Billing (insurance & otherwise)
• Scheduling
• Record keeping
• Other documentation
Areas of Concern
• Informed consent
• Licensure
• Billing
• Confidentiality
• Application
• Technical issues
• Training & Competency
Video Conferencing
• Skype – is it secure?
• Apple Facetime – is it secure?
• Technical challenges
  • Do you know how to provide security?
  • Resolution/picture & voice quality
  • Reliability
  • Costs
  • Differences from in-person
  • Privacy
Websites
• Benefits
  • Access to information
  • Efficient, cost effective exposure
  • Posting of information for download
• Risk management challenges
  • Purpose – what do you hope to accomplish?
  • Boundaries
  • Blogging is forever
  • Marketing appropriateness
• TN Law requires identification as “Psychologist”
Social Networking
• Professional vs Private Conduct
  • Are the boundaries blurred?
• Challenges:
  • Boundaries
  • Privilege & confidentiality
  • Security issues (Facebook Fans, Friends, and Friends of Friends)
Managing Virtual Relationships
• Do you have an explicit policy about friending, following, tweeting, blog comments? Why or why not?
• Risk management advice (APAIT)
  • Informed consent – be explicit
  • Exchange information only in a secure fashion (telephone, encrypted electronic communication)
  • Consider online relationships as similar to in-person ones with clients and former clients
  • Do not access clients’ personal information with permission
PROFESSIONAL BOUNDARIES IN THE ERA OF THE INTERNET
Boundaries
• Professional boundaries in the era of the internet
  • Glenn O. Gabbard, Kristin A. Kassaw, Gonzalo Perez-Garcia
  • Academic Psychiatry, 35:3, May-June, 2011
• Scope
  • 64.3% of medical students & 12.8% of residents were on Facebook
  • 60% reported incidents of students posting unprofessional content online
  • 13% reported violating patient confidentiality
  • 80% of Facebook users do not actively manage privacy settings
  • Multiple examples of blogs representing patients or the profession in a negative light
Guidelines
• Psychiatrists and other mental health professionals who use social networking sites should activate all privacy settings
• Web searches should be conducted periodically to monitor false information or photographs of concern.
• Do not include the following items in blogs or networking sites:
  • Patient information or other confidential information
  • Disparaging comments about colleagues or patients
  • Any comments on lawsuits, clinical cases, or administrative proceedings (compromise defense)
  • Photographs that might be considered unprofessional
Guidelines (cont)
• If you look up public information about patients, be prepared to manage the consequences
• Avoid being “Facebook friends” or other dual relationships (consider separate profiles for separate roles – but …)
• Assume that nothing is anonymous
• Train students and supervisees in appropriate behavior online
• Develop policies and guidelines – written – including potential handling of breaches
• Include case study examples in training
Questions to Consider
• Is anything private?
  • Do we care?
• Is it possible to avoid dual relationships in a virtual world?
  • Do we care?
• How will you handle the coming electronic world?
  • Do we care?