Privacy in Therapy

In the last decade, the question, “Is therapy private and confidential?” has been challenged by new technology, new cultural demands, and new standards. In my opinion, old school therapists had it easy: they only accepted cash, they took clinical notes with paper and pen (and ineligible handwriting), and they only had IRL (i.e., in-real-life) friends and families to NOT talk to about their clients. Culture and technology has now expanded therapists’ abilities to use electronic health records, hold virtual sessions, contract with insurance companies, accept credit cards, be searchable on online directories, and have a social media presence, all while complicating the demands on maintaining privacy a priority in therapy.

What is the Difference Between Privacy and Confidentiality in Therapy?

Confidentiality is the duty that medical and mental health practitioners have to keep private health information (PHI) secret. This means that anything you share with a therapist must stay between you and the therapist and will only be disclosed to others with the client’s explicit written permission. (There are exceptions based on emergencies and imminent safety concerns, but this is outside of the scope of this article. See here for the details in Washington state.) Confidentiality is both a matter of ethics and law. The ethical standards of privacy are put out by organizations such as APA and AMHCA and the legal guidelines are primarily through the 1996 Health Insurance Portability and Accountability Act (HIPAA).

In contrast, privacy refers to the spirit of how confidentiality is maintained. It may be within the bounds of confidentiality to share PHI with an insurance company, but it makes the experience less private. It may be legal for a therapist to utilize an electronic health record, but then that EHR company must be trusted to follow the same guidelines with that information. An adult client may have signed a release of information, granting their therapist permission to speak to their parent about their concerns, but by doing so, it opens up that data outside of the therapeutic relationship.

Technically, HIPAA only applies to healthcare providers and their business associates who transmit information electronically in regards to health insurance (claims, benefit eligibility inquiries, referral authorization requests). If your therapist does not contract with insurance companies, they are likely not a covered entity and not required to follow HIPAA laws. HIPAA law also only refers to private health information when it includes individual identifiers; things like your name, dates of service, email address, phone number, etc.

With today’s technology advances, it can be difficult to maintain true protection of client’s private information without conscious awareness of where data is going, how it’s being stored, and who has privilege to access it.

Clinical Implications of Privacy

Confidentiality is a foundation aspect of psychology's code of ethics. Psychologists and mental health therapists hold a core value of privacy so that people feel comfortable talking, with the belief that talking is an element of making unconscious material conscious and engaging with brain processes in a way that leads to insight and emotional/relational change.

It is counter-intuitive to say something out loud for the first time without confidence that your therapist won’t be repeating it to someone else. Here is a list of reasons why confidentiality is so valuable to the exploratory and life-changing work in therapy:

• You can say things you don’t mean.
• You can change your mind.
• You can contradict yourself.
• You can say things that are insensitive, selfish, and rude.
• You can talk about wanting to die.
• You can play with different ideas and land in different places.

• You can criticize your partner or your parents even when you really love them.
• You can be wrong.
• You can be the rightest.
• You can disclose to having different feelings about your therapist.
  

Digital Privacy

You may have heard of your digital “footprint;” how your online activity is documented and tracked so that companies can understand online human behavior and utilize this information for various purposes (e.g., marketing, AI development, profit, etc.). This happens by following your clicks and “likes,” your time spent on each webpage, the actions or purchases you make in conclusion of the journey, and combining these actions for patterns of behavior. As more and more data is accumulated and utilized by large companies, it can be wise to consider how your personal is being used with or without your knowledge.

In regards to your mental health journey, you may have used a search engine to understand your symptoms: What is depression? How to heal from trauma? Then you looked for a specialist in those areas: Anxiety therapist; therapist for relationship issues. Then you clicked through different online profiles: learning about their bio, their fees, and their location. Then, you took the action: You emailed them. You filled out an online booking form. All this information is trackable. And in a lot of ways, that can feel ok. But how is this information used? Does it disappear? Is it used to make a profile about you that is used to sell you products for help with the issues you sought help for? Is this help the best solution for you or are you primarily shown solutions based on who can pay the most money in advertising?

We believe your data is valuable and you should be consenting to how your data is being used and protected. ‍

Questions to Consider About Data Privacy

How is your data used?

For large companies and, specifically, e-commerce, understanding a user’s online journey is crucial to marketing and re-targeting. Websites accrue this data through digital trackers, usually Facebook Pixel or Google Analytics. With these digital trackers, the individual website (and subsequently, the larger company, Meta or Google) can log your anonymized data that is used for marketing purposes. This data isn’t protected under HIPAA law because it’s not technically private health information.

GDPR (European) and CCPA (California) have the strongest existing regulations for and why you may see “accept cookies” requests on new web pages, prompting you to opt-in to this process.  consumers.

Who has access to your data?

When a website uses Facebook Pixel or Google Analytics, the larger company (e.g., Meta, Google) also receive the anonymized data.

When a therapist uses an online service (e.g., EHR, email service, they often have the option of signing a Business Associate Agreement (BAA), which restricts the online company from accessing the data by law (and risk of a large fine). Services like Google allow businesses to sign a BAA, making it HIPAA compliant, but many services don’t offer this or they will charge more for these services. Clinicians may not know to opt into this higher level of privacy, risking client information.

This can also make it risky for practices who use certain Customer Relationship Management systems (i.e., CRM) for new client data or referral onboarding because it is storing  PHI (name, phone number) in a manner that is not HIPAA compliant or protective of the client’s data.

How is your data protected?

Online data can be easily hacked. To better protect online data, consider the following practices:

• Use strong passwords that differ between accounts.
• Use 2-Factor Authentication so that if someone figures out the password, they would need another form of authentication to actually access the account. Surprisingly, many therapy-focused services do not know to prioritize these privacy measures. Many electronic health record services don’t even have the option for 2-Factor Authentication.
• Use end-to-end encrypted communication services

Third Party Privacy - Insurance

There are some instances where a third party may be involved in clinical material. The primary is insurance. In my opinion, there is a big difference between being in-network with insurance companies and submitting out-of-network (OON) claims.

Being in network with an insurance company provides the insurance company with the power to dictate length of sessions, the frequency of sessions, the setting of session (virtual or in person), the length of the therapeutic relationship, the issues that are treated, and the type of therapeutic approach. They also require treatment plans to be created and shared to assess medical necessity for treatment and can require an audit of your clinician’s treatment notes to assess progress. Many clinicians indicate that insurance companies do not abuse their power to control treatment and feel like it provides ethical access to care for many individuals who could not afford treatment without it.

When a clinician is out of network, they can provide you with a superbill that provides the minimal details the insurance company needs to know about the service (e.g., service code, diagnosis code, date of service, clinician’s address and tax information) in order for the client to receive partial reimbursement based on their specific plan. The insurance company is never privy to session content or type of therapeutic approach.

In regards to privacy, the main difference I see between in-network and out-of-network is the level of access an insurance company has to information about the client or the clinical work. When in-network, the insurance company effectively has a right to the content and practice of therapeutic services. It opens up their access to knowing details that, in my opinion, are not necessary for them to know. And from a privacy perspective, now more people have access to the information, begging the above questions about digital privacy - how is this data protected, how is it used, and who can access it? Insurance companies are covered entities under HIPAA but with the degree of power and money involved it can be difficult that they will not be influenced to make decisions without the client’s best interest in mind.

Text and Video Chat Therapy Platforms

If you’ve existed online within the last year, I can nearly guarantee you’ve heard an advertisement for platforms like Talkspace and BetterHelp. These companies are primarily subscription services to provide access to therapists through their website or mobile app for virtual or text-based therapy. While I am glad therapy is becoming less stigmatized and more accessible, I have serious doubt that these platforms are providing more benefit than harm.

My primary concern with companies like Talkspace is privacy concerns and the increasing evidence that they sell your anonymized data to improve marketing. There is precedent for mental health apps transmitting data without disclosure to the user and use this information to market to you. So, theoretically, you may use an app to discuss your depressed mood and then you are targeted by pharmaceutical companies selling your anti-depressants. The studies indicating the range of impact are new and show us that these practices are not well-regulated.

We don’t know for sure what’s happening to your data. But we do know that Cerebral is undergoing a lawsuit for “overprescribing ADHD medications and failing to report patient data breaches.” We know that Talkspace is a publicly traded company valued at 1.4 billion dollars with a primary concern for their shareholders (not the client or therapist) and is being investigated in a class action lawsuit due to fraudulent misrepresentations of business practices. And we know that BetterHelp’s publicly traded parent company, Teladoc, recently partnered with Amazon to integrate telehealth services with Amazon Alexa and Echo devices.

My main concerns with online therapy apps on principle:

• They pay an exuberant amount of money to affiliate partners for referrals to their services.
• They underpay therapists (averaging around $30/hr and extremely dependent on number of text-based clients you take on).

My main concerns with online therapy apps for effective therapy:

• Texting is not the same as talk therapy and is minimally researched. I am not aware of any accredited school or program in the U.S. that provides training on how to provide text therapy.
• Therapy is fundamentally effective due to the therapeutic relationship and it is difficult to develop one without consistency and reliable contact.

Relational Psych Truly Cares About Confidentiality and Privacy.

We believe that your trust in your therapist and the business operations should be earned. There should be high standards, and we should be able to explain to you what we do and why we do it.

Your therapist does not share what you say in session with anyone except for these limitations:

• Your therapist take notes for the clinical record in our EHR (see below). We keep notes general and minimal.
• There is a record of your appointment times, financial record, and paperwork in our EHR.
• If your therapist is under supervision, they do review their cases with their supervisor to provide optimal care. This includes a review of clinical notes and verbal discussion. Sometimes it may include review of video recording, only with your explicit written permission. The supervisor follows the same guidelines of confidentiality.
• Your therapist is in a Relational Psych consultation group to grow as a clinician and get support. They use pseudonyms when talking about you and will change identifying information in order to protect your identity. If additional information may be beneficial to share in consultation, they will seek out your explicit permission. All participants in consultation follow the same guidelines of confidentiality.
• Your therapist may fill out paperwork when you request it. We prioritize giving you documentation directly and empowering you to share it with or keep it private from people based on your discretion.
• We're bound by ethics and law to keep people physically safe, and confidentiality may be broken when there is imminent risk of harm.

Currently, Relational Psych does not contract with any 3rd party for referrals or payment. We are not contracted in network with insurance companies. We do not do single-case agreements. This limits our referrals and also some people’s access to our care, and thus is something that our leadership is persistently contemplating as the right balance of benefits and costs.

We are listed on directory sites like Psychology Today, Good Therapy, and Therapy Den and you are encouraged to consider those privacy policies before messaging directly through directory listings.

While we are not necessarily a covered entity under HIPAA, Relational Psych follows all HIPAA regulations.

We keep client data in as few places as possible. We chose services because they require 2-factor authentication (2-FA), they are HIPAA compliant, and they have the option for end-to-end encryption (in addition to having the functions we need).

• We use PracticeQ (also referred to as IntakeQ) for scheduling, billing, intake paperwork, and documentation. We require 2-FA for all users and have both a BAA (US regulations) and GDPR (EU regulations) signed. We prioritize sending client files and reports within PracticeQ instead of email since it has stronger end-to-end encryption. PracticeQ’s privacy policy is here. We take legally required clinical notes and do not store psychotherapy notes with any identifying information.
• We use Square for credit card processing, integrated with PracticeQ, and clinicians do not receive access to the card information. Square's  privacy policy for consumers is here and their privacy policy for Square sellers and website viewers is here.

• We use Google workspace for email, writing (reports and letters), and internal systems. 2-FA is required for all users and we have a BAA signed. We also use Google Meet for video sessions so that sessions are held within the same privacy standards and we do not involve an additional company for service. Links for how Google manages an organization's security and privacy is here.

• We use Spruce for our client messaging (phone/text/fax). Spruce’s privacy policy is available here. Currently, Spruce messaging is encrypted on our end and clients have the option of downloading the app to make it encrypted both ways. You have the option of using Spruce for video sessions instead of Google Meet if you are more comfortable with their privacy policy.

‍Update 8-30-2022: We do currently use Google Analytics and Plausible for our website analytics. We’d like to move entirely away from Google Analytics to further protect personal data, but at this time in growing our practice, Google Analytics provides invaluable information for our ad campaigns that we currently cannot replicate in Plausible. We do not utilize Facebook Pixel for data tracking on our website.

We’ve installed additional sound protection in our office and use sound machines to decrease sound transfer. We only hold virtual sessions in private spaces and require you do the same.

We have a care coordinator, Virtual Ally, LLC who fields our new client inquiries, schedules new clients, sends out intake paperwork, and supports ongoing clients with administrative concerns like superbills. Ally and her team also provide administrative support for our podcast, blogs, and social media. They do not interact with any clinical material past the first consultation call. We chose to work with Virtual Ally because they value the principles of privacy and client care in the same way we do. Ally and her team use 2-FA, a password manager, and a VPN to add an extra layer of security to their business. By having Ally as our administrator, we are able to maintain more consistent methods (which leads to less chaos and less risks to information breaches) and help more people. If you have reservations about starting therapy because you don’t want to talk to two people when talking to one is hard enough, please let us know. While we do value maintaining consistent procedures, we want to be accessible to people who value privacy like we do.

We have made exceptions for clients who do not want any digital record of their time in therapy. This means in-person sessions, cash transactions, paper notes, and paper intake paperwork. We have limited capacity to do this, but are open to accommodating these concerns if it eliminates a barrier to treatment. Please contact me, Dr. Claney, with this request. I am rarely available to live-answer phone calls and only return calls for those who leave voicemails. I am primarily available via email.

In Summary

There are a lot of wonderful outcomes, a lot of good, from technology and digital advances.

I’m not afraid of new things. But with newness comes the demand to think critically about the meaning, the risks, and the implications of the change. It takes a lot of intention to think well about these ideas and to make decisions for the business that honors our values and supports our practice. I’m proud of the work we do and these policies that prioritize our clients over profit. I hope you feel empowered in the choice you have to opt in to companies that align with your values and opt out of contributing to ones that don’t.

Do you have a suggestion for how we practice or think about these issues? Please email me at drclaney@relationalpsych.group.