Week 6 – Assignment: Develop Public Organizations' Risk Mitigation Practices and Week 7 – Assignment: Develop an Administrative Policy Email


1 Managing Risk

Aligning Technology Use With the Law, Ethics Codes, and Practice Standards

Risk management may be derived from law, professional standards, the individual institution's mission, and public relations strategies, and is expressed through institutional policies and practices (Brock & Mastroianni, 2013). When it comes to running a technologically and ethically sound practice, psychologists, psychiatrists, and other mental health professionals must do some homework. They must have an up-to-date understanding of (a) statutes such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA); (b) codes of ethics and professional guidelines that define the clinical standard of care, as well as how to manage risk; and (c) the specific vulnerabilities associated with all types of eHealth technology used in the practice, from record-keeping to technology-assisted interventions. This chapter provides an overview of some of the fundamental issues to consider when incorporating technology into a mental health practice. Some specific legal issues, such as licensing in multiple jurisdictions, are discussed in Chapter 2, which also contains illustrations of how to maintain privacy and a safe environment in the clinic.

http://dx.doi.org/10.1037/0000085-002 Using Technology in Mental Health Practice, J. J. Magnavita (Editor) Copyright © 2018 by the American Psychological Association. All rights reserved.

Steven A. Sobelman and John M. Santopietro

Copyright American Psychological Association. Not for further distribution.


The Challenge of Ethical Practice in the Information Age

Many mental health professionals, especially those trained before the millennium, have often had a head-in-the-sand response to technology, either avoidance or a tendency to accept only minimal responsibility for the risks associated with technology use. Although paper records and simple security measures (e.g., locked file cabinets) may work for some, there is a steady march toward more inclusion of technology in our work. For those who have ventured into such advances, the accompanying security risks and concerns are ever more complex. We know that increased use of information technologies has created risks to the privacy of individuals (Drummond, Cromarty, & Battersby, 2015). This also applies to the privacy of patients in a mental health care setting. While it's true that new technologies are always emerging and new vulnerabilities are always being created—and that specific references in this chapter will likely be dated within a year of publication—the approach we recommend to "stay current" provides a steady frame to address a constantly changing ethical and regulatory landscape.

FALSE SENSE OF SECURITY

It is easy to get lulled into a false sense of security when it comes to using electronic devices or the Internet for your practice. As software interfaces become better designed and more intuitive, what used to be a steep learning curve has flattened out. Faster Internet speeds and broader bandwidth allow us to effortlessly upload video, eligibility requests, et cetera to the cloud, where data can live until we call it up. Our computers don't "blue screen" often, like they did decades ago; wireless connections work fine most of the time. Thus, we are lulled into thinking that hacks will happen to others and not to us. Some other poor therapist or health system will have to notify the government about the breach affecting their patients' Protected Health Information (PHI; United States Department of Health and Human Services, 2013), but we are covered. After all, we had our IT pro install antivirus software when she set up our new system 5 years ago. All we have to do is set it up and forget it, right? Wrong!

Mental health practitioners are increasingly using electronic means for communicating, recording, and storing data. Data breaches should be of concern to all practitioners, especially mental health clinicians who deal with highly confidential and potentially very damaging information. Many health providers, including those who specialize in mental health, keep patient e-mails and text messages, contact information, billing records, and schedules in an environment that is ripe for hacking ("Largest Healthcare Data Breaches of 2016," 2017).

Are you guilty of this too? Before we get to specifics of the law, ethics, and practice standards, let's spend a few minutes going over three basic types of security measures that all professional therapists need to put in place for their practice and monitor on a regular schedule. In information security these are known as physical, administrative, and technical controls. Within each category there are also preventive, detective, and corrective methods of control.

Physical Controls

Physical security controls are the most basic of security systems and include the locked file cabinet example above. They are what we use to control availability and physical access to sensitive information, ensuring that

unauthorized persons are excluded from physical spaces and assets where their presence represents a potential threat. All types of computers, computing devices and associated communications facilities must be considered as sensitive assets and spaces and be protected accordingly. Examples of physical security controls are physical access systems including guards and receptionists, door access controls, restricted areas, closed-circuit television (CCTV), automatic door controls and human traps, physical intrusion detection systems, and physical protection systems. Administrative and technical controls depend on proper physical security controls being in place. (Yau, 2013)

Although it is not likely that the costs of extreme measures such as “human traps” would outweigh the benefits at a typical mental health private practice, many of the other controls listed above are just good common sense.

Administrative Controls

Administrative controls are the practices and procedures around all work that is performed in an office or virtual environment. Some examples include having clear operating hours and after-hours response systems in place for service continuity, an ongoing training and education schedule for all employees, and basic "good housekeeping" such as having clear sign-on procedures, backing up data on a nightly basis, and keeping equipment in working order. Phones should be password protected and any patient names stored in the device's built-in system should be limited (e.g., to first names and a last-name initial). Examples also include having emergency management plans in place, and screening and alert systems that trigger further assessment (e.g., for suicide risk) or reporting (e.g., mandatory reporting of suspected abuse). Administrative controls additionally spell out expectations for all employees regarding the maintenance of their own health and their daily preparedness to work in a patient care environment. Finally, "administrative controls are the process of developing and ensuring compliance with policy and procedures. They tend to be things that employees may do, or must always do, or cannot do" (Northcutt, 2013, para. 3).

For the most part, administrative controls are intended to limit the effects of human error on ethical practice. Human error is the most likely cause of data breaches and malware propagation. Many of us have heard stories of laptops or USB drives with sensitive data being lost or stolen. Sending a fax or an e-mail to the wrong address, clicking on a phishing link, and other mistakes can lead to data breaches, with potentially harmful results. Avoiding these types of errors requires education and awareness about the potential mistakes that can be made with various devices and software. To minimize mistakes, you might, for example, implement a system for error interception, such as a buffering system that holds outgoing messages for a short delay before they are sent, so that a wrong address or a wrong attachment can be caught and the message recalled. When an employee is terminated, there should be a clear list of steps that are routinely followed: "disable their account, change the server password, and so forth" (Dulaney, 2014, para. 10). All communications should include a statement of the communication's confidential nature and the limits of privacy; this will not prevent a breach by itself, but it discourages patients from replying over insecure channels and documents that they were warned. Although some errors cannot be corrected, practitioners still have an obligation to track them to see where there may be faults in the system that need correction.
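The "buffering system" and wrong-address interception described above, as an added example written for this page (it is not code from the chapter authors or from any product they mention): every outgoing message is held for a recall window, a recipient that is not in the practice's verified contact directory is blocked before release, and each released message carries the confidentiality statement. The five-minute hold, the directory entries, and the three sample messages are constructed assumptions.

```python
"""Added example (not from the chapter authors): an outbound hold queue.

Implements three of the administrative controls the text describes: a delay
before sending during which the sender can recall a message, a check that the
recipient is an address the practice has on file (catches typos and
autocomplete slips), and a confidentiality statement on every message that
leaves. Hold length, directory entries and sample messages are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

HOLD_WINDOW = timedelta(minutes=5)  # assumed recall window

CONFIDENTIALITY_NOTICE = (
    "This message contains confidential health information intended only for "
    "the named recipient. E-mail is not a secure channel; if you received this "
    "in error, notify the sender and delete it."
)


@dataclass
class Message:
    msg_id: str
    to: str
    subject: str
    body: str
    queued_at: datetime
    release_at: datetime
    status: str = "held"   # held -> sent | recalled | blocked
    reason: str = ""


class HoldQueue:
    def __init__(self, directory: Dict[str, str], hold: timedelta = HOLD_WINDOW) -> None:
        # Directory maps a verified contact address to a minimised label
        # (first name and last initial, as the text recommends for devices).
        self.directory = {addr.lower(): label for addr, label in directory.items()}
        self.hold = hold
        self.queue: Dict[str, Message] = {}
        self.outbox: List[Tuple[str, str]] = []   # (recipient, body) actually released
        self.audit: List[str] = []                # record for the error tracking the text asks for

    def submit(self, msg_id: str, to: str, subject: str, body: str, now: datetime) -> Message:
        msg = Message(msg_id, to, subject, body, now, now + self.hold)
        if to.lower() not in self.directory:
            # Preventive control: an address the practice never verified does not leave.
            msg.status = "blocked"
            msg.reason = "recipient not in practice directory"
        self.queue[msg_id] = msg
        self.audit.append(f"{now.isoformat()} {msg_id} {msg.status} to={to} {msg.reason}".rstrip())
        return msg

    def recall(self, msg_id: str, now: datetime) -> bool:
        """Corrective control: cancel a held message before its release time."""
        msg = self.queue.get(msg_id)
        if msg is None or msg.status != "held" or now >= msg.release_at:
            return False
        msg.status = "recalled"
        msg.reason = "recalled by sender"
        self.audit.append(f"{now.isoformat()} {msg_id} recalled")
        return True

    def release_due(self, now: datetime) -> List[str]:
        """Release every held message whose window has elapsed; return their ids."""
        released = []
        for msg in self.queue.values():
            if msg.status == "held" and now >= msg.release_at:
                self.outbox.append((msg.to, f"{msg.body}\n\n--\n{CONFIDENTIALITY_NOTICE}"))
                msg.status = "sent"
                msg.reason = f"released to {self.directory[msg.to.lower()]}"
                released.append(msg.msg_id)
                self.audit.append(f"{now.isoformat()} {msg.msg_id} sent")
        return released


def demo() -> HoldQueue:
    """Constructed scenario: one correct address, one typo, one recalled message."""
    directory = {"alex.r@mail.example": "Alex R.", "claims@insurer.example": "Insurer claims desk"}
    q = HoldQueue(directory)
    t0 = datetime(2017, 6, 1, 9, 0, 0)
    q.submit("m1", "alex.r@mail.example", "Appointment", "Confirming Thursday at 4 pm.", t0)
    q.submit("m2", "alex.r@mial.example", "Appointment", "Confirming Thursday at 4 pm.", t0)  # typo in domain
    q.submit("m3", "claims@insurer.example", "Claim", "Attached: session notes", t0)          # wrong attachment
    q.recall("m3", t0 + timedelta(minutes=2))   # sender notices inside the window
    q.release_due(t0 + timedelta(minutes=6))    # only m1 goes out
    return q


if __name__ == "__main__":
    for line in demo().audit:
        print(line)
```

The audit list is the piece a practitioner most often forgets: a blocked or recalled message is a near miss, and the text's obligation to "track them to see where there may be faults in the system" is only possible if the queue records them.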

Technical Controls

Technical controls are those controls implemented through technology, such as firewalls, intrusion detection and prevention systems, antivirus and antimalware programs, and encryption. These are the controls that protect Social Security numbers and credit card data. They also protect computer systems from spyware, which allows hackers to access personal information covertly. In case of device theft, remote wiping technology can be employed to delete sensitive information and/or disable the device altogether; note that a remote wipe only takes effect if the stolen device comes back online, so it complements rather than replaces encryption. The best protection against malicious access to stored data is full-device encryption, which protects data at rest on a lost or stolen device, together with end-to-end encryption for e-mail and messaging systems, which protects data in transit. One should also carefully evaluate services that advertise HIPAA compliance when considering apps, videoconferencing services, and cloud storage; a vendor that stores or transmits PHI on your behalf is a business associate and should sign a business associate agreement.

Mining data for patterns is another route by which confidential information can leak, even without any break-in. The Federal Trade Commission (2012) noted that "consumers face a landscape of virtually ubiquitous collection of their data. Whether such collection occurs online or offline does not alter the consumer's privacy interest in his or her data" (p. 18). Summary data can be extracted and inferences made without our knowledge. The Winston Law Firm website http://www.stopdatamining.me reminds us that "collecting, analyzing and selling every aspect of your life for marketing purposes is perfectly legal. Indeed, it's worth billions of dollars of business. Data brokers acquire and rate trillions of transactions per day and their databases contain updated information" on every market transaction that takes place nationwide. Mental health providers should know that

it is therefore relatively easy for those with access to metadata to infer that a private citizen who has regular contact (data) with the professional e-mail address of a mental health professional may be in therapy for some form of mental health issue. (Drummond et al., 2015, p. 231)

To prevent mining of confidential data, we recommend the judicious use of stand-alone (i.e., non-Internet-connected) systems where feasible. To minimize the effects of data mining online, consider using browser extensions that block tracking cookies and actively opting out of data broker and direct marketing activities.
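The metadata inference that Drummond et al. describe, as an added example written for this page (not code from the chapter authors): the script sees only sender, recipient, and timestamp, no subject or body, and still flags the outside address that exchanges mail with the clinic's domain on a weekly rhythm at the same hour. The clinic domain, the addresses, the log lines, and the thresholds are all constructed assumptions.

```python
"""Added example (not from the chapter authors): inference from e-mail metadata.

An observer who holds only who-wrote-to-whom-and-when (a mail provider, a
network observer, a data broker) can infer a treatment relationship from a
practice's publicly listed domain plus a regular contact pattern. The log, the
domain and the thresholds below are constructed for illustration.
"""
from collections import Counter, defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Assumed: the practice's domain is public (website, therapist locator listing).
CLINIC_DOMAINS = {"anxietyclinic.example"}

# Constructed metadata log: timestamp,sender,recipient. No subjects, no bodies.
SAMPLE_LOG = """\
2017-03-01T17:55:00,sam@mail.example,intake@anxietyclinic.example
2017-03-03T09:12:00,pat@mail.example,newsletter@anxietyclinic.example
2017-03-08T17:58:00,sam@mail.example,dr.lee@anxietyclinic.example
2017-03-10T11:40:00,pat@mail.example,friend@othermail.example
2017-03-15T18:01:00,dr.lee@anxietyclinic.example,sam@mail.example
2017-03-22T17:57:00,sam@mail.example,dr.lee@anxietyclinic.example
2017-03-29T18:02:00,sam@mail.example,dr.lee@anxietyclinic.example
"""

Row = Tuple[datetime, str, str]


def parse_log(text: str) -> List[Row]:
    rows = []
    for line in text.strip().splitlines():
        ts, sender, recipient = line.split(",")
        rows.append((datetime.fromisoformat(ts), sender.lower(), recipient.lower()))
    return rows


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1]


def infer_likely_patients(rows: List[Row], min_contacts: int = 3,
                          max_gap_days: int = 10) -> Dict[str, dict]:
    """Flag outside addresses that exchange mail with the clinic at regular intervals.

    A single message (a newsletter sign-up) is not enough; several contacts at
    a steady interval and a consistent hour look like a standing appointment.
    """
    contacts: Dict[str, List[datetime]] = defaultdict(list)
    for ts, sender, recipient in rows:
        if domain(recipient) in CLINIC_DOMAINS and domain(sender) not in CLINIC_DOMAINS:
            contacts[sender].append(ts)
        elif domain(sender) in CLINIC_DOMAINS and domain(recipient) not in CLINIC_DOMAINS:
            contacts[recipient].append(ts)

    flagged: Dict[str, dict] = {}
    for person, stamps in contacts.items():
        if len(stamps) < min_contacts:
            continue
        stamps.sort()
        # Round to whole days so a message a few minutes early still counts as weekly.
        gaps = [round((b - a).total_seconds() / 86400) for a, b in zip(stamps, stamps[1:])]
        if max(gaps) > max_gap_days:
            continue  # sporadic contact; not enough to infer a treatment relationship
        flagged[person] = {
            "contacts": len(stamps),
            "median_gap_days": sorted(gaps)[len(gaps) // 2],
            "usual_hour": Counter(t.hour for t in stamps).most_common(1)[0][0],
        }
    return flagged


if __name__ == "__main__":
    for who, evidence in infer_likely_patients(parse_log(SAMPLE_LOG)).items():
        print(who, evidence)
```

Nothing in the inference depends on message content, which is why end-to-end encryption of the body does not defeat it; the tracker blocking and stand-alone systems recommended above reduce what third parties collect, but the metadata the mail provider itself holds remains, so the practical mitigation is to keep routine scheduling traffic off e-mail where a patient portal or phone call will do.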


HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

Now that we've covered some basics, we can go into more depth about why issues of confidentiality around patient information are a critical aspect to consider in this new technological era. The first reason is simple: It's the law. HIPAA has become a fixture both in parlance and practice throughout health care and has at times been confusing and misunderstood. HIPAA is the United States legislation that provides data privacy and security provisions for safeguarding medical information. Both the HIPAA Privacy Rule and the Security Rule are triggered when a health care provider (or an entity such as a billing service acting on behalf of the health care provider) transmits health information in electronic form in connection with any of the designated standard transactions. The American Psychological Association (APA; 2013), in a publication designed to address HIPAA concerns, states,

for most mental health and health practitioners, triggering the need to comply with HIPAA and the Privacy rule occurs when they do all the following: Electronically transmit Protected Health Information (PHI) in connection with insurance claims or other third-party reimbursement. (p. 2)

This APA publication continues:

the most common form of electronic transmission for practitioners is via the Internet (for example, sending e-mail to a patient or an insurance carrier or making transactions on an insurance company website). Electronic transmission also includes transmitting electronic information: to cloud storage, from a mobile device, such as a smart phone or tablet, via Wi-Fi networks and flash drives, as well as via websites where patients submit PHI. (p. 3)

It is important to note that PHI is individually identifiable health information, relating to a person's past, present, or future health condition, the care provided, or payment for that care, that is created or received by a health care provider, health plan, employer, life insurer, school or university, or health care clearinghouse.

The HIPAA Privacy Rule requires that all covered entities keep patients' PHI secure and properly educate their patients about their rights under HIPAA. Proper education involves providing patients with a written statement (the notice of privacy practices) that describes how health care providers and other covered entities can use or share their PHI. This should be covered in the initial consultation both verbally and in written form. The HIPAA Security Rule details the steps health care providers must take to keep patients' electronic PHI secure. Providers are required to assess the security of their electronic health record systems on an ongoing basis and then put specific physical, administrative, and technical safeguards in place (as described above) to protect against the risks revealed by the assessment.

It is very important to note that

the Privacy Rule specifically does not preempt a narrow range of state laws, such as laws giving or denying parents access to their children's records, regardless of how stringent they are. The result of the complicated preemption analysis is that the law you must follow is a mixture of Privacy Rule and state privacy law provisions. (APA, 2013, p. 4)


As HIPAA became more ingrained in the everyday practices of health care providers, in 2009 the U.S. Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. With the initiation of HITECH, regulations and guidelines were enacted and directed toward protecting PHI in the digital age. This act was the start of "a major shift in the enforcement strategy of the Office of the National Coordinator for Health Information Technology (ONC). Because of the HITECH Act, non-compliance resulted in financial and professional standing losses for businesses" ("What is Protected Health Information?", 2017, para. 12).

In January, 2013, the HITECH-HIPAA final rule was announced, which implemented all the HIPAA modifications mentioned in the HITECH Act. One notable change was the direct application of HIPAA to business associates, which were previously governed by their contract with a covered entity. However, after the modifications from the HITECH Act, business associates became subject to HIPAA sanctions as well as enforcement. ("What is Protected Health Information?", 2017, para. 13)

Business associates are entities that extend a practitioner's ability to use patient data in an efficient way. They may perform a variety of functions, such as claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, practice management, and repricing. Business associate services include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, and financial services. Examples of business associates can be found online (https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates/index.html). As of 2013, business associates caused more than 20% of all security breaches reported to HHS; such breaches affect approximately 12 million patients each year (Solove, 2013).

Numerous resources are available from the APA Practice Organization (http://www.apapractice.org; and http://www.apapracticecentral.org/business/hipaa/hippa-privacy-primer.pdf, which offers more specifics on HITECH-HIPAA).

Professional Ethics Codes

Although professional organizations have always provided guidance and guidelines on technology, change is so rapid that it becomes a challenge for them to keep the guidelines current. Thus, part of the burden of risk management falls to ethical decision making on the part of practitioners, extending to the training they provide their staff (Sobelman & Younggren, 2016). Unfortunately, simply using new technologies can sometimes expose underlying vulnerabilities or misuses, such that a new guideline is required; however, the goal thus far has been to write guidelines more broadly and in such a way as to enable them to be applied to multiple, even unforeseen, circumstances. The APA's Ethical Principles of Psychologists and Code of Conduct (2017; hereinafter, APA Ethics Code) states the following:


4.01 Maintaining Confidentiality

Psychologists have a primary obligation and take reasonable precautions to protect confidential information obtained through or stored in any medium, recognizing that the extent and limits of confidentiality may be regulated by law or established by institutional rules or professional or scientific relationship.

4.02c Discussing the Limits of Confidentiality

Psychologists who offer services, products or information via electronic transmission inform clients/patients of the risks to privacy and limits of confidentiality.

The more recent APA Guidelines for the Practice of Telepsychology (American Psychological Association, Joint Task Force for the Development of Telepsychology Guidelines for Psychologists, 2013) recommend that psychologists become knowledgeable and competent "in the use of the telecommunication technologies being utilized" and make sure that clients/patients are made aware of the "increased risks to loss of security and confidentiality when using telecommunication technologies" (pp. 791–799).

Sometimes ethical guidelines can even sound like an alert and strike a cautionary tone, as in the following from the American Psychiatric Association (2013): "Growing concern regarding the civil rights of patients and the possible adverse effects of computerization, duplication equipment, and data banks makes the dissemination of confidential information an increasing hazard" (p. 6). Additionally, the American Psychiatric Association (2016) recently warned that "the advent and expansion of the use of electronic medical records and the increasing use of care coordinators and integration of medical care present challenges to traditional notions of patient confidentiality" (p. 4). An abundance of caution is appropriate, given the weight of the mission of the U.S. Department of Health and Human Services Office for Civil Rights to "ensure that people have equal access and opportunities to participate in certain health care and human services programs without unlawful discrimination" (see https://www.hhs.gov/ocr/).

In other words, it is incumbent upon us as practitioners to understand that we are responsible for the security and confidentiality of our client and patient records, no matter what method or technology we use. Compliance with the law and with the enforceable ethics codes of our professional associations resides with us, and we cannot pass the buck to office managers or our IT support staff. It is we who must inform our patients of the limitations. A thorough informed consent process, including documentation thereof, should be a standard part of practice. Specific risks spelled out in informed consent forms may include e-mail and text messaging risks.

In the APA Ethics Code, the General Principles, as opposed to Ethical Standards, are aspirational in nature. As noted in the text,

Their intent is to guide and inspire psychologists toward the very highest ethical ideals of the profession. General Principles, in contrast to Ethical Standards, do not represent obligations and should not form the basis for imposing sanctions. Relying upon General Principles for either of these reasons distorts both their meaning and purpose.


The APA Ethics Code Task Force attempted to address a possible conflict between law and ethics by allowing psychologists to adhere to a legal obligation in the face of a competing ethical obligation, by stating the following:

1.02 Conflicts Between Ethics and Law, Regulations, or Other Governing Legal Authority

If psychologists' ethical responsibilities conflict with law, regulations, or other governing legal authority, psychologists clarify the nature of the conflict, make known their commitment to the Ethics Code and take reasonable steps to resolve the conflict consistent with the General Principles and Ethical Standards of the Ethics Code. Under no circumstances may this standard be used to justify or defend violating human rights.

In the next section, we offer a technology-infused mental health care scenario that presents various low-level and higher level risk management challenges. As you read, reflect on the ethical principles and laws cited above, as well as the information security control examples presented. For each technology-related action in the case study, try to identify specific ways the practitioner can manage risk while still offering direct benefits to the patient in terms of access to care and treatment that meets high standards, and/or indirect benefits to the patient in the form of professional development for the clinician.

Case Study

A young man is concerned about how much he is worrying about starting graduate school. Worrying is starting to pervade his mind to the point where he is having trouble sleeping and even remembering to eat. He decides to look up his symptoms on the Internet. He types some key words about his symptoms into a search engine and discovers a mental health informational site that provides a symptom checklist. After he completes a brief symptom checklist, the site returns a result that suggests that he might be suffering from an anxiety disorder. The site provides psychoeducation— information about various anxiety disorders, possible causes, and evidence-based treatment approaches, as well as some stress reduction suggestions. He tries some of the stress reduction exercises and experiences a degree of relief in the fact that he is experiencing symptoms that are not uncommon. Still, his symptoms trouble him.

He returns to the informational site and clicks on a link that brings him to a mental health clinician referral site, and then to a therapist locator site providing listings for mental health professionals. He searches through a number of profiles and decides on a professional nearby that he believes is qualified. He is able to click on a link to a professional website and the clinician's Facebook page and Twitter account, and after reviewing the therapist's credentials decides to proceed with scheduling an initial session. Through the therapist's website, he is able to review the practice policies and insurances accepted. He completes a comprehensive intake questionnaire and symptom description online. He schedules an appointment online too.


The practitioner is notified of the new patient and is able to review the intake form and symptom checklist to derive an initial sense of the clinical issues and patient characteristics. The pretreatment data are automatically uploaded and stored in an encrypted database to be used to monitor progress and serve as baseline criteria to measure outcomes. All of this is done with the patient’s informed consent.

After the patient's first office visit, the intake information, pretreatment data, and initial clinical evaluation are used to formulate an initial treatment plan. The clinician accesses the Internet and uses a search engine for the latest clinical practice guidelines (Hollon, 2016) to determine the recommended evidence-based treatments and to keep abreast of the most current findings. At this time, any needed information can be discovered using PICOT (Patient/population, Intervention, Comparison intervention, Outcome, Time frame) questions, which are formulated to help clinicians discover the most current evidence (New York University Libraries, 2017). Based on the evaluation and pretreatment data, a diagnostic formulation is made. Clinician and patient discuss various treatment options by phone and agree on an approach to try, starting with the patient's next appointment. The patient is invited to use his smartphone to download some apps he can use to keep track of mood and anxiety, so that a better picture of the triggers can be identified. Another app using biometric sensors via his smartphone is used to gather some physiological concomitants of his anxiety, such as heart rate variability and patterns of movement. These data can be uploaded from the patient's smartphone to the clinician's portal site, where she is able to monitor trends and also utilize the physiological parameters to assess treatment response. The patient is also provided with links to various sites that offer supportive and accessible adjunctive psychoeducation.

In another office in her suite, the clinician has a room devoted to helping patients learn how to make state changes—represented by optimal balance between the sympathetic and parasympathetic nervous systems, called coherence. For our patient, in this example, the clinician prescribes adjunctive heart rate variability biofeedback, which is overseen by a technician. For other patients, other treatments are considered, such as neurofeedback, virtual reality therapy, electrocranial therapy, and transcranial magnetic stimulation (TMS). While she does not have the resources for TMS in her practice, when appropriate, she refers to another clinician who does.

During the course of treatment, the patient arrives 5 minutes early for each session and is asked to complete a scale on a tablet that links to the clinician's computer. A summary of the treatment alliance and patient progress is available to the clinician before she meets with her patient. During the session, the patient reports that he will be unable to attend face-to-face sessions for a month, and after discussing the advantages and limitations of teletherapy, and providing informed consent, the patient and clinician decide that during this period they will conduct teletherapy sessions. These sessions prove to be a relief to the patient as a break in treatment seemed untimely.

As part of the clinician's continuing professional development, she has signed up for some online webinars on the latest evidence-based strategies for working with anxiety disorders. During the webinar she hears of additional training, including an online supervision group that she decides to join. As part of the training, she is required to have videotape supervision of her patients. She asks her patient if he would allow his sessions to be videotaped for this purpose. He agrees, and she uses a digital video camera and saves the video on a password-protected site. Using an encrypted video communication service, she meets virtually with her supervisor, and together they are able to view the videotape of her patients, providing shared clinical material as opposed to self-report.

As you read this case study, did any red flags present themselves? Maybe you identified some areas where you would like more detailed information on both the benefits and risks—social media policies, for example (for a list of articles for clinicians about social media, see http://drkkolmes.com/clinician-articles/). Or maybe you were able to articulate some questions to ask your staff or business associates about how best to safeguard patient data and take calculated risks with technology. Additionally, you might ask the following:

❚ In which parts of the scenario does the clinician's responsibility to comply with HIPAA/HITECH come into play?

❚ Was informed consent obtained at every juncture when it is needed?

❚ What physical, administrative, and/or technical vulnerabilities has the clinician accounted for, and how might those controls be reinforced?

❚ Aside from specific security vulnerabilities, what boundary challenges need to be considered? (Kolmes & Taube, 2014)

Conclusion

Online mental health programs have a strong evidence base. APA defined evidence-based as "the integration of the best available research with clinical expertise in the context of patient characteristics, culture and preference" (APA Presidential Task Force on Evidence-Based Practice, 2006, p. 273). Their role in population health strategies needs further exploration, including the most effective use of limited clinical staff resources. Turvey and Roberts (2015) reminded us that patient portals and personal health records serve to enhance mental health treatment also, though concerns specific to mental health must be addressed to support broader adoption of portals. User-friendly, well-designed, patient-centered health information technology may integrate many functions (connecting patient records or e-mails or treatment enhanced technologies) to promote a holistic approach to care plans and overall wellness. The security needs of using this technology will require that providers and patients be well informed about how best to use these technologies to support behavioral health interventions (Turvey & Roberts, 2015).

It is an intimidating and possibly consuming task to stay up-to-date with all the advances in technology in the mental health field. And with the changes in the technology landscape, mental health practitioners will continually need to adhere to high standards of care. Therefore, it should be abundantly clear that keeping data secure must be of paramount importance. But even widely trusted encryption software has turned out to have serious flaws, as when a newly discovered vulnerability in TrueCrypt was found to allow full system compromise (Constantin, 2015). So, what are we supposed to do if even systems that meet high industry standards can be compromised? Let's be clear: There will never be a perfect security and privacy solution for any electronic medical record, health-related electronic communication, telehealth program, or mobile health app. On some level, our efforts to follow HIPAA standards, professional standards, and ethical standards, and to maintain a risk-managed practice setting, will always be aspirational. The best we can do is to accept and own our responsibilities as professionals and adopt practices that help us to stay current.

References

American Psychiatric Association. (2013). The principles of medical ethics with annotations especially applicable to psychiatry. Retrieved from https://www.psychiatry.org/File%20Library/Psychiatrists/Practice/Ethics/principles-medical-ethics.pdf

American Psychiatric Association. (2016). APA commentary on ethics in practice. Retrieved from https://www.psychiatry.org/File%20Library/Psychiatrists/Practice/Ethics/APA-Commentary-on-Ethics-in-Practice.pdf

American Psychological Association. (2013). The privacy rule: A primer for psychologists. Retrieved from http://www.apapracticecentral.org/business/hipaa/hippa-privacy-primer.pdf

American Psychological Association. (2017). Ethical principles of psychologists and code of conduct (2002, Amended June 1, 2010 and January 1, 2017). Retrieved from http://www.apa.org/ethics/code/index.aspx

American Psychological Association, Joint Task Force for the Development of Telepsychology Guidelines for Psychologists. (2013). Guidelines for the practice of telepsychology. American Psychologist, 68, 791–800. http://dx.doi.org/10.1037/a0035001

APA Presidential Task Force on Evidence-Based Practice. (2006). Evidence-based practice in psychology. American Psychologist, 61, 271–285. http://dx.doi.org/10.1037/0003-066X.61.4.271

Brock, L. V., & Mastroianni, A. (2013). Ethics in medicine: Clinical ethics and law. Retrieved from the University of Washington School of Medicine website: http://depts.washington.edu/bioethx/topics/law.html

Constantin, L. (2015). Newly found TrueCrypt flaw allows full system compromise. Retrieved from https://www.csoonline.com/article/2987148/data-protection/newly-found-truecrypt-flaw-allows-full-system-compromise.html

Drummond, A., Cromarty, P., & Battersby, M. (2015). Privacy in the digital age: Implications for clinical practice. Clinical Psychology: Science and Practice, 22, 227–237. http://dx.doi.org/10.1111/cpsp.12105

Dulaney, E. (2014). Picture this: A visual guide to security controls [Web log post]. Certification Magazine. Retrieved from http://certmag.com/picture-this-visual-guide-security-controls/

Federal Trade Commission. (2012, March). Protecting consumer privacy in an era of rapid change: Recommendations for businesses and policymakers. Retrieved from https://www.ftc.gov/reports/protecting-consumer-privacy-era-rapid-change-recommendations-businesses-policymakers


Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191-110 (1996).

Hollon, S. D. (2016). Developing clinical practice guidelines to enhance clinical decision making. In J. J. Magnavita (Ed.), Clinical decision making in mental health practice (pp. 125–146). Washington, DC: American Psychological Association. http://dx.doi.org/10.1037/14711-005

Kolmes, K., & Taube, D. O. (2014). Seeking and finding our clients on the Internet: Boundary considerations in cyberspace. Professional Psychology: Research and Practice, 45, 3–10. http://dx.doi.org/10.1037/a0029958

Largest Healthcare Data Breaches of 2016. (2017). HIPAA Journal. Retrieved from https://www.hipaajournal.com/largest-healthcare-data-breaches-of-2016-8631/

New York University Libraries. (2017). Framing the research question: PICO(T). Retrieved from https://guides.nyu.edu/c.php?g=276561&p=1847897#1733240

Northcutt, S. (2013). Security controls. Retrieved from https://www.sans.edu/cyber-research/security-laboratory/article/security-controls

Sobelman, S. A., & Younggren, J. N. (2016). Clinical decision making and risk management. In J. J. Magnavita (Ed.), Clinical decision making in mental health practice (pp. 245–271). Washington, DC: American Psychological Association. http://dx.doi.org/10.1037/14711-010

Solove, D. J. (2013). HIPAA turns 10: Analyzing the past, present and future impact. Journal of AHIMA, 84(4), 22–28. http://library.ahima.org/doc?oid=106325#.WgB8r1tSzIV

Turvey, C. L., & Roberts, L. J. (2015). Recent developments in the use of online resources and mobile technologies to support mental health care. International Review of Psychiatry, 27, 547–557. http://dx.doi.org/10.3109/09540261.2015.1087975

United States Department of Health and Human Services. (2013). Breach notification rule. Retrieved from https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html

What is protected health information? (2017). Retrieved from the USF Health website: https://www.usfhealthonline.com/resources/key-concepts/what-is-protected-health-information-or-phi/

Yau, H. K. (2013). Information security controls. Advances in Robotics & Automation, 3:e118. http://dx.doi.org/10.4172/2168-9695.1000e118
