Safeguard the privacy of behavioral health apps

Whether professional association ethical codes or state laws explicitly address how to use behavioral apps in the clinical setting, clinicians and their employers are squarely held responsible for problems that result in the violation of a client/patient’s privacy. Clinicians need to be trained to think through their ethical and legal duties related to confidentiality, that is, their duty to protect the patient’s privacy when using any app.

Security is crucial not only in terms of clinical processes but also technical security of the device or app.

Security requirements related to apps include the need to safeguard the privacy of the client’s protected health information (PHI), as per state and federal laws, such as HIPAA and HITECH.  Professionals and employers are encouraged to engage in these activities:

• Review whether or not an app has been tested for privacy by searching for that information in the product descriptions.
• Contact the app developer to clarify unanswered questions related to data collection, storage, sharing features and HIPAA compliance.
• Read comments in reviews to search for security complaints.

• Advise patients to be thoughtful about agreeing with requests from app developers to be contacted to “report bugs” or access private information such as location, photos or contacts. Such “features” will need to be carefully weighed against security threats if the app developer does not keep its agreements (which happens more frequently than imagined).
• Show patients where to toggle off such permissions within the app when privacy is desired.
• Only recommend apps that have privacy protections (passwords or other biometric identifiers).
• Suggest that the patient carefully consider potential privacy breaches when loaning the smart device to children or others.
• Install the app with the client in session and demonstrate how to use it safely and effectively for the intended goal(s).
• Be aware that recommending apps can have clinical repercussions. Making poor app suggestions can have a deleterious effect on the therapeutic relationship if mishandled. Not all patients will bring up their experience with an app, particularly if it is frustrating or embarrassing. Clinicians would do well to check with patients about their experiences with suggested apps on a regular basis.

Asynchronous telehealth

Some apps connecting a patient to the clinician in real time (synchronous) or delayed (asynchronous) technology is considered telehealth by some state licensing boards. For example, if the client lives in Georgia and travels to visit her mother in Florida, any app used to transfer information to or from the therapist can involve the illegal practice of telehealth over state lines if the clinician is not licensed in Florida at the time of data transfer. Therefore, clinicians would be wise to check with their licensing boards before suggesting asynchronous communication through apps with patients who travel out of state.

Informed consent

Further, if an app involves telehealth, the clinician is also advised to be apprised and compliant with all HIPAA, HITECH and related laws, and to make mention of such compliance in the informed consent document when working with U.S. citizens. When working with clients/patients located in different countries, be aware of and adhere to laws in the location of the client.

Other security-related informed consent topics to include are risks and benefits of communicating through technology, such as the risk of missed communications, errors in delivery. Set realistic expectations of response times by discussing office hours, after-hour alternatives, data interception and breach protocols, and the lack of negative repercussions for stopping the use of the app. Client responsibilities with technology should be discussed, such as the need to use passwords or to avoid recording indiscretions that could conceivably be seen by a spouse or child in the home.

Additionally, the patient has the right to know who else in the clinician’s circle might be seeing information being transmitted via an app. Such people could include information technology professionals servicing the app; administrative or other office staff working with the clinician, supervisors, etc. Of course, document all the above at any time such discussions occur.

Lastly, it bears mentioning that the clinician may also want to be clear about the types of messages that are sent when using apps. For example, messages requesting assistance for suicidal or homicidal ideation are not appropriate to send through apps for obvious reasons. Clinicians must be clear that such situations are emergencies and should be managed by first responders or crisis teams. Provide the appropriate contact information for such cases.

More online

Find out more from the TeleMental Health Health Institute.