Confidentiality is the foundation of my work and I take it very seriously. This means:
- I will not talk about your story with anyone else
- If someone calls me asking if I know you or asking if you’re a client, I politely say, “I cannot confirm or deny an individual is coming to my office.”
- If we come across one another in public, I will not approach you or start a conversation
- If you do not approach or greet me in public, I do not take it personally and understand your need for privacy
- I will not put you in a situation where you have to explain to someone else how you know me
- If we are introduced by a mutual acquaintance I will act like it’s the first time we’ve met
Limits to Confidentiality
I do have limits to confidentiality, however, if:
- You are a danger to yourself
- You are a danger to someone else
- You are a danger to someone’s property
- Abuse of a minor or elder
I have an obligation to ensure safety and can break confidentiality in the above situations.
Also, in order to maintain my skills as a counselor or to get specialized insight for a particular issue, I will occasionally consult with other trusted clinicians who are also held to confidentiality standards. When consulting with other clinicians I change any identifying information. For an extra layer of confidentiality, I do not consult with any clinicians in Okinawa, with exception to safety issues.
My intention is to be very transparent with you. This means that if a client begins talking about a subject that sounds like it may lead to me having to break confidentiality, I will stop the conversation and remind the person about my obligations.
If a client discloses something that requires me to break confidentiality, I will let that person know that I have to break confidentiality and be transparent about the next steps.
When working with families or couples, I have a no-secrets policy. This means if one person tells me information that the other person(s) is unaware of, generally my response will be, “How are we going to let the person(s) know about this secret.” That is, I cannot hold secrets for anyone.
I do this for two main reasons. When working with a family or couple, my commitment is to the “unit,” rather to one person in particular. Refusing to hold secrets allows me to maintain this commitment. The second reason is that a big part of the work in counseling is approaching and talking about difficult subjects. My job is to support families and couples in approaching and having these challenging, but usually necessary conversations.
Military, SOFA and Confidentiality
Currently, in order to eliminate any potential conflict of interest with my current employer and the DoD, I cannot see any military members or their dependents (for a list of providers on Okinawa, please go here).
For civilians who fall under SOFA, it’s important to know that being in Okinawa and on SOFA presents a very unique situation. Because the military is responsible for SOFA status individuals, SOFA individuals fall under more restrictions than they would back at home. As a result, there is quite a bit of overlap between one’s professional life and personal life in Okinawa. And it’s important for SOFA individuals to understand how this may impact our work together.
In a situation where I’m mandated to break confidentiality (e.g., risk to self-harm, suspected child abuse, etc.), I report to military agencies (military police, Family Advocacy, etc.) in order to ensure safety. Though I do not report any issues directly to your employer, it’s almost certain, because of SOFA status, that the report, will quickly make its way to your employer.
Though I hope we can talk about anything during our sessions together, it’s important for clients to weigh the risk between the benefits of being completely open about certain subjects and the possible consequences of a mandated report.
It’s not uncommon that a client wants more clarification on my limits to confidentiality and examples of situations where I would break it. Some clients may be hesitant with expressing concern for appearing suspicious or “guilty.”
I always encourage clients to express any concerns they may have. There are many ways to discuss my limits without disclosing details of your situation and while still maintaining your confidentiality. This way you can make the most well-informed choice.
Records & Data Security
Records at Minato Counseling
After careful consideration, consultations with IT professionals, and taking courses in mental health record storage, I’ve determined the best way to maintain client confidentiality in my practice is to store records offline. This means that all records containing the contents of our conversations during sessions or records that contain diagnosis information, are stored offline, do not touch the Internet, and are never stored on a device that regularly connects to the Internet. In addition, all notes are encrypted, password protected, and secured in locked safes.
There is one exception to this.
As a clinician, I’m often put in situations where I’m weighing the risk between someone’s confidentiality and their safety. And if someone is in immanent danger, safety trumps confidentiality. This doesn’t mean I release all of the client’s records. Instead, I will disclose only the information that is needed to keep the person safe.
I say this because It’s very likely that a client may have an emergency while I’m away and unable to access my physical records. And It’s crucial that I have a plan for this. As a result, I’ve determined that by keeping basic client information online, I can substantially decrease the risk of potential injury to clients, with very little negative impact to client confidentiality.
This all means, I do store a list of active client names and important related contacts (i.e., emergency contacts, physical addresses and other key providers for the client) online with a third-party that is HIPAA compliant. And for an extra layer of security, the account I’ve created with this third-party is under a pseudonym; that way, in the case that the data is breached, it will not be associated with mental health services, Minato Counseling, or myself.
In order to meet the standard of care consistent with California law and my field’s ethical guidelines I:
- Take brief notes for every session with every clients
- Maintain records for 7 years after our final session
And as explained below:
- I keep records offline, encrypted, and physically locked
- I keep only essential contact information online with HIPAA complaint third-party under a pseudonym account
Cloud Storage vs Physical Records
It’s becoming common practice for clinicians to store their clients’ records with third-party, cloud-based services. That is, all their records are stored online. Though there are strict security standards they follow (i.e., HIPAA), there are still a number of security and ethical concerns I have.
The most obvious concern is technical failures. There’s no 100% risk-free way to store data, and if a technical failure happens online, sensitive data could be at risk. Another security concern I have with third-party providers is the fact that they have employees. By keeping data with these providers, I’m putting a lot of trust in people I’ve never met before. People make unintentional mistakes and it’s not unheard of that a disgruntled employee leaks data intentionally.
On the ethical side, the concern is that it’s legal for third-party services to de-identify client data and sell it to other organizations, with little transparency to how they de-identify the data and to which organizations they sell it to. There are also questions to who actually owns the data when it’s stored with a third-party: the clinician or the third-party provider.
Even though there are ethical and security concerns with online record storage, doesn’t mean that counselors or agencies who use them are being careless or unethical. It’s a matter of considering all risks that uniquely present for a practice and managing them as best as one can.
Large Agencies vs Small Practices
For larger counseling agencies with many clinicians, storing data online makes a lot of sense. Larger agencies have a large amount of records to store and secure, and they have many employees that need to be on the same page when it comes to managing these records. That can become complicated, which creates a security risk itself. Also, it’s common for agencies to have several physical locations, sometimes spread across large distances. If files are stored physically, this becomes a huge challenge
It’s far safer to keep client records in the cloud than to be constantly transporting physical records to different sites. Lastly, storing records on the cloud allow supervisors easy access to files to ensure clinicians are providing the best care to clients.
In short, for larger agencies, there’s probably more of a risk to storing data offline than online. Rather than trying to train all their clinicians in data security and storage, they can simply outsource that to professionals who spend millions and focus all day on securing data. Regardless, they still have an ethical obligation to disclose to clients from the beginning to how their data is being stored, who technically owns it, and if their data is being sold or not.
For small practices like myself, we don’t have the complexities of larger agencies and so, the risks of storing records online, in my judgement, outweigh the risks of offline storage. By storing records physically, I can visually see if client records have been tampered with or have gone missing. Versus online storage, where I’m trusting a third-party to disclose to me if there’s been a breach or not (assuming they found out about it). Also, in my practice, I’m the only person who handles records. If I outsource record storage, I’ve don’t know how many people are handling or have access to the data. And by bringing more people into the equation, security risk increases.