
Professional Psychology: Research and Practice © 2015 American Psychological Association
2015, Vol. 46, No. 3, 154–160 0735-7028/15/$12.00 http://dx.doi.org/10.1037/pro0000018

Emerging Ethical Threats to Client Privacy in Cloud Communication and Data Storage

Samuel D. Lustgarten
University of Iowa

In June 2013, Edward Snowden released top-secret intelligence documents that detailed a domestic U.S. spying apparatus. This article reviews and contends that current APA ethics and record-keeping guidelines, the Health Insurance Portability and Accountability Act, and the Health Information Technology for Economic and Clinical Health Act do not adequately account for this new information and other emerging threats to client confidentiality. As psychologists bear the responsibility for being informed, protecting and maintaining client records, and preventing breaches, it is vital that the field establish specific best practices and present regular security updates to colleagues.

Keywords: privacy, confidentiality, risk management, NSA, cloud storage

This article is intended solely for the personal use of the individual user and is not to be disseminated broadly.
This document is copyrighted by the American Psychological Association or one of its allied publishers.

This article was published Online First April 27, 2015.
SAMUEL D. LUSTGARTEN received his BS in psychology from Colorado State University and is currently completing a PhD in counseling psychology in the Department of Psychological and Quantitative Foundations at the University of Iowa. His research focuses on suicide prevention, client privacy, and technology.
THANKS ARE DUE TO Elizabeth Altmaier, Daniel Elchert, and Micah Lee.
CORRESPONDENCE CONCERNING THIS ARTICLE should be addressed to Samuel D. Lustgarten, Department of Psychological and Quantitative Foundations, University of Iowa, 361 Lindquist Center, Iowa City, IA, 52242-1529. E-mail: Samuel-Lustgarten@uiowa.edu

The NSA has built an infrastructure that allows it to intercept almost everything . . . . I can get your emails, passwords, phone records, credit cards.
—Edward Snowden (MacAskill, 2013)

Psychologists have asserted that confidentiality is needed to develop therapeutic alliances with clients (Donner, VandeCreek, Gonsiorek, & Fisher, 2008; Fisher, 2008; Glosoff, Herlihy, Herlihy, & Spence, 1997). Likewise, clients rely on confidentiality and privacy when sharing personal concerns (Rubanowitz, 1987; VandeCreek, Miars, & Herzog, 1987). In 1996, psychotherapist–patient privilege was strengthened by the U.S. Supreme Court case and judicial interpretation of Jaffee v. Redmond (1996). The Court ruled in favor of client confidentiality and protections against being legally compelled to disclose most records. Without this privilege, it is unclear whether clients would feel comfortable talking to mental health practitioners.

Because of the inherent risks associated with disclosing private information to another individual, the American Psychological Association (APA) included components within its “Ethical Principles of Psychologists and Code of Conduct” (APA, 2010; hereafter referred to as Ethics Code) and “Record Keeping Guidelines” (APA, 2007) aiming to minimize accidental or targeted disclosures of confidential information. Both documents place the ethical responsibility for protecting client data with practitioners.

These obligations come at a time of vast technological progress. Record keeping has largely moved from paper-and-pen methods to electronic medical records (EMRs; Devereaux & Gottlieb, 2012). Clinicians are increasingly using text messaging (Norcross, Pfund, & Prochaska, 2013) and e-mail (Shapiro & Schulman, 1996) for extended client care. In the interest of maintaining records and providing digital backups, many practitioners have moved to digital solutions. Each shift in technology has tested practitioners, who are tasked with maintaining record and communication security.

Unfortunately, new technology threatens practitioners’ abilities to adequately maintain client privacy. In June 2013, information provided to Glenn Greenwald by the whistleblower Edward Snowden outlined numerous U.S. governmental surveillance capabilities to access information on cloud storage centers (Gellman & Soltani, 2013; Greenwald, 2013). Leaked information suggested that the National Security Agency (NSA) was capable of accessing Google’s entire cloud platform (i.e., Gmail, Calendar, and Drive; Gellman & Soltani, 2013). If a practitioner stored any protected health information (PHI), mentioned identifiable cases, and/or contacted a client through these servers, the government could have accessed and downloaded that information.

The 21st century is one of technological growth and increasing vulnerability of client privacy. Recent news suggests that the landscape for data protection is changing, which necessitates ethical considerations and precautions. This article presents current record-keeping and communication regulations and guidelines, emerging threats to client data, and ethical considerations and advocates for the foundation of best practices.

From Pen to Keyboard: Evolving Regulations and Guidelines

In 1965, Gordon Moore, cofounder of Intel Corporation, outlined a theory for technological growth that successfully predicted the rise of household computers. This was at a time when computers filled rooms. Moore (1965) predicted that circuit technology would double every 2 years and lead to exponential growth while reducing the size of everything. This became known as Moore’s law. Since then, personal computers have become commonplace, and smartphones are increasingly gaining market share. Devices are smaller and more powerful than ever. Further exemplifying this trend, 2.7 billion people had access to the Internet in 2013 (International Telecommunication Union, 2013).

This pervasive accessibility and evolution of technology affects both practitioners and clients. Today, it is as simple as a text message or e-mail to communicate with a client. Record keeping can be entirely network based and digital. Devereaux and Gottlieb (2012) posited that all record keeping would eventually be digital. Although some groups do not embrace changes in the direction of digital records (Richards, 2009), evidence suggests growing interest in, and the possibility of reduced medical errors when using, EMRs (Institute of Medicine, 1999). Harrison and Palacio (2006) added evidence that organizations such as the Department of Veterans Affairs and Kaiser Permanente were benefiting in patient encounters with universal, real-time information. Richards (2009) found that EMRs were associated with increased screening, counseling, medication use, and management of risk.

With each evolution toward more digital services, organizations and governments have contributed to the protection of clients’ welfare. Federal regulations have been created to aid in the development, use, and protection of confidential data and communications. Likewise, APA released information for record-keeping guidelines. The following two sections outline some of these changes.

Health Insurance Portability and Accountability Act (HIPAA), Security Rule, and Health Information Technology for Economic and Clinical Health (HITECH) Act

The method, medium, and content for writing and storing notes shifted in the 21st century. Simple pen-and-paper methods moved to electronic ones. Physical file cabinets became encrypted digital containers. These technological advances prompted U.S. agencies to provide legislative frameworks for the proper handling of information. Demand for transmission and portability of electronic records prompted a cooperative effort between government, providers, insurers, and payment providers.

The Health Insurance Portability and Accountability Act (1996; HIPAA) aimed to increase accessibility of medical records while maintaining confidentiality. The framers intended it to “simplify the administration of health insurance” (HIPAA, 1996). HIPAA also contained expectations for practitioners and health providers with regard to electronic health information. The act stated that providers must “maintain reasonable and appropriate administrative, technical, and physical safeguards” (HIPAA, 1996).

In 1998, the Department of Health and Human Services (HHS) proposed specific security rules to aid in the regulation and maintenance of PHI (HHS, 1998). HIPAA-related materials would then be required to be shared privately. HHS (2003) provided a “final rule” for the security standards in 2003. These security rules apply to a health plan, health care clearinghouse, and any health care provider (e.g., psychologists who transmit PHI electronically; HHS, 2013). The security standards mandate that any providers of these services take security precautions to prevent a breach of data and that they conduct risk analyses. In addition, these regulations apply to business associates. This term of art requires those in cooperation with health plans, clearinghouses, and providers to maintain the same security standards that are appropriate for an entity and PHI. For example, a practicing psychologist who operates with insurers would need to follow HIPAA’s privacy and security rules while ensuring that business associates also operated within the legal framework.

HIPAA helped to provide a framework for business associates and third-party businesses to serve as electronic transfer agents for the storage of PHI. But the Health Information Technology for Economic and Clinical Health Act (2009; HITECH) formalized business associate liability, offered stricter regulations for the use of client records, and it further aided in client access rights. HITECH (2009) placed the burden of security on a business associate to meet security and privacy requirements. In addition, business associates are expected to provide breach notifications to covered entities and are subject to civil and criminal penalties for the misuse and/or loss of data. This act codified the legal regulatory authority to prevent data loss and punish corporate service providers. For instance, if a practitioner decided to sign a business agreement with a business associate to store client records or materials in a cloud environment, said business associate would need to meet HITECH requirements.

APA’s Record-Keeping Guidelines

The APA (2010) Ethics Code provides ethical principles and standards but does not specify exact record-keeping guidelines; instead, these were provided in a different publication (APA, 2007). The Ethics Code (APA, 2010) distinguishes principles as guidelines for conduct, whereas standards may inform judicial proceedings. APA’s formal “Record Keeping Guidelines” document establishes guidelines to protect clients and practitioners in legal and ethical proceedings. This document highlights the many interactions that practitioners have with the greater health care system and federal regulations (i.e., HIPAA). Of interest in the present study are Guidelines 3, 6, and 9 (of 13). Each of these guidelines converges on the topic of security, privacy, and confidentiality. Guideline 3 deals with confidentiality of created client records. This guideline echoes much of the Ethics Code’s requirements and asserts that practitioners should be aware of current regulatory and legal requirements that hold regarding records. Guideline 6 outlines the security that psychologists should engage in to protect said records. If practitioners create physical records, they should protect them with key and cabinet. Should digital records be used, practitioners are expected to properly secure them. Drogin, Connell, Foote, and Sturm (2010) pointed out that if practitioners use personal mobile devices to communicate, PHI might be accessible. Lastly, Guideline 9 informs practitioners regarding the use of electronic records. APA analogizes electronic to physical records, adding that practitioners should be concerned with the use of e-mail and other communication tools because they may suffer from confidentiality concerns. These guidelines are not enforceable; rather, they were formulated to provide guidance to practitioners.

Together, federal regulations and APA record-keeping guidelines provide a framework within which to understand the movement to digitized records and communication. Unfortunately, neither federal regulations nor APA have proffered specific steps that should be taken to increase privacy and confidentiality. The current guidelines only state that practitioners should use “passwords, firewalls, data encryption and authentication” (APA, 2007, p. 998).

Although these recommendations would better secure systems, they do not establish directions and specific methods for creating secure passwords, activating firewalls, or using data-encryption techniques, and they do not explain what authentication protocols are. Providing specific guidelines that are constructed and updated regularly might alleviate part of the burden on practitioners to prepare for and understand growing threats to client privacy.

Individual, Corporate, and Governmental Threats to Client Privacy

In a poll of 70 psychotherapy experts, many participants expressed increased interest in smartphone applications and social networking interventions (Norcross et al., 2013). Similarly, practitioners appear to see telemental health therapy (TMHT) as a potential intervention and therapeutic delivery method in the future (Colbow, 2013). As psychologists choose to accommodate communications outside of sessions (i.e., via e-mail and text messages) and write notes in EMRs (using local, network, and/or cloud storage), the risk to client privacy increases (Drogin et al., 2010; Richards, 2009).

Regrettably, advances frequently test practitioners’ abilities to meet the principles and standards outlined in the Ethics Code. As practitioners increasingly embrace the movement to cloud-based communication and storage, the growing threats to confidentiality should be considered. Technological advances in record keeping and communication bring costs and benefits to client confidentiality. As Benefield, Ashkanazi, and Rozensky (2006) surmised, these advances are also open to new attacks on clients’ data. The following sections outline a few of the risks associated with individual, corporate, and governmental actors.

Individual

Individual and collective actors can threaten client confidentiality. On September 1, 2014, The Guardian reported that an individual or small group of people “exploited” celebrity Apple iCloud accounts, which stored phone data including e-mails, address books, and photos (Arthur, 2014). Although celebrity data were the main targets, hackers could have compromised individuals’ accounts using similar methods. Again, if a practitioner had chosen to communicate or store any records on Apple’s iCloud platform, that information could have been compromised.

Information that is stolen via digital storage services and private information is frequently available. In the “dark Web”—hidden Web sites that are inaccessible to most Internet users—this information is regularly sold. This portion of the Internet is not accessible via Google or traditional browsers (Thompson, 2014). CNBC’s Cadie Thompson (2014) highlighted some common prices for private identity information. If psychologists communicate with a client via smartphones and similar devices, those communications could be compromised with mobile malware for about $150. Similarly, some medical records can be purchased for about $50.

Corporate

Companies that provide cloud storage, e-mail, and communications services generally make money from mining personal data. Their privacy policies and terms of services can be inherently complex. This can place a significant burden to understand and verify the safety of certain corporations on the practitioner. Facebook uses social profiles for marketing purposes and to provide users with related information (Facebook, Inc., 2014). Google (2014c) and Yahoo Inc. (2014), common e-mail and cloud storage providers, both have expansive privacy policies to enable them to provide “relevant” advertising and learn about user habits. Across these platforms, PHI may be communicated, at which point the corporate entity would have knowledge of client contact. Certain companies provide stronger privacy policies for communication. For example, Apple’s iCloud service encrypts e-mails in transfer (Apple Inc., 2014a) and does not mine for content (Apple Inc., 2014c). Shapiro and Schulman (1996) critiqued e-mail-based mental health services, which suggested that questions and help would be provided privately. E-mails are not traditionally encrypted at rest (on cloud servers), nor are their texts encrypted (Apple Inc., 2014a); however, leading e-mail providers (e.g., Google, Yahoo, Apple’s iCloud) encrypt messages in transit.

Unfortunately, on top of data-mining practices, most cloud storage and communication providers do not provide adequate information about data-retention policies. Google’s Drive cloud storage service for personal users (not Google Apps) offers no specific data-retention policy (Google, 2014c). This amorphous data-retention policy stands in contrast to APA’s (2007) record-keeping guidelines, which suggest that client records and data may be destroyed after 7 years in the absence of superseding legal requirements. It also calls into question a practitioner’s ability to maintain and provide confidentiality and proper informed consent when using certain corporate providers. Moreover, it is questionable whether practitioners could ever believe that records had been deleted if the cloud provider did not clearly and publicly state its data-retention standards.

Governmental

There are a variety of governmental actors and organizations that interact with client data. In June 2013, journalist Glenn Greenwald collaborated with NSA whistleblower Snowden to publish the first article of “The NSA Files” (Greenwald, 2013). This collection of intelligence reports, briefings, and presentations catalogued a covert surveillance apparatus (Greenwald, 2014). Leaked reports told of a specific program—MUSCULAR—that enabled NSA analysts to have access to private cloud data centers from Google and Yahoo (Gellman & Soltani, 2013). Any user of Gmail, Google Drive, or various other cloud products was affected by the attack as the NSA found a weak point in international operations. The ramifications of these technological abilities affect various professionals, from lawyers to nurses to mental health practitioners, because PHI and client data may not be completely protected. Cloud storage centers are vulnerable to NSA analysts and nongovernmental actors.

Public universities generally provide e-mail addresses to every faculty member and student. These addresses provide a common method for communication while individuals are at the school. Many college counseling centers operate on campuses of public institutions, which are held accountable to state and federal statutes. Although counselor contact e-mails are considered confidential communications at my public institution, anybody can request the e-mails of university staff members (University of Iowa, 2013) through a Freedom of Information Act (1966) request (FOIA; 5 U.S. Code § 552). Because universities and colleges differ in their policies, it is important to understand whether a respective institution would defend against open access to communication. Unfortunately, e-mail-based consultations between providers (that do not contain PHI) might not be as protected as messages conveyed through patient files and EMRs.

The Stored Communications Act (1986) was created before the Internet, e-mail, and personal computers were common household items. In particular, it asserted that e-mail left on Web servers for over 180 days would be considered abandoned. Today, this law is still in effect, and “abandoned” data can be requested without formal judicial review. People no longer delete e-mails as regularly as they used to, opting to archive and save them for later use (Google, 2014a). Legally, subpoenas and prior notice are required to search e-mails. For communications that have been left on cloud storage providers over 180 days, the Stored Communications Act may limit confidentiality.

In placing communications in the cloud for storage, one may be seriously compromising one’s ability to prevent government access. Beyond general attack measures that the NSA engages in, the Federal Bureau of Investigation is permitted to investigate in certain situations without first notifying the person under investigation (Counterintelligence Access to Telephone Toll and Transactional Records, 2012). Therefore, despite a practitioner’s responsibility to tell a client about limits to confidentiality, these investigations hamper positive efforts toward informed consent. Colloquially, these are known as “national security letters,” and they may conflict with the current APA (2010) Ethics Code.

Ethical Concerns

The APA (2010) Ethics Code outlines a variety of principles and standards for practitioners and researchers. As Glosoff et al. (1997) suggested, psychologists have “fundamental ethical obligations” to defend client confidentiality. Various principles and standards are being imperiled by today’s threats to electronic storage and communications. Unfortunately, practitioners might be at greater risk than they understand. Even APA (2007) noted that technological advances, including electronic record keeping, test practitioners’ abilities to maintain security. Considering these emerging concerns, this section focuses on Principle E and Sections 2, 4, 6, and 10 of the Ethics Code.

In the creation and management of client records, Principle E (Respect for People’s Rights and Dignity) provides a foundation for privacy and confidentiality (APA, 2010). This principle recognizes the necessity of protecting these rights and the welfare afforded to those who trust providers. Principle E informs much of the subsequent standards to follow. Because of emerging threats to privacy, client data may currently be underprotected, regardless of current policies.

Section 2 focuses on ethical questions regarding competence (APA, 2010). Of specific interest are Standards 2.01 (Boundaries of Competence) and 2.03 (Maintaining Competence). Standard 2.01 posits that psychologists must practice and provide services within their area of competence. Psychologists have an obligation to obtain training and/or support in areas that they are not familiar with, including technology. Shapiro and Schulman (1996) warned that accepting new technologies without critical, expert analysis might test practitioners’ boundaries of competence. Similarly, Standard 2.03 outlines an expectation that psychologists will continue their educations. Taken together, Section 2 considerations suggest that practitioners, who operate within the bounds of HIPAA and/or may use electronic services for the storage and communication of client information, are expected to gain competence or support in using privacy and security tools. Ethically, it may also be expected that practitioners continue to read and be informed about the various threats to client data.

Standard 4 may be the most relevant to the issue at hand, because it explicitly outlines privacy and confidentiality expectations (APA, 2010). As this article’s epigraph warns, digitalization of records and communications also provides greater threat to outside entities that may unlawfully infringe on client privacy and confidentiality. In turn, this threat primarily affects two standards: 4.01 (Maintaining Confidentiality) and 4.02 (Discussing the Limits of Confidentiality). For providers, the Ethics Code outlines a series of obligations regarding data, which involve the expectation of confidentiality regardless of medium. Much like Section 10.01 (Informed Consent to Therapy), Section 4.02 establishes an ethical obligation to explain how certain record-keeping and communication practices may limit confidentiality. When using text messaging and e-mail with a client, it might be ethically appropriate to talk about how these technologies may result in intrusions on privacy. In discussing the limits, it is important to consider the current threats to a client’s privacy and how obtained information could be used against him or her. Practitioners should abstain from using less secure technologies (e.g., e-mail and text messaging) with higher-risk populations. However, psychologist-led discussions should facilitate evaluation of the appropriateness of certain disclosures on the basis of foreseeable client risk.

Section 6 specifies ethical obligations for record keeping and fees. The standard of interest is 6.02 (Maintenance, Dissemination, and Disposal of Confidential Records of Professional and Scientific Work). The Ethics Code (APA, 2010) explains that within any medium, record storage and creation must be kept confidential. Moreover, if a practitioner needs to use shared records (e.g., in hospital settings), he or she should minimize the use of PHI when possible to improve client privacy. Today’s therapeutic interventions are performed in a variety of settings, and as technology becomes an important part of these, maintenance of confidentiality in record keeping comes into question.

Lastly, Section 10 deals specifically with concerns regarding therapy. According to Standard 10.01 (Informed Consent to Therapy), clients are to be informed of limits of confidentiality and communication methods available during treatment. Brendel and Bryan (2004) proposed talking about the services available in initial, informed consent meetings. For instance, should practitioners be interested in providing e-mail and text message accessibility, clients should be informed about these methods. Without a thorough informed consent process that covers these factors, client confidentiality cannot be properly founded (Everstine et al., 1980).

Best Practices

Inadequate client privacy/confidentiality standards may be met with disciplinary and monetary consequences (Benefield et al., 2006; Glosoff et al., 1997). Between the Ethics Code (APA, 2010) and the “Record Keeping Guidelines” (APA, 2007), APA provides specific and enforceable standards and guidelines for the use of client data. Use of these documents may inform counseling and record keeping, but there are additional practices that should be considered to further prevent breaches of confidentiality. I now turn to how practitioners can proactively prevent privacy infractions and breaches and maintain client confidentiality in this increasingly technological time. The following are six best practices for practitioners.

1. Threat Models

In the interest of protecting client privacy, practitioners should develop a threat model to assess each client and his or her practice’s associated risk (Barrows & Clayton, 1996; Lee, 2013). Threat models serve to protect against those who would likely compromise client and/or practitioner confidentiality (Barrows & Clayton, 1996). More specifically, threat models can reduce unlawful or accidental disclosures of PHI.

Although it is challenging to do so, an efficacious threat model should incorporate the various actors that may harm client confidentiality and group clients into low-risk, moderate-risk, and high-risk categories. With particularly high-risk populations (i.e., political dissidents, politicians, celebrities), low-tech methods may be advisable (i.e., pen-and-paper record keeping or air-gapped computers [detailed later], which have no Internet access capabilities, for notes).

The Electronic Frontier Foundation (2014) has suggested that threat models contain five questions: (a) What do you want to protect? (b) Who do you want to protect it from? (c) How likely is it that you will need to protect it? (d) How bad are the consequences if you fail? (e) How much trouble are you willing to go through to try to prevent those? Practitioners could, for instance, answer with the following five responses: (a) “I want to protect client records and communications.” (b) “I want to protect it from unauthorized government access and individual hackers.” (c) “I am currently working with a public, political figure, who has expressed concerns regarding unauthorized disclosures and leaks of data.” (d) “Considering the public nature of this client, my practice could be threatened and culpable for damages.” (e) “I am willing to spend

encryption, and (c) file/folder encryption. Full-disk encryption provides protection for an entire system, but once a password is used, the entire file system is accessible. Virtual-disk encryption is an encrypted container that acts like a digital flash drive and is protected from access through encryption. These containers require a password after logging into the computer. The last file system encryption option regards individual files. For instance, a Microsoft Office Word file can be password protected. Through a combination of all three of these methods, a stolen computer would be protected at multiple levels and virtually inaccessible.

The chief technology officer of the Freedom of the Press Foundation and technologist for The Intercept suggests disk encryption, firewalls, strong passwords (never renew or use the same), and cryptology to communicate when possible (M. Lee, personal communication, September 28, 2014). For example, Apple computers come with built-in full-disk encryption via FileVault. In addition, by using a strong, 8–10 character password with special symbols, varied capitalization, and avoidance of dictionary words, practitioners can have an encrypted and well-protected computer.

3. HIPAA-Compliant Cloud Providers

Any provider of storage for PHI should publicly document their privacy policy, terms of service, and information-handling restrictions. For instance, Google Apps uses various standardized security certificates to ensure data safety and retention (Google, 2014b). Even if practitioners choose to be responsible and HIPAA compliant, files should still be encrypted as per Best Practice 2. Devereaux and Gottlieb (2012) recommended that if cloud providers encrypt data, this process should meet the need for “reasonable conduct” and protection of records. This argument is predicated on trust. A cloud provider that encrypts data but still has access to encryption keys would be forced to decrypt this information if compelled by the federal government. Likewise, if a private employee or contractor was given the signing key, they could potentially decrypt data unlawfully. Any cloud storage used should already be backed up locally and completely encrypted prior to upload. There are a variety of encryption software packages available; an example, cross-platform option is TrueCrypt.
an additional hour per week to secure this individual’s client
records on an external, air-gapped computer.” In general, the
4. Two-Factor Authentication
Ethics Code (APA, 2010) and the “Record Keeping Guidelines”
(APA, 2007) emphasize stronger protections. By asking these five This method of authentication requires psychologists to first
questions, practitioners can reduce accidental and/or targeted at- enter a password and then a special token (Google, 2014a). Two-
tacks on client information. factor authentication uses a six-digit, time-based token that is
automatically encrypted, which prevents access to cloud-based
accounts. These tokens typically change at 30-s intervals. If a
2. Encrypt Everything
password were lost or stolen, an attacker would still need access to
If possible, every client record and communication should be the token to login. Without the token, the stolen password would
encrypted. When mobile devices are used for client contact (i.e., be of no use. Mobile devices can often receive two-factor tokens
text messages and/or e-mails), it is important to consider the via text message. Google (2014d), Dropbox (Louie, 2014), and
phone’s encryption capabilities. Currently, iPhones, with a good Twitter Inc. (2013) are all examples of companies that afford users
password, can be encrypted and protected from password attacks the ability to activate two-factor authentication.
for about 5.5 years (Apple Inc., 2014b). It is also possible for
iPhones to encrypt iMessages (text messages between iPhones),
5. Air-Gapped Computers
which would only be accessible between sender and recipient.
Older phones cannot generally engage in encrypted messaging. With the most sensitive cases and clients, greater data protection
The APA Practice Organization (2014) separated computer en- may be necessary. Similar to locked and local file cabinets, an
cryption into three parts: (a) full-disk encryption, (b) virtual-disk air-gapped computer provides separation from networked data
CLIENT PRIVACY AND CLOUD COMMUNICATION DATA 159

(Electronic Frontier Foundation, 2014). Such a computer is isolated from Internet access: Ethernet cables and Wi-Fi antennas are disabled and potentially removed. In fact, the NSA (2010) has recommended that Apple/Mac users disable Bluetooth and AirPort devices by having "an Apple-certified technician remove [them]." This would likely necessitate the purchase of a separate computer, which stays permanently disconnected from the Internet and only provides access to files. Client notes and communication details would need to be moved manually via USB-based external drives to share files with another computer, thus lessening the risk of data leaks. The transfer drive is the one remaining channel into and out of the machine, so it should be dedicated to that purpose, encrypted, and never plugged into untrusted computers. The use of air-gapped computers should only be considered with the most sensitive client populations, as data loss (e.g., through a failed hard drive) is more likely.

6. Modify Informed Consent

Informed consent should incorporate a method for securing, protecting, and handling data (APA, 2010). As Devereaux and Gottlieb (2012) suggested, it is important that an informed consent document properly explain, justify, and present accurate risks to data storage and communication. Should an expectation for phone, text, and/or e-mail communication be established, it is important to inform clients of the increased risk and of methods for reducing leaks. In the interest of client privacy and autonomy, it may be appropriate to suggest pen and paper if worries about privacy are present.

Conclusions

The 21st century has brought with it significant increases in technology and advances in accessibility. More than ever, practitioners are considering digital means for client records and communication. As mentioned, this field shows interest in TMHT (Colbow, 2013; Zur, 2012), which compels clients and practitioners to secure devices, read privacy policies, and maintain confidentiality.

This movement to embrace technological advances has been met with severe, emerging threats. Individual hackers have more power than ever to buy and sell private information, corporate entities are scanning data by default for advertising and marketing purposes, and governmental actors are collecting massive amounts of data (even when protected) for further analysis. With each step, important ethical obligations have been threatened.

There are consequences to every data-storage and communication decision. Paper, physical records at a local site could be broken into and/or damaged during a disaster. Cloud communications and storage do not carry this threat, but outside entities beyond local concerns could potentially access such files. After considering some of the NSA revelations to date, it is vital to approach all cloud-based client work with caution. By following best practices, practitioners can significantly reduce the chance of breaches. At a time when programs such as MUSCULAR threaten data stored in "secured" locations, psychologists should consider the appropriateness of current informed consent practices within the United States. Moreover, practitioners should question whether electronic-transmission surveillance laws are compatible with this field's support for privacy.

Baker and Bufka (2011) acknowledged that health care providers are increasingly entering a digital world in which legal and ethical concerns are vague, suggesting that there is "a lack of uniformity and clear guidance" (p. 405). Ultimately, although individual practitioners should and do bear the ultimate responsibility for confidentiality and privacy, a unified message from APA might help prevent data storage and communication concerns resulting from poor and/or naïve risk management. Although the APA (2010) Ethics Code and "Record Keeping Guidelines" (APA, 2007) place the responsibility for client confidentiality, in any medium, with practitioners, it is important that an organization provide constant, up-to-date guidance for members. Future record-keeping guidance would likely benefit greatly from the inclusion of best practices. In addition, APA should consider appointing privacy officers, much as health care organizations have, who can disseminate security and privacy updates. Future work should explore the addition of this position, but such a consideration goes beyond the scope of this article. Lastly, many practitioners work in agency settings that use shared EMRs and might not be able to use the suggested best practices. Individuals in these environments should consider talking to appointed privacy officers about their current best practices.

Moore's (1965) law anticipated the exponential rise in computing power that made the personal computer possible. As a cofounder of Intel, Moore, in his work, catalyzed great advances. Psychologists should not fear these changes, but they should prepare for the unexpected. By synthesizing the various individual, corporate, and governmental actors that threaten client privacy, practitioners should have a newfound understanding and appreciation for security concerns.

References

American Psychological Association. (2007). Record keeping guidelines. American Psychologist, 62, 993–1004. http://dx.doi.org/10.1037/0003-066X.62.9.993
American Psychological Association. (2010). Ethical principles of psychologists and code of conduct. Washington, DC: Author. Retrieved from http://www.apa.org/ethics/code/principles.pdf
APA Practice Organization. (2014, Spring/Summer). ABCs and 123s of encryption. Good Practice, Spring/Summer, 10–18.
Apple Inc. (2014a). iCloud security and privacy overview. Retrieved from http://support.apple.com/kb/ht4865
Apple Inc. (2014b). iOS security. Retrieved from https://www.apple.com/privacy/docs/iOS_Security_Guide_Oct_2014.pdf
Arthur, C. (2014, September 1). Naked celebrity hack: Security experts focus on iCloud backup theory. The Guardian. Retrieved from http://www.theguardian.com/technology/2014/sep/01/naked-celebrity-hack-icloud-backup-jennifer-lawrence
Baker, D. C., & Bufka, L. F. (2011). Preparing for the telehealth world: Navigating legal, regulatory, reimbursement, and ethical issues in an electronic age. Professional Psychology: Research and Practice, 42, 405–411. http://dx.doi.org/10.1037/a0025037
Barrows, R. C., Jr., & Clayton, P. D. (1996). Privacy, confidentiality, and electronic medical records. Journal of the American Medical Informatics Association, 3, 139–148. http://dx.doi.org/10.1136/jamia.1996.96236282
Benefield, H., Ashkanazi, G., & Rozensky, R. H. (2006). Communication and records: HIPPA issues when working in health care settings. Professional Psychology: Research and Practice, 37, 273–277. http://dx.doi.org/10.1037/0735-7028.37.3.273
Brendel, R. W., & Bryan, E. (2004). HIPAA for psychiatrists. Harvard Review of Psychiatry, 12, 177–183. http://dx.doi.org/10.1080/10673220490472436
Colbow, A. J. (2013). Looking to the future: Integrating telemental health therapy into psychologist training. Training and Education in Professional Psychology, 7, 155–165. http://dx.doi.org/10.1037/a0033454
Counterintelligence access to telephone toll and transactional records, 18 U.S. Code § 2709 (2002).
160 LUSTGARTEN

Department of Health and Human Services. (1998, August 12). Security and electronic signature standards; proposed rule. Federal Register, 63, 43242–43280.
Department of Health and Human Services. (2003, February 20). Health insurance reform: Security standards; final rule. Federal Register, 68, 8334–8381.
Department of Health and Human Services. (2013). HIPAA administrative simplification. Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/administrative/combined/hipaa-simplification-201303.pdf
Devereaux, R. L., & Gottlieb, M. C. (2012). Record keeping in the cloud: Ethical considerations. Professional Psychology: Research and Practice, 43, 627–632. http://dx.doi.org/10.1037/a0028268
Donner, M. B., VandeCreek, L., Gonsiorek, J. C., & Fisher, C. B. (2008). Balancing confidentiality: Protecting privacy and protecting the public. Professional Psychology: Research and Practice, 39, 369–376. http://dx.doi.org/10.1037/0735-7028.39.3.369
Drogin, E. Y., Connell, M., Foote, W. E., & Sturm, C. A. (2010). The American Psychological Association's revised "Record Keeping Guidelines": Implications for the practitioner. Professional Psychology: Research and Practice, 41, 236–243. http://dx.doi.org/10.1037/a0019001
Electronic Frontier Foundation. (2014). Keeping your data safe. Retrieved from https://ssd.eff.org/en/module/keeping-your-data-safe
Everstine, L., Everstine, D. S., Heymann, G. M., True, R. H., Frey, D. H., Johnson, H. G., & Seiden, R. H. (1980). Privacy and confidentiality in psychotherapy. American Psychologist, 35, 828–840. http://dx.doi.org/10.1037/0003-066X.35.9.828
Facebook, Inc. (2014). Information we receive and how it is used. Retrieved from https://www.facebook.com/about/privacy/your-info
Fisher, M. A. (2008). Protecting confidentiality rights: The need for an ethical practice model. American Psychologist, 63, 1–13. http://dx.doi.org/10.1037/0003-066X.63.1.1
Freedom of Information Act of 1966, 5 U.S. Code § 552 (1966).
Gellman, B., & Soltani, A. (2013, October 30). NSA infiltrates links to Yahoo, Google data centers worldwide, Snowden says. The Washington Post. Retrieved from http://www.washingtonpost.com/world/national-security/nsa-infiltrates-links-to-yahoo-google-data-centers-worldwide-snowden-documents-say/2013/10/30/e51d661e-4166-11e3-8b74-d89d714ca4dd_story.html
Glosoff, H. L., Herlihy, S. B., Herlihy, B., & Spence, E. B. (1997). Privileged communication in the psychologist–client relationship. Professional Psychology: Research and Practice, 28, 573–581. http://dx.doi.org/10.1037/0735-7028.28.6.573
Google. (2014a). Archive messages. Retrieved from https://support.google.com/mail/answer/6576?hl=en
Google. (2014b). HIPAA compliance with Google Apps. Retrieved from https://support.google.com/a/answer/3407054?hl=en
Google. (2014c). Privacy policy. Retrieved from https://www.google.com/policies/privacy/
Google. (2014d). 2-step verification. Retrieved from https://www.google.com/landing/2step/
Greenwald, G. (2013, June 6). NSA collecting phone records of millions of Verizon customers daily. The Guardian. Retrieved from http://www.theguardian.com/world/2013/jun/06/nsa-phone-records-verizon-court-order
Greenwald, G. (2014). No place to hide: Edward Snowden, the NSA, and the U.S. surveillance state. New York: Metropolitan Books.
Harrison, J. P., & Palacio, C. (2006). The role of clinical information systems in health care quality improvement. The Health Care Manager, 25, 206–212. http://dx.doi.org/10.1097/00126450-200607000-00003
Health Information Technology for Economic and Clinical Health Act of 2009, Pub. L. No. 111-5, 123 Stat. 226. (2009). Retrieved from http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hitechact.pdf
Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191, 110 Stat. 1936. (1996). Retrieved from http://www.hhs.gov/ocr/hipaa
Institute of Medicine. (1999). To err is human: Building a safer health system. Retrieved from https://www.iom.edu/~/media/Files/Report%20Files/1999/To-Err-is-Human/To%20Err%20is%20Human%201999%20%20report%20brief.pdf
International Telecommunication Union. (2013). ICT facts and figures. Retrieved from http://www.itu.int/en/ITU-D/Statistics/Documents/facts/ICTFactsFigures2013-e.pdf
Jaffee v. Redmond, 518 U.S. 1 (1996).
Lee, M. (2013). Encryption works: How to protect your privacy in the age of NSA surveillance. Retrieved from https://freedom.press/sites/default/files/encryption_works.pdf
Louie, C. (2014, October 1). Have you enabled two-step verification? Retrieved from https://blog.dropbox.com/2014/10/have-you-enabled-two-step-verification/
MacAskill, E. (2013, June 10). Edward Snowden, NSA files source: 'If they want to get you, in time they will.' The Guardian. Retrieved from http://www.theguardian.com/world/2013/jun/09/nsa-whistleblower-edward-snowden-why
Moore, G. E. (1965). Cramming more components onto integrated circuits. Electronics, 38, 114–117.
National Security Agency. (2010). Hardening tips for Mac OS X 10.6 "Snow Leopard." Retrieved from https://www.nsa.gov/ia/_files/factsheets/macosx_10_6_hardeningtips.pdf
Norcross, J. C., Pfund, R. A., & Prochaska, J. O. (2013). Psychotherapy in 2022: A Delphi poll on its future. Professional Psychology: Research and Practice, 44, 363–370. http://dx.doi.org/10.1037/a0034633
Richards, M. M. (2009). Electronic medical records: Confidentiality issues in the time of HIPAA. Professional Psychology: Research and Practice, 40, 550–556. http://dx.doi.org/10.1037/a0016853
Rubanowitz, D. E. (1987). Public attitudes toward psychotherapy–client confidentiality. Professional Psychology: Research and Practice, 18, 613–618. http://dx.doi.org/10.1037/0735-7028.18.6.613
Shapiro, D. E., & Schulman, C. E. (1996). Ethical and legal issues in e-mail therapy. Ethics & Behavior, 6, 107–124. http://dx.doi.org/10.1207/s15327019eb0602_3
Stored Communications Act of 1986, 18 U.S. Code § 2703 (1986).
Thompson, C. (2014, October 3). Selling stolen card info online? That's the least of it. Retrieved from http://www.cnbc.com/id/102053257
Twitter Inc. (2013). Getting started with login verification. Retrieved from https://blog.twitter.com/2013/getting-started-with-login-verification
University of Iowa. (2013, September). Acceptable use of information technology resources. Retrieved from http://www.uiowa.edu/~our/opmanual/ii/19.htm
VandeCreek, L., Miars, R. D., & Herzog, C. E. (1987). Client anticipations and preferences for confidentiality of records. Journal of Counseling Psychology, 34, 62–67. http://dx.doi.org/10.1037/0022-0167.34.1.62
Yahoo Inc. (2014). Yahoo privacy center: What this privacy policy covers. Retrieved from https://info.yahoo.com/privacy/us/yahoo
Zur, O. (2012). Telepsychology or telementalhealth in the digital age: The future is here. The California Psychologist, 45(1), 13–15.

Received November 23, 2014
Revision received February 15, 2015
Accepted February 15, 2015
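Added example for Best Practices 2 and 3 (encrypt everything; encrypt before uploading to a cloud provider). This is not code from the article or from any provider; it shows the step the text asks for, encrypting a client record on the practitioner's own machine under a passphrase-derived key, so that the uploaded blob is useless to the provider, to anyone who compels the provider, and to anyone who alters it in transit. The passphrase, record name, and session note are constructed for illustration, and PBKDF2 is written out by hand only to keep the example within Go's standard library.

```go
// Added example: client-side encryption before upload. Constructed inputs;
// PBKDF2 implemented by hand to stay within the Go standard library.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32      // AES-256
	iterations = 100_000 // every passphrase guess costs 100k HMACs
)

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018): each output block is
// the XOR of an iterated HMAC chain seeded with salt || block index.
func pbkdf2SHA256(pass, salt []byte, iter, length int) []byte {
	out := make([]byte, 0, length)
	var idx [4]byte
	for i := 1; len(out) < length; i++ {
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write(idx[:])
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:length]
}

// newAEAD derives the AES-256 key from the passphrase and salt; the provider
// never sees the passphrase, so it never holds the key.
func newAEAD(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealRecord produces the blob to upload: salt || nonce || ciphertext+tag.
// The record name is bound as associated data so a blob cannot be swapped
// between client files without the tag check failing.
func sealRecord(passphrase, recordName string, plaintext []byte) ([]byte, error) {
	salt := make([]byte, saltLen)
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	blob := make([]byte, 0, saltLen+nonceLen+len(plaintext)+aead.Overhead())
	blob = append(blob, salt...)
	blob = append(blob, nonce...)
	return aead.Seal(blob, nonce, plaintext, []byte(recordName)), nil
}

// openRecord reverses sealRecord. A wrong passphrase, a wrong record name,
// or any modified byte fails the GCM tag check and yields no plaintext.
func openRecord(passphrase, recordName string, blob []byte) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short")
	}
	salt, nonce, ct := blob[:saltLen], blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:]
	aead, err := newAEAD(passphrase, salt)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, nonce, ct, []byte(recordName))
	if err != nil {
		return nil, errors.New("decryption failed: wrong passphrase, wrong record name, or tampered blob")
	}
	return pt, nil
}

func main() {
	// Constructed sample record for a hypothetical client file.
	note := []byte("2015-02-15 session note: client reports improved sleep.")
	pass := "a long passphrase that never leaves the practitioner's machine"
	blob, err := sealRecord(pass, "client-0042/2015-02-15", note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes; the provider sees no plaintext and holds no key\n", len(blob))
	back, err := openRecord(pass, "client-0042/2015-02-15", blob)
	fmt.Println("owner decrypts:", err == nil && bytes.Equal(back, note))
	_, err = openRecord("wrong passphrase", "client-0042/2015-02-15", blob)
	fmt.Println("wrong passphrase rejected:", err != nil)
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01 // one bit flipped in transit
	_, err = openRecord(pass, "client-0042/2015-02-15", tampered)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The salt and nonce are stored in the clear at the front of the blob; neither is secret, and a fresh random pair per record is what keeps the same passphrase from producing reusable keys or nonces. The passphrase itself is the remaining weak point, which is why it should be long and why the iteration count is high.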
