CLINICIANS COURT/CYBER SECURITY | nationalpsychologist

Articles: Clinicians and the court &
Make Cyber Security a Priority {Below}

Clinicians and the court

Leisl Bryant, Ph.D., ABPP

and Julie Jacobs, Psy.D., J.D.

Many clinicians dread being pulled into their patients’ legal or administrative matters and often make considerable efforts to avoid them. Nonetheless, it is not uncommon for treating psychologists to find themselves unexpectedly involved in such matters.

Two very common scenarios like this include receiving a subpoena and requests from patients to write third-party advocacy letters. The following is a broad overview of risk management considerations and strategies for these situations.

Subpoenas

A psychologist may receive a subpoena in various situations (e.g., when a patient is involved in a personal injury or wrongful termination lawsuit or a custody/visitation dispute). Psychologists who receive a subpoena must respond to, but will not always comply with, the request.

It’s important to note that how one responds to a subpoena depends on multiple factors and requires an understanding of relevant federal and/or state law. Consultation on the specifics of the subpoena and situation is always recommended.

Here are some general steps to consider, but these should not be taken to be appropriate in all situations or to take the place of necessary consultation.

* Consider the subpoena's validity (things like proper service, jurisdiction and adequate response time are all relevant.)

* Identify exactly what is being requested (e.g., full records, records from a specific time period or testimony.).

* Reach out directly to the patient. Discuss the request and inform them about the content of the record so they can make a fully informed decision about disclosure. Explicitly discuss any possible risks of authorizing the disclosure (e.g., the clinician will not be able to control how information is used or interpreted following release, the information may possibly harm the patient’s legal case, or the release may negatively impact any ongoing therapy relationship.)

* Document all discussions carefully.

* If the patient chooses to allow the disclosure, obtain written authorization from the patient (including what will be released, to whom and for what purpose) and send only the information authorized for release.

* The clinician must assert privilege if the patient does not authorize release.

* In situations of complexity (e.g., subpoena for a minor’s record, when it’s unclear who can authorize disclosure, the patient can’t be located, or if limitations to the subpoena are being sought), consultation with an attorney or liability insurance carrier may be necessary.

Requests for advocacy letters

Requests for these letters arise in many different contexts (e.g., a parent seeking a

statement about parental fitness, visitation or child custody, requests for Emotional

Support Animal letters, and statements about disability, accommodations or

educational safety) and raise multiple potentially problematic issues that clinicians

should carefully consider before proceeding.

Writing such a letter may place the clinician in a forensic (as defined by the APA Specialty Guidelines for Forensic Psychologists) or quasi-forensic role, which raises concerns about inherent conflicts of interest and/or potentially impairing multiple relationships that occur when a clinician acts as both an evaluator and treating clinician for the same patient.

Other potentially problematic issues include: boundaries of competence; lack of important collateral data; reliance primarily or solely on patient self-report; potential for unevaluated exaggeration or malingering and in some cases a lack of guidelines and standards. As a result, it is important to consider these role shifts with an abundance of caution, and in many instances, it is prudent to refrain from writing such a letter for one’s patient.

The following inquiries can help guide decision-making:

* Am I competent to offer relevant information on this topic?

* Are there relevant ethics guidelines, regulations or laws of which I should be aware?

* Have mental health providers been sanctioned for writing letters of the sort being requested?

* Would writing a requested letter put me in an impairing multiple role or a forensic/quasi-forensic role with concomitant conflicts of interest?

* What are the potential consequences of both providing or not providing the information?

* Does writing the letter further involve me in the patient’s external matter? If so, how should I deal with it?

If after careful consideration, a clinician decides to provide a letter, the following risk management strategies can be helpful:

* Consultation with experienced individuals is always a valuable step.

* Stay within the scope of one’s role as a treating clinician by providing the facts of treatment only, declining to provide an opinion or conclusion about the ultimate legal/administrative matter.

* Clearly outline any limitations of the data upon which the letter is based (e.g., patient self-report only or psychologist’s observations in sessions.)

In addition, it’s essential to talk openly with the patient about the limits of the clinician’s role as a treating provider and any potential risks of involving the clinician in the matter. It is possible that a patient may disagree with the letter or its conclusions or may feel betrayed by the disclosures. If the patient does not get the desired outcome because of the letter, this could cause a rupture in the therapeutic relationship. This possibility should be explicitly discussed with the patient ahead of time.

Finally, remember that declining such requests in most situations is OK.

The above is a general overview of risk management considerations in court or administrative situations. Clinicians are strongly encouraged to seek specific consultation if such situations arise in their practices.

Leisl M. Bryant, Ph.D., ABPP, is a New England-based psychologist who is in private practice in clinical, forensic and consulting psychology. She is also a risk management consultant for The Trust.

Her email address is: leisl.bryant@comcast.net.

Julie Jacobs, Psy.D., J.D., is an attorney and psychologist in Colorado who provides risk management consultations to psychologists insured by The Trust and assists mental health providers in Colorado with setting up and maintaining their practices through her firm, Julie A. Jacobs, PC. Her email is julie.jacobs@colorado.edu.

Make cyber security a priority

By Trish Sheehan

With all the news of cyber-attacks, ransomware, and data breaches involving the healthcare industry, it is still shocking to read the number of records that have been exposed. According to HIPAAJournal.com, between 2009 and 2022, more than 5,000 data breaches involving 500 or more records were reported to the HHS Office for Civil Rights.

Add up the number of records exposed (382,262,109), which is more than 1.2 times the population of the United States. But, the most important number to know is the number one; it only takes one point of vulnerability for a hacker to gain access.

The healthcare industry is a prime target for attacks because Protected Health Information (PHI) is very valuable to cyber criminals as it has a long shelf life on the black market. Unlike financial data that can be locked or shut down quickly, PHI contains social security numbers and other personal identifiers that make it an attractive purchase for identity thieves.

A PHI may include: Social Security numbers, health insurance numbers, medical records, phone numbers and biometric identifiers, such as fingerprints or retinal and facial patterns.

While attacking large healthcare operations is quite lucrative for cyber thieves, smaller organizations are also prime targets because smaller enterprises, such as a psychology practice, often lack the formal infrastructure to ward off an attack.

According to Forbes.com, 64 percent of Americans would place the blame on the business that was attacked, not the cyber attacker. In a profession such as psychology, trust is obviously the cornerstone of the relationship. Eroding that trust would have devastating effects.

A business that stores sensitive client data or communicates with clients virtually, should take extra precautions to secure systems, and this means all your tools and potential vulnerable points of entry. Are you confident that all your software, hardware, and firmware are up to date?

Are you asking yourself, “What’s firmware?” If so, then it’s time for you to get serious about cyber security. Prevention is key and education is key to prevention. The types of attacks possible include disabling your system, stealing data and even using a compromised computer system to launch additional attacks. This last one can be especially harmful if your practice is connected to a bigger organization, such as a health insurance provider. Your system may be used as an entry point to attack the entire chain.

The most vulnerable point of any computer system is the human element. Phishing attacks are the most prevalent form of attack and come in many forms. In the simplest of terms, phishing usually occurs when a target is contacted via email, phone, or text by someone posing as a trusted individual or entity.

To prevent phishing attacks, train employees and get in the habit of questioning every link.

Before clicking a link in an email, or via text, do some research. If you believe someone is

impersonating a trusted vendor, reach out to the vendor and ask if they sent a message.

The extra step is worth the time.

If you don’t already have it, invest in trusted anti-malware and anti-virus protection software,

and once installed, keep it up to date. Complacency becomes a problem quickly when we are

talking about computer safety. Conducting due diligence on vendors before their products and services are implemented is crucial. Monitoring existing vendors for HIPAA Security Rule compliance is also necessary.

Other security measures you should put in place to keep yourself and your practice safe: Secure your devices; laptops, desktop PCs, smartphones, tablets, home networks or major enterprise systems. Install a Multi-Factor Authentication system (MFA) on any device and program where it is available. MFAs add another layer of protection and may include but are not limited to voice recognition, SMS confirmation codes or fingerprint verification. Don’t leave laptops, tablets or other devices in places accessible to the public, including a personal vehicle.

Be proactive. Take these steps now:

1. Install firewall and anti-malware programs. (If you already have them, are they up to date?)

2. Check the health of your security systems regularly.

3. Sign up for cyber awareness training; the best practice is to find one that simulates attacks, testing your team and your systems.

4. Don’t ignore security patches to update software and firmware. Firmware is data stored on a device’s ROM (read-only memory) that provides that particular device with instructions on how to operate.

5. Implement a password system, ensuring that every device, every system and every user has unique passwords.

6. Use Behavioral Health Software that is trusted. Does your supplier demonstrate the ability and commitment to update the application regularly, especially in response to any new and emerging security threats?

7. Encryption of PHI is the best way to help mitigate a breach. Encrypting information will render it unusable, indecipherable or unreadable in the event of a ransomware attack.

8. Make sure your liability insurance includes Cyber Suite coverage.

When in doubt, ask an expert.

For more resources visit www.StopRansomware.gov For HIPAA Compliance information, visit Healthcare Data Breach Statistics (hipaajournal.com)

References available from authors

Trish Sheehan is assistant vice president for digital marketing at American Professional Agency, a liability insurance provider for mental health professionals.

She may be reached by email at: TSheehan@AmericanProfessional.com