Consider for a moment the consequences of mistakenly e-mailing a patient's 500-page medical record to 1,000 people who aren't authorized to see it. With the click of a mouse, someone's private medical history could become a kind of digital chain letter. The potential threat to privacy is astounding.

This is not to imply that psychology has only now, as a result of Internet technology, "discovered" assaults on the privacy and security of health information, said APA's Executive Director for Practice Russ Newman, PhD, JD. Rather, "it is the potential magnitude of the problem that is to be underscored."

Speaking at a Town Hall meeting for practitioners at APA's 2001 Annual Convention, Newman said that technology's benefits to health care are many and varied--creating, for example, an integrated record-keeping system that enables a patient receiving treatment in Washington, D.C., to be cared for in an uninterrupted, appropriate way on a visit to San Francisco.

But, he said, these technological developments are a considerable threat to patient privacy. "Will technology thwart successful psychological interventions because patients fear for their privacy?" asked Newman. Or, will the Internet bring together patients and providers, efficiently handle all administrative transactions and, thus, eventually cut out "middleman" managed-care companies?

Proponents of using information technologies to remedy the ills of the current health-care system believe that shared standards for data communication will speed up the administrative processes related to health care.

Enter the Health Insurance Portability and Accountability Act. Passed in 1996, the privacy rule implementation is mandated for 2003. For psychologists and other health-care providers, HIPAA calls for them to comply with a new set of standards for managing patient information and safeguarding privacy. First and foremost, the rule will require that providers obtain patients' written consent before they disclose any health information for the routine uses of treatment, payment or health-care operations.

The rule prohibits health-care providers from disclosing health information for purposes unrelated to health care without explicit patient authorization, such as for employment or non-health insurance purposes. According to Newman, this provision protects psychotherapy notes to a certain extent: "General consent alone is insufficient to enable disclosure of the notes related to the content of psychotherapy sessions." Specific authorization by the patient is required for the release of these notes. And, managed-care companies can't base treatment, eligibility for benefits or payment of claims on the patient's authorization to disclose psychotherapy notes. Yet the definition of psychotherapy notes excludes information pertaining to medications, modalities and frequencies of treatment, results of clinical tests, summary of diagnoses, functional status, treatment plan, prognosis and progress.

APA worked to expand the definition because, said Newman, "at least some of this information, such as test data results, is as sensitive in the mental health treatment process as is the information currently included in the definition of psychotherapy notes."

In a nutshell, the rule will also require psychologists to:

  • Designate a person responsible for the development and implementation of privacy policies and procedures and a contact person for receiving complaints (solo practitioners would serve in this role themselves).

  • Have in place administrative, technical and physical safeguards to protect the privacy of identifiable patient information.

  • Provide a process for patients to make complaints about the policies and procedures and a procedure for documenting those complaints.

  • Mitigate, where possible, any damage done by a violation of policies.

  • Limit health information disclosures to the minimum necessary to achieve the purposes of the use or disclosure (except for disclosures to a treatment provider for treatment purposes).

  • Give patients adequate notice of the uses and disclosures of their protected health information.

  • Give patients the right to request restrictions on the use and disclosure of their protected health information.

  • Give patients the right to access, inspect, amend and copy protected health information (with the exception of psychotherapy notes).

So, in effect, there are certain components of psychological practice HIPAA won't protect. "While the new rule is good for psychologists and patients, it's not ideal," Newman said. But it is a step forward in helping to stop the erosion of patient privacy, he said.

"It's important to understand that the learning curve leading to HIPAA compliance will be a process extending over the next two years and beyond," said Newman.

Psychology's challenge is to maximize the opportunities information technology provides, while also mitigating its threats. "We must be creative and flexible while maintaining our integrity in the face of continuing change and transition in both health care and technology," he said.

Further, he added, "As psychologists, whose very work depends on privacy, we have a special responsibility to not only work together but to take a leadership role in safeguarding privacy and confidentiality in the digital age."