Licensed Professional Counselor Roy Huggins was the first person that ever talked to me about that gray-green feeling I get whenever someone talks to me about HIPAA and IT stuff and, frankly anything that remotely addresses digital security for mental health professionals.
I’m embarrassed to admit it but . . . [sighhhhh] it’s still true.
He’s also the only person that has ever talked to me about those things in a way that really speaks to my (client-centered) values . . . in my (warm and fuzzy) language and . . . that doesn’t scare me half to death.
And, that’s why I continue to listen to this guy.
When he started talking to me last year about “tech countertransference,” I totally got what he was talking about.
And, if you don’t already . . . , I’m betting by the end of this blog post you will!
I’ve invited Roy to join you today to talk about how your personal history impacts your ability to keep your clients and your relationship with your clients safe.
___________________
A Guest Post by Roy Huggins, LPC, NCC
“How Does That Make You Feel?”
Consider the following statement for a moment and then . . . I’d like to ask you a very familiar question . . . .
The Federal Office of Civil Rights, which is the agency within Health and Human Services that oversees HIPAA, recommends that all health care providers employ encryption to safeguard the confidentiality of protected health information.
So . . . how does that make you feel?
Not everyone gets the same feeling from that purposefully obtuse and subtly frightening statement.
Most clinicians, however, get nervous reading it.
And just because I can’t leave well enough alone . . . .
Email is not a secure means of communication, and you cannot protect the confidentiality of emails.
Once again . . . how does that make you feel?
Unless you’re one of the ~ 5% of clinicians we [at Person-Centered Tech] have surveyed who find statements like the ones above to be comforting or motivating (yes, really!), you probably experienced one or more of the following gut-level mobilizations when reading those statements:
Neutral. You did not feel mobilized in any direction at all.
Avoidant.
Frozen.
Ready to fight . . . something.
At Person-Centered Tech trainings, we’ve done the “how does that make you feel” exercise with hundreds of clinicians.
And, we’ve learned some very useful things about how clinicians respond to statements like the ones above and what our responses mean to our ability to leverage tech for our clients’ wellness and our practices’ wealth.
Leveraging Our Responses
It is clear to us that most clinicians don’t respond in adaptive ways to implications of punishment.
But we do respond adaptively when we face the risk of ruptured relationships with important people in our lives, e.g. our clients.
As proof, I offer a different example. Please be aware that this may make you feel even worse than the first ones!
If you are unable to keep your files, emails, and other records safe from third parties who may want to see them – e.g. a client’s abuser or a child client’s estranged and aggressive non-custodial parent – then harm may befall that client.
Furthermore, both ethics and the law would call on you to tell the affected client that the information you keep about them has been stolen.
Now how did that make you feel?
I’m sure it didn’t make you feel good (sorry about that!)
Which of these mobilizations did it get you experiencing?
Neutral. You did not feel mobilized in any direction at all.
Avoidant.
Frozen.
Ready to fight . . . something.
Motivated to improve security, especially in digital technology.
We can’t predict how every reader will be mobilized by any of these evocative statements.
However, based on our survey experience, we can predict that the vast majority of mental health professionals will be adaptively motivated to improve your security by sharing this last example.
Why Is This Mobilization Important?
Therapists are not trained to engage with digital technology.
But, we are quite well trained to engage with the security of tangible things like paper records, locks, doors, and noise machines.
Those are no problem.
Encryption and email security are an entirely different beast.
Obtuse statements about their security carry with them the implications that, whether we intend to use them or not, we may commit some heinous act of unprofessional conduct without having any clue what the heck happened!
In those cases, most of us experience resistance to the idea of examining email or examining encryption in ways that empower us to use them properly.
We know this story well.
The traumatized client does not simply decide to turn and happily face their triggers just because tell them to.
In the same way, the clinician does not hear triggering statements about “encryption” and then go right out and enroll in a course on cryptography.
(Well, most of us don’t, at least…)
While the motivation to protect client relationships may not be quite enough to get us registering with the computer science department at the local community college, it certainly can provide a more life-affirming and human reason to tackle a difficult task.
And that can make all the difference.
Why Should I Care About Tech At All?
Is it because you’re required by law to use electronic records?
No, the vast majority of people reading this are not required by law to use electronic records.
However, some mental health professionals in Minnesota (and possibly other jurisdictions) are compelled by law to use them.
Others may be compelled because they work in an integrated environment with physicians, who actually are pushed by Medicare and other legal-political forces to use electronic records.
For most of the readers of Private Practice from the Inside Out, electronic records are purely a tool that can help you meet and exceed both your needs and your clients’ needs.
The same goes for email.
And, also for texting, online video, health care apps, and the list goes on.
All of these tech tools can potentially be leveraged to streamline your practice and help you make more money or to help you see more clients with the time you save.
They can help you meet clients where they’re at in ways that we couldn’t have dreamed of before the Internet.
And while you think of those inspiring ideas about tech in your practice, consider what happens to our vision of a futuristic utopia when I say something like . . . .
You are required by law to employ technical, physical, and administrative safeguards to protect the confidentiality, integrity, and availability of electronic protected health information.
What a party pooper!
Why Do These Ideas Make Us Feel So SICK ?!
I’m glad you asked!
Cognitive Psychology describes a number of inherent cognitive biases / heuristics that we engage in as human beings.
Because these are hard-wired, we can only overcome them by overriding them with more conscious thought and consideration.
I like to phrase it in terms of the “Wise Mind” from Dialectical Behavior Therapy.
When our logical / verbal mind is in integrity and in sync with our emotional mind, we are in Wise Mind.
Wise Mind can make use of emotions and cognitive biases as important sources of information that improve our wise actions, rather than allowing us to be tossed about by moods.
The security researcher, Bruce Schneier, wrote a lengthy essay called The Psychology of Security.
In it, he describes a number of cognitive biases that maladaptively impact the ways we assess risks in our lives.
I will describe a couple of them here:
- Affect Bias: A tendency to downplay risks when we feel good and vice versa.In other words, discussions about technology that make you feel incompetent, threatened, or otherwise bad will likely result in you suffering an incorrectly enhanced sense of “riskiness” in regards to that technology.
- Control Bias: There are two things here.The first thing is that as humans we can fool our selves into thinking that there is ever a time in our lives when we can control what is going on.That is a cognitive bias that can really help us in certain survival situations, but it’s ultimately a self-delusion.The second aspect of control bias is that we downplay risks when we feel we’re in control and vice versa.Because therapists are not trained on digital tech and are not familiar with most of its nuances, discussions of its impact on our practices can make us feel out of control.That feels bad enough by itself.And, it’s made worse by the fact that control bias means that feeling out of control also activates a vague sense that we are facing some kind of elevated risk.
Dealing with affect and control bias is not a matter of suppressing or stopping them.
Unless you’re ready to become the next resident of Nirvana, that’s not really something we’re capable of as humans.
Instead, we need to work with them the same way we work with countertransference – we practice awareness of these feelings and the action mobilizations they bring to us.
We engage Wise Mind to help us know what is the right course of action when these feelings arise.
When you hear vague statements about email being “unsecured” and someone says “you need to dump some encryption all over your stuff” and none of it makes any sense, take a step back.
Check in with yourself to see how you feel about what’s going on and how you’re responding to it emotionally.
Well, I’m Pretty Sure These Tech Things Actually Are Risky . . . Whether I Feel Good Or Not, Aren’t They Dangerous?
The world is full of risk and no risk can be eliminated.
Once again, if we feel like we have no control over the risk in front of us, we are bound by neurological wiring to elevate our assessment of that risk.
This idea is better illustrated than explained so let’s examine some comparisons of things that we know to be risky.
Check both your emotional and your logical / verbal responses to these examples of risk.
There are all kinds of risk in using tech in our practices, just like there are risks all around us in life.
I played football in high school (as a defensive lineman, in fact.)
It did leave my body with injuries and I also credit it with a huge portion of what has made me a disciplined and effective adult.
Taking risks is a necessary part of growing up and of living.
Not every risk is right for everyone, just like not every tech is right for every client or for every clinician or practice.
However, if we respond to technology risks with the same discernment and wisdom with which we respond to other ethical risks, we can empower ourselves to reduce potential harms and nurture potential benefits.
But The Law Is The Law – Why Does It Matter What I Think Or Feel?
If the laws in your state or under your licensing board outright ban something, then you’re somewhat right.
You do need to obey the law (but that doesn’t mean you can’t fight to change it.)
However, I can tell you that most of the HIPAA Security Rule is simply about applying good risk management principles.
In other words, it’s about responding to technology risks with the same discernment and wisdom with which we respond to other ethical risks, thus empowering ourselves to reduce potential harms and nurture potential benefits.
Does that sound familiar?
For most of us, the important missing piece is specific knowledge of technology and of the risk management process that HIPAA requires.
The majority of us are missing that knowledge . . . so we’re in good company.
This is why Person-Centered Tech offers our fundamental CE courses on HIPAA Security and risk management for free.
Education on these points is important to us.
If you are a therapist who is committed to minimizing your clients’ risks and to empowering yourself and you want to understand it better, click here to register for these free CE courses.
We also encourage you to take the process of technology adoption at your own pace.
Just like when we work with clients who are learning to manage trauma or anxiety, we also need our own time to come to terms with technology-related issues that generate our own anxiety.
Trust me when I say that in most cases, HIPAA will wait for you.
_____________________
About this Author
Roy Huggins, LPC NCC is Director of 
Person-Centered Tech, a consulting and continuing education firm that serves the mental health community. Click here to register for Digital Confidentiality According to Professional Ethics & HIPAA, 2016 Edition. “Tamara says it’s the best investment she’s made yet in HIPAA training!”
Thanks for this. I’m one of the clinicians that likes to discuss HIPAA.
Roy, I believe it was you who taught me that I can allow my clients to use their non-compliant e-mail to contact me (mine is hushmail, so it is compliant) as long as they consent in writing to understanding that what they are using is not compliant. That has been really helpful to me. Thank you.