Whether professional association ethical codes or state laws explicitly address how to use behavioral apps in the clinical setting, clinicians and their employers are squarely held responsible for problems that result in the violation of a client/patient’s privacy. Clinicians need to be trained to think through their ethical and legal duties related to confidentiality, that is, their duty to protect the patient’s privacy when using any app.
Security is crucial not only in terms of clinical processes but also technical security of the device or app.
Security requirements related to apps include the need to safeguard the privacy of the client’s protected health information (PHI), as per state and federal laws, such as HIPAA and HITECH. Professionals and employers are encouraged to engage in these activities:
- Review whether or not an app has been tested for privacy by searching for that information in the product descriptions.
- Contact the app developer to clarify unanswered questions related to data collection, storage, sharing features and HIPAA compliance.
- Read comments in reviews to search for security complaints.
- Advise patients to be thoughtful about agreeing with requests from app developers to be contacted to “report bugs” or access private information such as location, photos or contacts. Such “features” will need to be carefully weighed against security threats if the app developer does not keep its agreements (which happens more frequently than imagined).
- Show patients where to toggle off such permissions within the app when privacy is desired.
- Only recommend apps that have privacy protections (passwords or other biometric identifiers).
- Suggest that the patient carefully consider potential privacy breaches when loaning the smart device to children or others.
- Install the app with the client in session and demonstrate how to use it safely and effectively for the intended goal(s).
- Be aware that recommending apps can have clinical repercussions. Making poor app suggestions can have a deleterious effect on the therapeutic relationship if mishandled. Not all patients will bring up their experience with an app, particularly if it is frustrating or embarrassing. Clinicians would do well to check with patients about their experiences with suggested apps on a regular basis.
Some apps connecting a patient to the clinician in real time (synchronous) or delayed (asynchronous) technology is considered telehealth by some state licensing boards. For example, if the client lives in Georgia and travels to visit her mother in Florida, any app used to transfer information to or from the therapist can involve the illegal practice of telehealth over state lines if the clinician is not licensed in Florida at the time of data transfer. Therefore, clinicians would be wise to check with their licensing boards before suggesting asynchronous communication through apps with patients who travel out of state.
Further, if an app involves telehealth, the clinician is also advised to be apprised and compliant with all HIPAA, HITECH and related laws, and to make mention of such compliance in the informed consent document when working with U.S. citizens. When working with clients/patients located in different countries, be aware of and adhere to laws in the location of the client.