Welcome to the Nexus of Ethics, Psychology, Morality, Philosophy and Health Care

Welcome to the nexus of ethics, psychology, morality, technology, health care, and philosophy

Thursday, August 18, 2011

Confidentiality and Suicide


Rachael L. Baturin, MPH, JD
Professional Affairs Associate

Samuel Knapp, EdD
Director of Professional Affairs

So, you are reading the newspaper or watching the news, and you find out that one of your patients has committed suicide. The next morning you go to your office and there is a message from the patient’s family or the executor of the estate, asking to speak with you. What do you do? Can you call the family or executor and tell them that you have seen the patient? Can you give them information about therapy and help shed light on why the patient may have done this? Can you provide a copy of the patient’s medical record?

According to a legal opinion of the State Board of Psychology, you may not break confidentiality after a patient dies. Confidentiality continues after the grave. Therefore, you can release information only if you have a signed release from the patient before death or a court order from the judge. In Pennsylvania, a subpoena from a coroner serves as a court order.

The psychologist-client privilege is derived from the Judicial Code and is limited in scope to the question of whether evidence is admissible in a civil or criminal proceeding. 42 Pa. C.S. § 5944 states, in pertinent part, that:
No… person who has been licensed… to practice psychology shall be, without the written consent of his client, examined in any civil or criminal matter as to any information acquired in the course of his professional services in behalf of such client. The confidential relations and communications between a psychologist… and his client shall be on the same basis as those provided or prescribed by law between an attorney and client.
A psychologist’s ethical responsibility to safeguard the confidentiality of information obtained during the course of a professional psychological relationship extends beyond the testimonial privilege found in 42 Pa. C.S. §5944. Ethical Principle 5 of the Code of Ethics (49 Pa. Code. §41.61) for psychologists in Pennsylvania states, in pertinent part:

Principle 5. Confidentiality
(a) Psychologists shall safeguard the confidentiality of information about an individual that has been obtained in the course of teaching, practice or investigation. Psychologists may not, without the written consent of their clients or the client’s representative, or the client’s guardian by order as a result of incompetency proceedings, be examined in a civil or criminal action as to information acquired in the course of their professional service on behalf of the client. Information may be revealed with the consent of the clients affected only after full disclosure to them and after their authorization.
The Commonwealth Court of Pennsylvania has held that this duty is absolute and can be waived only after there has been full disclosure and written authorization by the client. (See Rost v. State Board of Psychology, 659 A. 2d, 626).

Thus, because a psychologist must obtain the written authorization of a client prior to the release of confidential information to a third party, it follows that, without written consent, a psychologist may not release to the deceased client’s family any information obtained during the course of a professional psychological relationship.

The rationale for this can be found in an excerpt in The Psychologist’s Legal Handbook (Stromberg et al., 1988):

Although “privacy” as an individual right normally ends at death, the same is not true of confidentiality. This is because it would seriously undermine confidence in the therapeutic relationship while it was occurring if the patient knew that confidentiality would not be preserved following his death. (p. 402)
Therefore, if you received a call from the family or the executor of the estate after a patient commits suicide, you cannot break confidentiality unless you have a signed release from the patient before death or a court order from the judge. Therefore, you would not be able to identify their loved one as a patient and you could not release any medical records.

Reference

Stromberg, C. D., et al. (1988). The psychologist’s legal handbook. Washington, D.C: National Register of Health Service Providers in Psychology.

Wednesday, August 17, 2011

What to Do With a Drunken Patient?


Samuel Knapp, EdD, ABPP
Director of Professional Affairs

How should psychologists respond if they have a patient who has been drinking and who intends to drive home after a therapy appointment? After reasonable efforts to dissuade the patient from driving have failed, does the psychologist have an obligation to warn the police about the potential danger? Alternatively, does confidentiality prevent the psychologist from doing so?

This dilemma arises intermittently for practicing psychologists. Of course, psychologists have a legal duty to report impaired drivers to the Pennsylvania Department of Transportation (Baturin, Knapp, & Tepper, 2003). However, this requirement does not help resolve the immediate safety issue. Nuances in the interpretation of this mandated reporting law are covered in the article cited above on that topic on the PPA website.

In dealing with the immediate problem of a drunken patient who wants to drive home, much of the decision-making of the psychologist will account for situational factors. The extent of the patient's impairment from alcohol may be difficult to determine. This may be similar to evaluating pornography, in that it can be hard to define, but easy to recognize. In many cases, individual psychologists may observe the same patient and differ in their interpretation of their degree of impairment. I know of no rule of thumb or quick evaluation tool for psychologists to rely upon. However, in many other cases, everyone would agree that staggering, slurred speech, affect, and other behaviors would indicate that this person is too drunk to drive.

Psychologists should try to dissuade an impaired patient from driving, and consider options such as getting a taxi for the patient, calling a relative or friend to drive the patient, or other alternatives. Another option might be to inform them that you will call the police if they drive away from your office drunk. Furthermore, this behavior needs to be a part of the calculation in a decision to notify the Department of Motor Vehicles concerning their competency to drive.

The true dilemma arises when a patient you determine to be too drunk to drive insists upon driving anyway. What are the ethical or legal obligations that you have? Are you legally liable if the patient harms others?

In discussions with different psychologists on this exact question, I have learned that several psychologists have called the police on a drunken patient who insisted upon driving home from a therapy session, and no complaints were filed against them. Others have worked with patients who were too cognitively impaired with neuropsychological problems and have similarly notified the police.

There is not, to my knowledge, any court case in Pennsylvania that deals specifically with the legal liability of psychologists in these situations. However, the regulations of the State Board of Psychology permit such disclosures “when there is clear and imminent danger to an individual or to society, and then only to appropriate professional workers or public authorities” (49 Pa. Code §41.61, Principle 5 (b) (1)). I think this can be interpreted to justify notifying the police when a patient is too drunk to drive. In addition, when there is ambiguity in laws or regulations, psychologists should interpret them in light of overarching ethical principles that, in this case, would mean notifying the police if we thought a driver was dangerous to the public. Safety trumps privacy and we do need to live with ourselves. Of course, drug and alcohol facilities in Pennsylvania are governed by special federal and state regulations that have a stricter level of confidentiality.

Reference

Baturin, R., Knapp, S., & Tepper, A. (2003, November). Legal and practical issues related to the treatment of impaired drivers. Pennsylvania Psychologist, 5-6.

Tuesday, August 16, 2011

Can We Talk?

Colleague Assistance Committee

Civic Virtue: Behavior that promotes the good of the community
Pro-Social Behavior: Caring about and acting on behalf of others

Why are these things important for psychologists? Are they important? How can such behavior improve our profession and our professional lives?

The members of PPA’s Colleague Assistance Committee work to promote self-care among the mem­bership. Last fall we found ourselves talking about what our obligations might be, as psychologists, to one another and our profession — and how such pro-social behavior is really an extension of good self-care (and vice versa). As we care for one another, we also support and nur­ture ourselves and our profession. We found ourselves wondering…

  • Do we, as psychologists, have an obligation to support one another, to reach out to one another?
  • As psychologists, have we made a commitment to one another?
  • How can we support our fellow psychologists?
  • How can we promote a culture of professional collegiality and support?
  • How can we demonstrate care for one another in our places of employment?
  • Do we promote transparency, trust and open communication at work and when working with other members of PPA? Or do we engage in split­ting, triangulation, one-upmanship, and gossip?
  • When we need to correct a colleague, do we do so in a manner which is affirming of his or her value as a fellow human being? Do we take the oppor­tunity to teach, or do we belittle and punish?
  • Do we have an obligation to mentor younger psychologists and those new to the profession?*
  • Do we ask for help when we need to?

Are there things that we, as psychologists, don’t talk about with our colleagues? Are there things that you wish that you could talk about? Why don’t we talk about these things?

What do you think?

* Did someone act as a mentor to you? If not, what kind of mentor do you wish you’d had? Whom can you mentor? Please consider serving as a mentor for one of PPA’s early career psychologists. If you are interested, contact Dr. Michelle Herrigel, chair of the ECP committee.

Monday, August 15, 2011

Ten Best: Preventing Privacy and Data Breaches



The antics of groups like Anonymous and LulzSec over the past few months have made data breaches seem inevitable. If information security vendors like HBGary and RSA Security aren't safe, what hope does an average SMB have? It is true that there is no silver bullet, and no impervious network security, but there are a variety of things IT admins can do to prevent network breaches and protect data and privacy better.

The Web safety and online identity protection experts at SafetyWeb.com and myID.com helped put together a list of ten different data and privacy breach scenarios, along with suggestions and best practices to avoid them.

1. Data Breach Resulting From Poor Networking Choices. Names like Cisco and Sun are synonymous with enterprise-level networking technologies used in large IT departments around the world. Small or medium businesses, however, generally lack the budget necessary for equipment like that. If an SMB has a network infrastructures at all, it may be built around networking hardware designed for consumer use. Some may forego the use of routers at all, plugging directly into the Internet. Business owners can improve network security and block most threats by using a quality router, like a Netgear or Buffalo brand router and making sure to change the router password from the default.

2. Data Breach Resulting From Improper Shredding Practices. Dumpster diving identity thieves target businesses that throw out paperwork without shredding it. Most home shredders will suffice for small businesses in a pinch, but a commercial shredder is a wise investment if private information is printed and shredded daily. Make sure that documents with sensitive information or personally identifiable data are thoroughly shredded before disposal.

3. Tax Records Theft Around Tax Time. On a similar note, businesses need to pay extra attention to incoming and outgoing information related to taxes. Businesses must ensure that tax returns are dropped off at the post office and refunds are collected promptly from the mailbox. Identity thieves often steal tax returns from an outbox or mailbox.

4. Identity Theft Resulting From Public Databases. Individuals, especially business owners, often publish lots of information about themselves in public databases. It is a sort of catch-22 because a small business owner wants to maximize exposure while still protecting individual privacy. Businesses are registered with the county clerk, telephone numbers are in the phone book, many individuals have Facebook profiles with their address and date of birth. Many identity thieves can use information searchable publicly to construct a complete identity. SMBs need to think carefully about how and where to gain exposure for the business, and consider the consequences of sharing sensitive information publicly.

5. Identity Theft Resulting from Using a Personal Name Instead of Filing a DBA. Along those same line, sole proprietors that do not take the time to file a Doing Business As application are at a far higher risk of identity theft due to their personal name, rather than their business names, being published publicly.

The rest of the story is here.

Computer theft impacts 400K S. Carolina patients

by Angela Moscaritolo

In one of the largest health care data breaches this year, a computer containing hundreds of thousands of patient records was stolen from South Carolina's Spartanburg Regional Healthcare System.

How many victims? 400,000.

What type of personal information? Social Security numbers, names, addresses, dates of birth and medical billing codes.

What happened? A desktop computer containing the sensitive data was stolen from an employee's car on March 28. The employee was authorized to have the computer.

Details: The health care system posted a notification about the breach on its website in late May, though it did not reveal how many patients were affected. The U.S. Department of Health and Human Services last week revealed the number of impacted individuals.

There is no evidence that the information has been misused.

What was the response? Spartanburg reported the theft to authorities. An investigation was launched. The company also took unspecified steps to enhance its security procedures. Affected individuals have been notified and offered a free subscription for identity theft consultation and credit monitoring services.

Letter to patients can be found here.

HHS.gov site that documents breaches of unsecured protected health information affecting 500 or more individuals can be found here.

ISU Breach Exposes Medical Information




A breach in an Idaho State University server's firewall has exposed private medical information from patients of Pocatello Family Medicine to anyone on the Internet.

But, the clinic said, there is no evidence that any of that medical information has been stolen or even accessed. They say the firewall was taken down in August of 2010 for maintenance, but an employee noticed that it still was not back up in May.

Some hackers did access the server and used the space there to store some movies, but Medical Practice Director Amy O'Brien said, patients do not need to worry.

"I don't think there's a big cause for concern but we just wanted to be proactive and let them know and try to take care of them," she said.

O'Brien said a call center has been established for patients with questions and anyone affected is being offered free credit monitoring for the next year.


Wellpoint Reaches Settlement on Data Loss


WellPoint has reached a preliminary settlement in a class-action lawsuit filed in California Superior Court for the potential exposure of data belonging to more than 600,000 health insurance applicants on a company-run website.

Under the settlement, WellPoint agreed to offer credit monitoring services for two years to all affected individuals, according to a report by amednews.com.

The company agreed to reimburse affected individuals up to $50,000 for any identity theft losses; individuals have until May 31, 2016, to file an identity theft loss claim. The company also agreed to donate a total of $250,000 to two nonprofit organizations whose efforts are directed at protecting consumers' privacy on the Internet, according to the report.

The situation came to light when an applicant to WellPoint-owned Anthem Blue Cross of California sued the company in March 2010, according to a report by amednews.com. The applicant said he was able to manipulate the web address within the site and gain access to other applicants’ information, including names, addresses, dates of birth, social security numbers, and health and financial information.

When the class-action lawsuit was filed, the company said an upgrade to its system caused the information to be exposed. A third-party vendor had said that security measures were in place, when if fact they were not.

A hearing is scheduled for November at which time the court will decide whether to approve the settlement, the report noted.

Last month, WellPoint agreed to pay $100,000 in fines for delaying notification to 32,000 Indiana customers affected by a possible data breach in a settlement with the Indiana Attorney General.

BC/BS of Tennesse: $6 million to encrypt data


BlueCross BlueShield (BCBS) of Tennessee has invested $6 million to encrypt all data at rest within the organization in response to a 2009 data breach that affected one million members.

The company encrypted 885 terabytes of mass data storage; 1,000 Windows, AIX, SQL, VMWare, and Xen server hard drives; 6,000 workstation hard drives and removable media drives; 25,000 voice call recordings per day; and 136,000 volumes of backup tape.

BCBS of Tennessee said it undertook the effort in response to an October 2009 data breach, in which 57 unencrypted hard drives were stolen from a BCBS facility. The hard drives contained audio and video recordings related to customer service phone calls from providers and members, including personal information on around one million members.

BCBS notified all affected members and provided free credit monitoring services to members at a higher risk of identity theft. Next, the company launched an effort to encrypt more than 885 terabytes of data at rest.

The company began by completing an inventory of all the points where data resides within the company, from computer hard drives to servers and removable media devices, such as USB drives and CD/DVD burners. BCBS divided the encryption efforts into six areas of focus and completed the project, which took 5,000 hours of work, in just over a year.

“We searched the country and were unable to find another company that has achieved this level of data encryption,” said Michael Lawley, vice president of technology shared services for BCBS. “In addition to world-class information security technology, we have adopted even stricter policies and procedures that support our ongoing commitment to security. Our members can rest easier knowing we implemented this process to better protect their privacy.”

Sunday, August 14, 2011

Strong Beliefs About Vaccines Work Both Ways

By Kristina Fiore, Staff Writer, MedPage Today
Sometimes, Dr. Andrew Lieber has to tell his patients' parents that it just isn't working out.
When parents refuse to vaccinate their children in spite of his efforts to convince them of the benefits of immunity, he reluctantly cuts the cord.
"By four months, if I can't help you come to terms with the scientific fact that vaccines are helpful, then I've done about all I can do to educate you," Lieber, a pediatrician with Rose Pediatrics in Denver, told MedPage Today.
At that point, he'll tell them to find another doctor -- something he has to do "a couple times a year."
"I feel like I have a bigger responsibility to all the other kids walking through my waiting room," Lieber said.
Pediatricians appear to be increasingly taking this hard-line approach as parents make greater efforts to screen doctors for one whose vaccination philosophy matches their own.
According to a 2001 American Academy of Pediatrics survey, 23% of physicians reported that they "always" or "sometimes" tell parents they can no longer be the child's pediatrician if they won't get the proper shots.
The Academy doesn't have more recent survey data, but physicians say that they see plenty of their colleagues joining the ranks.
Lieber will sometimes work with parents to adjust the vaccination schedule -- "I'm willing to separate some vaccines by two weeks, whatever I can do to increase vaccination rates is good" -- but if an interviewer comes along wanting to cross all vaccines off the list, Lieber says No.
Few physicians question the ethics of this practice, especially in light of recent outbreaks such as pertussis in California and in certain communities within Brooklyn.
Indeed, the American Academy of Pediatrics has deemed it ethical to dismiss patients who refuse to get their children vaccinated, and offers a clinical guideline as well as an online toolkit on how to handle the pertinent issues.
"Physicians, like their patients, are moral agents," says Felicia Cohn, PhD, director of bioethics for Kaiser Permanente in Irvine, Calif. "Any physician may refuse an individual for moral reasons or may conscientiously object to providing particular treatments."
David Cronin, MD, a pediatrician with Medical College of Wisconsin in Milwaukee, says it's "entirely appropriate for a physician to refuse elective treatment to any patient. Being a physician does not obligate one to provide care to 'all comers.'"
Yet others say refusing to treat because of vaccine preference is indeed unethical because it punishes the wrong party. Samuel Katz, MD, of Duke University, says it's not right to refuse seeing a child "because it is the parent who is the problem, whereas the child merits medical care."
The entire story can be read here.  You may have to sign up for the free services.