Bernard McDowell, lcsw
Psychotherapy & Couples Counseling    
2700 SE 26th Avenue Suite D, Portland, OR  97202
503-234-9904

 Confidentiality:  Therapeutic Importance, Legal Definitiions, and Loopholes
by Bernard McDowell, lcsw copyright 2003
    Regarding therapy, the term confidentiality once meant that anything a client told a therapist remained strictly between the two of them.  Absolutely no identifying information was revealed about the client to anyone else--no exceptions.  This article elaborates why that policy served as a cornerstone for the practice of psychotherapy both for each individual client and the whole institution of therapy.  Unfortunately over the course of decades, many laws and the orthodox practices of the insurance industry effectively eroded the original value of "confidentiality" beyond recognition.  Today there are many different operational definitions of confidentiality from state laws, licensing boards,
professional associations, a new federal "privacy" law, and a US Supreme Court ruling in 1996.  This article offers a general overview of these issues.  Other related articles include my "Privacy Notice" consistent with new Federal Law and a general disclosure statement about my practice.  Though   written to be read as a whole, each of the sections below hold up on their own--so you may click on any sub topic to the right or simply begin reading directly below.
Contents of This Article

"Whatsoever things I see or hear concerning the life of Whatsoever I see or things I hear from a man, in any attendance on the sick or even apart therefrom, which ought not to be voiced about, I will keep silent thereon…"
Hippocratic Oath
 The Importance of True Confidentiality In a Therapeutic Relationship
     The word, confidentiality, derives from the Latin meaning to keep faith with or to maintain "fidelity" with another person.  One dictionary defines fidelity as "implying the unfailing fulfillment of ones duties and obligations and strict adherence to vows or promises."  Modern research supports the wisdom of strict confidentiality and historical archetypes underscore its value.  Dr. Joan Boresynko, a noted medical researcher on the intersection of mind/body phenomena, reports on a number of experiments done on confidentiality and the value of sharing.  For example, one experiment simply asked subjects to speak their secrets to a shower curtain hung up against a wall. The T-cell count in their blood went up indicating a strengthened immune system.  The preamble to the so called "privacy standards" issued by the Health and Human Services Department in December 2000 cites research that adolescents avoid treatment or withhold important information if they can't count on privacy.

     However, modern experiments with statistical analyses aren't necessary to appreciate confidentiality.  The famous psychologist, C.G. Jung, proposed that the practice of confession in Catholicism prefigured psychotherapy.  Priests' vow to keep all confessions a complete secret created a safe place for people to seek forgiveness.  Other religions and healing practices guard private consultations.  Until recently by the Hippocratic Oath, medical doctors were held to confidentiality.  Issues related to confidentiality show up in literature, myth, and fairy tales.  Allen Chinen, M.D., a Jungian analyst, collected old teaching tales from around the world about depressed men.  Across cultures, similar themes appear.  For example, in a tale about an Italian peasant depressed over a lost wheat harvest, a key element in his healing revolved around the struggle to open emotionally to his wife while remaining selective with the landlord.  So, confidentiality is important, but why? how does it work?
     The therapy process conducted in strict confidentiality serves as a sacred trust for the client's inner life.  Therapy offers a deep invitation to a person to explore the whole range of his or her experience including the most sensitive, fragile aspects--without fear of judgment or reprisals.  Provided iron clad privacy, clients are freer to begin unearthing parts of themselves they don't like or don't want to admit to--to themselves not just the therapist; that's often a crucial step to free ourselves from outworn, painful patterns.  (Much more could be added about how the very formation of psychological identity develops and how that relates to confidentiality--but that is beyond the scope of this brief article.)

 Court Rulings and Legislation


     The 1960's ushered in much state legislation requiring doctors and therapists to report child abuse.  In 1976, a California court issued the "Tarasoff" decision mandating therapists to break confidentiality if a client shared their plans to physically harm somebody.  By the late 70's, insurers began covering mental health.  Diagnostic codes became standardized encapsulating a great deal of information which insurers insisted on having to an ever increasing degree.  With the advent of managed care in the '80's & '90's, HMO's demanded routine detailed access to symptoms, "multi-axis" diagnoses, treatment plans, progress, medications, substance use or abuse history not only of the client but "family history", etc..

     These trends were slowed by a 1996 Supreme Court case, Jaffee v. Redmond.  The Court held that statements made to a therapist during a counseling session were protected against civil discovery under the Federal Rules of Evidence.  Recognizing that a breach in confidentiality in one case compromises the whole institution of therapy, the Court ruled in favor of a client's rights to have records kept confidential even in a case where a violent death occurred.  The Court wrote it "serves the public interest by facilitating the appropriate treatment for individuals suffering the effects of a mental or emotional problem. The mental health of our citizenry, no less than its physical health, is a public good of transcendent importance.''  To date there have only been a few tests of Jaffee, so it has yet to be determined how much influence it will have on similar cases or whether it may be used to stop the intrusions of managed care or a new Federal law on "privacy".

     Unfortunately legislation, managed care practices, and insurance companies' demands to audit information continue to severely distort the meaning of confidentiality as it was once conceived.  Furthermore, over the last decades there are numerous examples of entire data bases of medical records being left in garbage cans, in discarded computers at a thrift store, or posted on line for anyone to view.  Therefore people seeking therapy may do well to investigate what will happen to information shared with a therapist or doctor.  It is certainly still possible to gain a high degree of confidentiality with a psychotherapist but only by educating oneself and carefully considering whether to use insurance or not.
 The New Federal  "Privacy Rule"--A Few Practical Cautions
     There is a new Federal Law--so called "privacy law", Health Insurance Portability and Accountability Act [HIPAA].  Though citing the Supreme Court's "Jaffee" decision, HIPAA proceeded to leave the notion of confidentiality in shreds.  Originally HIPAA was planned as protection against electronic transactions only given how information is increasingly vulnerable to interception on the net, hack attacks into medical files, etc..  The law now covers information shared electronically but also written records and "oral communications".  Under intense lobbying pressure from major corporations, the Health and Human Services Department, authors of HIPAA, also institutionalized access to information traditionally kept between doctor and patient.    For instance, most of what used to be considered psychotherapy records is now specifically defined as part of the "medical record" which can be released for many different purposes without a client's consent.  But what does that mean? does it have implications for the average citizen?

     Reasonable people might wisely prefer to not have certain information in their "medical record" in numerous circumstances--including anyone divorcing and anticipating a child custody conflict, anyone in the public eye such as a politician or someone with minor celebrity status, anyone planning on going into business or applying for life insurance, doctors or therapists when they are in the role of patients, and on and on.   Drugs and sexual matters are particularly sensitive concerns.  Under HIPAA, law enforcement agencies have the right to examine your records without your consent.  Wow, the list is beginning to grow!  Following are a few illustrations; but first, on a positive note, under HIPAA, a more stringent state law takes precedence.  In Oregon, there are still state laws that require consent as do professional ethics though there are different requirements for different licensure categories and a number of exceptions.  Some of these--court orders, child abuse, potential harm to self or others--are elaborated at Confidentiality In My Practice.  Later, we'll consider how to best protect your privacy.  Also, HIPAA distinguishes between a consent and an authorization.  A consent is not needed for release of information for "treatment, payment, or health care operations" while an "authorization", a document with specific requirements, is used for most other disclosures.

     On the side of caution and informed consent, consider a few examples of increasing infringements on medical records.  Prior to HIPAA, a specific written authorization would be needed for a therapist to talk with a client's family doctor. Now, a consultation is defined as part of "treatment" so a therapist and doctor (or a referring provider) may share any and all clinical information they deem necessary without the client's consent or even bothering to inform him or her.  Nor is consent needed when information is used for "health care operations"; but that includes everything from "quality control" to the "business" meetings of insurers to fundraising for hospitals.  Consents aren't required for "payment" which includes many functions allowing for exchanges with "consumer reporting agencies" and debt collection companies which are specifically given permission to approach spouses and parents with some information (formerly protected as a sacred trust).  Therapists may use all client information for training programs.  This short list doesn't begin to enumerate the range of "disclosures" which HIPAA permits formerly regarded as strictly under the control of the client!  Again, while some rationalization is proffered for each of these "exceptions", taken as a whole it's clear that confidentiality can hardly be taken for granted.  Let's review a few more examples before charting what a client might do--in lieu of, what used to be, a simple matter of trusting that information about their most private lives will be respected.               Back to Top
     One insurer, the Hawaiian Health Plan, covers about 70% of the population there.  But recently that health plan, a corporate enterprise, required all doctors doing business with them to agree to let the insurer examine the doctors' personal medical records at the insurer's bidding.  Presumably, that's to protect the insurer from doing business with fraudulent, incapacitated, or otherwise impaired doctors.  But that requires most doctors to drop 70% of their business or give up the confidentiality between themselves and their doctors--a centuries old value!!  But remember a great deal of psychotherapy information is now considered part of the medical record under Federal Law.  So if those doctors ever went to a therapist, they will be giving their permission for the insurer to read "any summary of diagnosis, progress, treatment plan, functional status, prognosis, results of clinical tests, modalities and frequency of treatment, medication: prescription and monitoring", and "any other information necessary for treatment or payment”.  That list is verbatim from the law.  In another passage in the Federal Register, HIPAA adds "themes of psychotherapy" sessions to items belonging to the medical record .  

     Note that scenario isn't confined to Hawaii.  In recent times, many if not most managed care panel applications ask therapists if they've ever had a "psychiatric diagnosis" and to supply details if they had.  In effect, that meant that any therapist who ever had therapy paid for by insurance (because insurance only pays for treatment with a diagnosis).  Keep in mind that many graduate programs require their students in fields related to therapy to do therapy themselves.   These examples cited doctors and therapists but bear in mind that the whole medical field comprises a significant percentage of the entire workforce of the country.

     So OK? Still, so information is released but how will that be a problem? Certainly, there is the potential humiliation for a doctor on a relatively small island to do business with executives at an insurance company that know all about his or her depression over a divorce or a case of herpes or an affair or a thousand and one other things.  Not just for these Hawaiian doctors but for virtually anyone, the mere fact of having received one of the mildest mental health diagnoses (called "adjustment disorders") may result in getting turned down for both health and life insurance for up to a year or longer.  As painful as it is, divorce is quite common these days.  People often have depressive reactions going through divorce with agonizing decisions about child custody arrangements.  Therapy may prove very helpful yet such a person may do well to carefully evaluate what records will be kept on them and the conditions under which they may be released.  Workers compensation, numerous other examples and for each the laws may be complex.

     There are many other giant loopholes in HIPAA as well.  It requires all providers and health plans to give each client a "Privacy Practices Notice" on the first visit as the cornerstone for assurance of privacy.  The Notice supposedly describes how the client's information will be protected; but if that notice contains a clause reserving the right to change it, it may be changed at any time--and those new changes apply retroactively to information the client gave the doctor or therapist based on the old privacy practices.  This set up so lacks in integrity that to begin therapy by giving a client a Privacy Practice Notice without pointing out this loophole makes a joke of the client's trust from the very first contact.  Well, the list of problems is lone and this forum is too small to do justice to the topic.  So, it is time to put the question, what is the best way to protect your confidentiality?
 Ways To Protect Your Confidentiality

     If you are looking for a quick formula to best ensure confidentiality, it might simply be 1) do not use insurance or any third party payer, and 2) find a therapist in a solo private practice who only keeps notes on paper, doesn't engage in any electronic transmissions, and satisfies you about their attitude and practices about confidentiality (there are a number of questions suggested below).  If you do use insurance, as explained below, a PPO plan is better than an HMO with regard to your confidentiality. If you do use an HMO, you may, at least, tell your therapist that you'd like to explore together what information your therapist sends to them.

    If you do choose to use insurance, you may never have a problem!  However, there are plenty of potential concerns and they're not all that rare.  Know that once your therapist sends information to an insurer the therapist no longer has any control over how it is disclosed.  There are a number of circumstances in which insurers send information to the Medical Information Bureau in Massachusetts which in turn sends that info to other insurers--e.g.,  when someone has been turned down or is applying for health insurance.  Some states have laws mandating that if you file a workers compensation claim, the insurer and the employer have the right to examine your records.  Many companies are self insured--in fact, a common example are hospitals or HMOs themselves--typically large employers.   By HIPAA those companies are supposed to separate information obtained in their function as an employer from their function as an insurer.  But that begs the question of whether someone wants to trust the employer with their most private information (and if that is psychologically healthy).  

     Indemnity insurance or a PPO [preferred provider] health plan generally intrudes less than an HMO or an insurer with a managed care company handling its mental health coverage.  Preferred Health plans typically require a therapist to file a HCFA form, a standard Federal billing form used by doctors and therapists.  The only intrusive information that form requires is a diagnostic code.  However, those codes, though just a few digits, do sum up quite a bit of information.  For example, 296.32 refers to Major Depression recurrent with moderate severity.  That in turn means that the person had 5 or more from a list of 9 depressive symptoms for two weeks or longer.  That list of 9 includes "suicidal ideation", "feelings of worthlessness", and difficulty concentrating.  That's all very much in the normal range of a reactions to normal developmental challenges at one time or another in our lives.  But not the type of info you'd want a prospective employer to know!  You certainly wouldn't  put it on your resume.  Yet under HIPAA an employer is allowed to ask for your authorization for the release of medical record--information that will be in your record if you used insurance.
     To assess a prospective therapist's reliability concerning confidentiality, I'd suggest asking questions before sharing any personal information.  You might start off with a broad question like, "how do you keep your records confidential?".  But bear in mind that capsule replies such as "I keep your records strictly confidential" or "we offer strict confidentiality according to the law" don't really mean much as the above examples make clear.  Most therapists will give you information in writing at the first session about confidentiality.  But that's generally a boilerplate required by law or professional organizations.  You might wish to  inquire further to get a sense of the therapist's attitude about keeping your confidence.  Relevant concerns include whether records are kept on computers or on paper.  If on computer, whether they go on-line with that same computer?  Is it a lap top? do they take it out of their office? do they have their access to their files protected?

     Of course, after a few of these questions you get a sufficient sense of the therapist's attitude to satisfy you.  For those who are interested, here are some other areas to be aware of.  Many therapists belong to consultation groups with their peers who discuss cases together.  While that has important benefits, it also entails the issue of whether the therapist shares any information that identifies clients--under HIPAA that's allowed but not necessarily under state laws and professional practice.  Does the therapist freely discuss cases with their spouse or partners?  The answer to this should be a quick clear, resounding "no"..  By the way, it's normal practice for a therapist to have a Professional Will naming another professional to take possession of the therapist's records in an emergency or they may name some one to call you to cancel an appointment in the case they are incapacitated.  Notice whether the therapist let's you know that upfront?  Those are all indications of a therapists detailed attention to what maintaining confidentiality entails.