Posts Tagged ‘encryption’

I recently read an article entitled Google’s Email Security Change does not make Online Counseling Secure. I was interested in the article because I was aware of Google’s recent change to an HTTPS default setting for Gmail. And I agree with the writer of the article that this is not a HIPAA compliant service since the HTTPS simply means that when you login to your Gmail account, you are more secure, particularly if you are logging in from a wifi hot spot. It does not mean however, that emails sent from a Gmail account are encrypted as explained in this WIRED article entitled  Google Turns on Gmail Encryption to Protect Wi-Fi Users.

So I thought I would go to the source- at least the most accurate source I know of- to give us all  the answers.

For years I have used Hushmail email services with clients to ensure my email exchanges are encrypted. The service is easy and affordable. In fact Hushmail offers a free account too. That can be handy if a client only needs an account temporarily while working with a therapist online.  The service is HIPAA compliant and Hushmail is willing to sign a HIPAA Business Associate Agreement (required in the United States). The agreement means that any 3rd parties that may be privy to confidential client information understand their responsibility to keep the information confidential.

I emailed Hushmail support and asked if they could explain more about their service and how encryption works. I asked specifically how Hushmail differs from Gmail. I received this response and I am posting the response here with permission:

Hello DeeAnna,

Thank you for your email and we are delighted to help with this.

Hushmail has been providing web-based secure email services for over a
decade now and uses the well known and well used OpenPGP standard for
encrypting email. We are a hosted service where users create accounts
on our servers and their email/data is stored securely on our servers.

All interactions a Hushmail user has with our servers are, and always
have been done over SSL (HTTPS), which provides a secure tunnel
between the users computer and our servers. If a Hushmail user sends a
message from one Hushmail user to another the email it will be sent
securely over its entire journey over SSL. Gmail is now doing the same
as we are, and we think this is a really good thing. Hushmail however
provides additional security in that users have the ability to easily
individually PGP encrypt their messages before sending them, encrypted
messages are also stored on our servers in an encrypted state. This
means that email has greater protection not only in transit, but also
when it is being stored.

One other area where Hushmail provides additional security is in that
with Hushmail you can send an encrypted message to a non-Hushmail
user, you do this by setting a shared secret as the key to encrypting/
decrypting the message. This is different to gmail in that the message
is individually encrypted (gmail messages are not) but also, once a
message is sent to a recipient outside of your network you may not
have control over whether the email is sent securely over SSL.
Individually encrypting your message resolves this issue.

We have many customers who use our service for counselling via email
and have been doing so for a long time.

If you have any further questions please do not hesitate to contact me.

Kind regards

Ben Cutler
Hush Communications
604 685 7288

I hope you find this explanation as helpful as I did. You can follow @hushmail on twitter. Oh, and Ben says if our readers mention Online Therapy Institute, he will give a discount on hushmail services! Thanks Ben for your time, expertise and a great service!!

Some of you who are thinking about delivering therapy online are wondering what might be the best way to get started.  Some practitioners opt to deliver services straight from their own websites tapping into platforms such as Skype and Hushmail. Skype offers encrypted voice, web and chat services. Hushmail offers encrypted email and chat. Skype and Hushmail are but two examples of available services. Now many companies are offering encrypted communication platforms. Currently I use Skype and Hushmail because these services are free and user friendly for clients.

Others may opt to join an “E-Clinic” which is an easy way to describe a platform or portal that allows providers of services and potential clients to conduct therapy. There are some nuances across the E-Clinic menus but in a nutshell, it is a one-stop shop for the client and therapist. I have previously joined E-Clinics in the past and I am still listed on a few.  It might be interesting to note that I have been listed for several (a decade in some cases) years on some e-clinic sites and I rarely if ever receive an inquiry from a potential client. I’ll get back to that in a minute.  E-Clinics are convenient and easy. Some E-Clinics offer appointment setting, billing capability, credit card processing and an extensive listing. Conceivably, one could create a listing on such a site and use the listing as a website. Some E-Clinics offer customized or “branded” services so that you can integrate the platform into a custom website of your own.  And most E-Clinics conduct some variation of credentialing so that license and certification numbers as well as malpractice insurance information is verified.

So it sounds hassle-free. So, why not? Well, there are a few reasons why not.  One is cost. Some of these sites charge monthly fees. That’s great but if you also have a website of your own then you might be paying twice, so to speak. Remember I said previously that I rarely if ever receive client inquiries from these sites so just because they have a glossy “store front” and offer a suite of products to the therapist, it does not mean that the site is marketed well. If you want to know, do an internet search using keywords like online therapy, online counseling, online counselling, or etherapy. What comes up? Is the E-Clinic listed on the first page of results? That is but one way to find out how “popular” the service is.  The other way is to check press or media tabs on the websites. Has anyone interviewed the company? Is there any information about advertising campaigns, past, present or future?  Remember, you can create a listing anywhere on the World Wide Web. That does not mean people can find you. In the case of E-Clinics, make sure your money is working for you.

Another concern is security. Is the site encrypted? Is the information held on the company’s server? I often joke that we need to be careful about setting up our services using encrypted platforms that are hosted on Joe’s server located in Joe’s garage somewhere in an urban neighborhood across the country or the world. But seriously, the security and encryption of the site should meet very high standards. Does the E-Clinic serve via contract, any major government or insurance entities? That is one reasonable and simple way to know if the E-Clinic has “clout” so to speak. But even so, do your own security tests. Take the E-Clinic for a spin. Use their web, messaging or chat services with a colleague. When you are logged on, send the URL (which should begin with https://) via your regular email or chat (yahoo or gmail for instance). Can the person on the other end open the the URL? If so, the site is not secure. Why is this important? If you do this same test with sites like Amazon, Ebay or your bank once you have logged in, the other person will not be able to see your information and will most likely be sent to a login page for that site. The same process should occur for E-Clinic sites.

If you think you have found an E-Clinic you want to use, be sure to check out their Terms of Use, Privacy Policy and other Terms and Conditions.  You should be concerned with what you are agreeing to as the provider of services and what the consumer agrees to as the recipient of services. Does it match your legal and ethical responsibilities? Do you have the ability to upload your own informed consent documents to your clients? And if you take client referrals from these sites using their platform, what intake information do you receive? Does the site conduct any screening? Is the site set up to provide crisis intervention? If the site clearly states that online therapy is not for people in crisis, then consider whether you want to make yourself available immediately. Many of the E-Clinic sites offer instant sessions as a way to lure consumers into using the site. Some would say these E-Clinics are offering a viable service to people who are in immediate need. So I ask, is the immediate need a crisis or just needing to have a personal issue addressed right away, representing the immediacy of our culture? Be careful not to compromise standards of care. For instance, if you make yourself available immediately, what client information do you have on hand during this initial contact? Is the client allowed to remain anonymous? If so, what happens if the client is genuinely in crisis?  I recommend that if you are going to utilize the option of immediate availability that you use this option as an initial consultation- and treat that time much like you would if a client called on the phone inquiring about services.  Why? Well, consider your ethical responsibility to properly screen your client and to know the identity of your client. If you are providing crisis intervention then the site should clearly state that services are for people in crisis with the proper terms and conditions in place.  Counseling and psychotherapy services that occur within a contracted relationship are very different than crisis intervention services.

Remember that E-Clinics cater to many disciplines so be sure that you can follow your legal and ethical codes and that you remain within your scope of practice.  If you live in a geographic area that does not regulate your profession and you have no real code of ethics to fall back on for reference, then consider using best practice standards set forth by the Online Therapy Institute’s Ethical Frameworks for Mental Health Practitioners and Career and School Guidance.

Hoping this has been a helpful post~ perhaps this will generate a healthy discussion of the topic.

DeeAnna

Central Alberta Canada’s daily newspaper, the Red Deer Advocate featured an article on Online Counselling (called Online Advice…).  The article features the organization, Shepell.fgi E-Counselling and quotes the founder of Shepell.fgi’s e-counselling division, Cedric Speyer:

“Our experience as online clinicians demonstrates that some individuals are more honest, more uninhibited and more expressive in writing than face-to-face,” said Speyer, who has been involved in researching, teaching and publishing in this new form of counselling for over eight years.

The full article is available here: Online Advice

Speyer is a long-time colleague and presented online counselling in a positive light.  He has helped bring etherapy into the Employee Assistance Program counselling model in Canada, the United States and across the globe.

As with most news articles of this sort, they do a fine job presenting the concept, and stressing the importance of security and encryption, as one example. But the article does point to a valid concern.  In this article, the concern is ensuring that who you reach online for services truly IS who you intend to receive services from. 

We recommend potential consumers of online therapy check out the person they are considering working with if that person is working independently and not part of a company or group that would verify credentials.  Online therapists should have enough verifiable information on their website to bolster consumer confidence. For instance, education with school name and year of graduation, license and certifications with numbers and a link to licensing boards or accrediting bodies as applicable, as well as contact information for the therapist beyond an email address are examples of extending credibility to the practitioner.

Cedric- thanks for your contributions to the field!

DeeAnna

With the proliferation of social networks and most recently, the budding of new niche social networks geared toward specific groups, therapists are finding many places to connect and discuss! The Online Therapy Institute features discussion groups at Linkedin, Links for Shrinks and Facebook. We encourage open discussion of all issues related to technology and mental health from marketing one’s private practice on the web to actually conducting online therapy. But therapists should take caution when discussing client cases on such networks. While some networks may be password protected, links can sometimes be copied and pasted from most standard discussion boards and forums leaving practitioners and their clients vulnerable. The Online Therapy Institute provides a secure and encrypted member forum that is HIPAA compliant (important to therapists in the United States). The forum offers chat and discussion board features that give the therapist a confidential place to talk about cases.

Even when therapists “blind the record” removing all identifying information, client identity can sometimes be discovered if by simply knowing the location of the therapist through a forum or email tagline. If the therapist practices in a rural area, it may not be difficult to connect the dots. While it is enticing to enter into clinical discussions with peer professionals, counsellors and therapists should make sure discussions are completely confidential.

DeeAnna