Issues in Ethics: Confidentiality
About This Document
Published 2018. This Issues in Ethics statement is a revision of Confidentiality (originally published in 2001, and revised in 2004 and 2013). It has been updated to make any references to the Code of Ethics consistent with the Code of Ethics (2016). The Board of Ethics reviews Issues in Ethics statements periodically to ensure that they meet the needs of the professions and are consistent with ASHA policies.
Issues in Ethics Statements: Definition
From time to time, the Board of Ethics (hereinafter, the "Board") determines that members and certificate holders can benefit from additional analysis and instruction concerning a specific issue of ethical conduct. Issues in Ethics statements are intended to heighten sensitivity and increase awareness. They are illustrative of the Code of Ethics
(2016) (hereinafter, the "Code") and are intended to promote thoughtful consideration of ethical issues. They may assist members and certificate holders in engaging in self-guided ethical decision making. These statements do not absolutely prohibit or require specified activity. The facts and circumstances surrounding a matter of concern will determine whether the activity is ethical.
Professional persons in health care delivery fields (including those working in the public schools) have legal and ethical responsibilities to safeguard the confidentiality of information regarding the clients in their care. Scholars and those involved in human research have legal and ethical obligations to protect the privacy of persons who agree to participate in clinical studies and other research projects. Children and adults who are legally incompetent have the same right to privacy enjoyed by adults who are competent, although their rights will be mediated by a designated family member or a legal guardian.
There are federal statutes binding on all ASHA members who treat clients or patients, whether they work in health care facilities (where the Health Insurance Portability and Accountability Act [HIPAA] privacy and security rules apply), schools (which operate under the Family Educational Rights and Privacy Act [FERPA] as well as HIPAA), or private practice. There are also stringent federal statutes governing the treatment of human subjects in medical and other forms of scientific research. Individual states also have statutes governing the confidentiality of patient and client information, the protection of data gathered in research, and the privacy of students. It is the responsibility of all members of the audiology and speech-language pathology professions to know these laws and to honor them. Because state laws may vary, professionals moving from one state to another should take special care to familiarize themselves with the legal requirements of the new place of practice or residence. Educational institutions preparing professionals in the Communication Sciences and Disorders (CSD) discipline should give significant attention to informing all those entering the discipline about these legal requirements and should model good practice in their handling of confidential information concerning the students enrolled in their programs. Owners of businesses and managers of facilities should regularly review these legal requirements with the professionals and the staff whom they employ.
Institutions and facilities within which professionals see clients or pursue research may have their own policies concerning safeguarding privacy and maintaining confidential records. It is incumbent on the professionals in such settings to familiarize themselves with such workplace policies and regulations and to perform their work in conformity with these requirements. Owners and managers should make sure that such policies are readily available to their employees. Workplace training is desirable, and periodic reviews are recommended.
The Code identifies the confidentiality of information pertaining to clients, patients, students, and research subjects as a matter of ethical obligation, not just as a matter of legal or workplace requirements. Respect for privacy is implicitly addressed in Principle of Ethics I because to hold paramount the welfare of persons served is to honor and respect their privacy and the confidential nature of the information with which they entrust members of the professions. This broad, general obligation is further specified in both Rule O and Rule P.
Principle I, Rule O: Individuals shall protect the confidentiality and security of records of professional services provided, research and scholarly activities conducted, and products dispensed. Access to these records shall be allowed only when doing so is necessary to protect the welfare of the person or of the community, is legally authorized, or is otherwise required by law.
Principle I, Rule P: Individuals shall protect the confidentiality of any professional or personal information about persons served professionally or participants involved in research and scholarly activities and may disclose confidential information only when doing so is necessary to protect the welfare of the person or of the community, is legally authorized, or is otherwise required by law.
If there is variation among the different sources of rules on privacy, the professional should follow the most restrictive rule; for example, if the law seems to allow an action that the Code seems to prohibit, follow the Code. If there is conflict between sources, do what the law requires; for example, if workplace policies conflict on some point with legal requirements for confidential handling of records, the law takes precedence.
Confidentiality Issues in Research
Attention to the protection of privacy begins with the planning of a research project, is crucial to the way research on human subjects is conducted, and extends through the review of research results (on both human and animal subjects) for publication and the sharing of data sets. Everyone involved—researchers, human subjects, support personnel, editors, reviewers, and data managers—should be aware of the ethical and legal requirements regarding privacy and should not compromise confidentiality for any reason.
Institutional review boards must be consulted about any research involving human subjects, and informed consent forms must be obtained and honored. Human subjects have a right to expect that their personal information will not be divulged when the results of a study are published or when data sets from a research project are shared with other investigators. Protecting the privacy of research subjects is an obligation for all those who are involved in the research.
Data and the personal identities of individual participants in research studies must be kept confidential. There should be careful supervision of staff to make sure that they, too, are adhering to best practices in protecting the confidentiality of all participant data. Some reasonable precautions that should be taken to protect and respect participants’ confidentiality include
- disseminating research findings without disclosing personal identifying information;
- storing research records securely and limiting access (i.e., records may be accessed only by authorized personnel);
- removing, disguising, or coding personal identifying information; and
- obtaining written informed consent from the participant (or, in the case of a child, the parent or guardian) to disseminate findings that include photographic/video images or audio voice recordings that might reveal personal identifying information.
Because legal requirements in this area are very strict and because institutions monitor research on human subjects carefully, professionals should seek further guidance directly from the appropriate personnel in their home institutions.
During the peer review of submitted manuscripts, all findings, information, and graphics in the manuscripts must be treated as highly confidential, and reviewers and editors alike have an obligation to protect findings from any form of premature disclosure. In a blind-review process, researchers' identities must be protected. In a double-blind review process, the anonymity of authors and reviewers alike must be scrupulously preserved. Editors and reviewers should make no prepublication use of information that they learn from submitted manuscripts.
Confidentiality of Client Information
Clients must be assured that all aspects of their communication with an audiologist or speech-language pathologist regarding themselves or their family members will be held in the strictest confidence. Clients who cannot trust professionals to treat information as confidential may withhold information that is important to assessment and treatment. When professionals disregard the privacy of their clients, the clients are injured in obvious and/or subtle ways. Evaluations, treatment plans and therapy, discussions with the client or the client's relatives, consultations with the family or with other professionals, treatment records, and payment negotiations should all be treated as confidential. All persons who come into possession of client information are equally bound by this requirement. Therapists, supervisors, assistants, and support staff in schools, facilities, and firms overseeing billing services are all prohibited from revealing client information to unauthorized third parties. ASHA members have a responsibility not only for monitoring their own conversations, securing records, and sharing client information, but also for ensuring that supervisees and support staff are adhering to ethical requirements regarding privacy. ASHA members who oversee facilities delivering services should have in place policies and sanctions regarding violations of confidentiality by their employees or by students working under supervision.
Guidance With Respect to Verbal Communication
In the case of a competent adult, no one other than the client herself or himself has the right to authorize the release of information. In the case of a child, only the parent of record or guardian ad litem has this right. It should be noted that there will be cases (e.g., in custody disputes or under custody agreements) in which a biological or adoptive parent has neither the right to know client information nor the right to authorize disclosures. In the case of an incompetent adult, only the designated family member(s) or legal guardian has the right to authorize disclosure. Good practice suggests the following:
- In all treatment situations, a written form specifying disclosure of information should be provided to, and signed by, the client or client representative at the beginning of treatment.
- Every client record should contain a clear, specific, up-to-date, and easily located statement indicating who has the right of access to client information and who may authorize the release of such information to other parties.
For any release of information other than that specified in the preliminary privacy agreement or as required by law (e.g., a subpoena), audiologists and speech-language pathologists must obtain a release-of-information agreement from clients or their designated representatives. This includes obtaining permission to share information with another professional. It is prudent to obtain this permission in writing rather than rely on verbal assent.
In rare cases, courts or administrative bodies with subpoena power may legitimately require the disclosure of confidential information. When a court serves an organization or individual with a subpoena requiring records or other information as evidence in a legal proceeding, typically the professional complies with the request; however, it is often prudent for professionals to seek legal advice in such situations.
Professionals are prohibited from discussing clients in public places—such as elevators, cafeterias, staff lounges, restrooms, or clinical/business sites— with others, specifically including the practitioner's family members and friends. Practitioners sometimes think that if they do not use the client's name such discussions are acceptable, but this is not true. Any description of, or comment about, a client who is being served constitutes disclosure of confidential information.
The same restrictions that apply to face-to-face conversation also apply to digital and electronic forms of communication with professionals, colleagues, and friends.
Guidance With Respect to Written Records
Written records have a durability and reproducibility distinct from spoken information; therefore, additional concerns about the protection and handling of paper files or computerized records. These concerns and challenges have become more complex and intense as a result of the digitizing of information. Breaches of confidentiality can occur as a result of the way records are created, stored, or transmitted.
Ordinarily, professionals should not create, update, or store records on their personal electronic devices (e.g., computers, cell phones, and flash drives) or on personal online accounts. If a workplace is aware of and allows such off-site handling of records, then privacy safeguards, such as password protection and anonymized client identifications, should be meticulously observed. Records on portable devices should not be opened and read in public places such as coffee shops or on public transportation.
All therapists who practice independently and all businesses should have clear written policies concerning client records. Workplace policies concerning records management should typically address
- record accuracy and content;
- record storage, both electronic and paper;
- ownership of records;
- record access—both with respect to personnel who may read and manipulate the record and with respect to rights of access by clients;
- record review and retention and related statutes of limitation;
- transfer of information, including transfer by electronic means;
- procedures for handling requests for information by someone other than the client or the client's representative;
- use of client records for research; and
- destruction of material removed from records.
These policies should be observed without variance. Failure to comply with the requirements designed to protect client records not only puts client welfare at risk but also makes the practitioner vulnerable to ethics complaints and legal action.
It is particularly important for professionals serving clients in institutions and facilities to be aware of who owns the record. Usually, in a medical setting, the medical facility owns the record. In a private practice, the individual who is legally responsible for the practice owns the record. In a school setting, the school district owns the record. A report prepared by an audiologist or a speech-language pathologist in the course of employment in a particular setting is not owned by that audiologist or speech-language pathologist, and he or she may not remove or copy such confidential records while employed, upon termination of employment, or if the practice closes.
It is important for the professional to be aware of what information is necessary and appropriate for inclusion in the client's legal record and to exercise professional judgment in making notations in the client's record.
Appropriate steps must be taken to ensure the confidentiality and protection of electronic and computerized client records and information. All information should be password protected, and only authorized persons should have access to the records and information. Computerized records should be backed up routinely, and there should be plans for protecting computer systems in case of emergencies.
Student Privacy Issues
Many academic programs prepare audiologists and speech-language pathologists for entry into the CSD discipline. At all levels of professional education, students and student clinicians have privacy rights that educators must respect. Many of these rights are specifically protected by federal law (e.g., FERPA), and there may also be relevant state statutes. But, once again, safeguarding the privacy of information entrusted to a teacher, program administrator, or institution is an ethical and not just a legal obligation. Professional regard for students and student clinicians involves respecting each student as the arbiter of what personal information may be divulged and to whom it may be divulged.
Guidance With Respect to Students in Classes
Most academic institutions have very specific policies regarding access to, storage of, and release of confidential student academic and disciplinary records. Academic institutions are less likely to have written policies concerning appropriate conversations and communications among educators with respect to the students at that institution. Students do, however, have a right to assume that the knowledge that the faculty have of their academic achievements and personal situations will not be widely or carelessly shared. Verbal and electronically mediated discussion of a student's performance should be carefully restricted to those directly responsible for the student's education. Student performance and personal disclosures should not be discussed in public places, such as elevators, hallways, cafeterias, coffee shops, restrooms, or campus transportation vehicles. Graded student work and records of student achievement must be carefully safeguarded; access to grades in electronic files stored on mobile devices should be password protected if the device is carried outside the faculty member's campus office. Sensitive personal information that a faculty member may possess should not be shared at all in the absence of a clear and compelling need to know on the part of the person making inquiries.
Guidance With Respect to Student Clinicians
Maintaining the confidentiality of information is a complex challenge in the case of student clinicians. Those who supervise student clinicians must ensure the privacy of client and student clinical records and should model high regard for client privacy and best practices in recording, securing, and storing client records. Supervisors and mentors must treat the performance, records, and evaluations of student clinicians as confidential.
Supervisors of student clinicians must be familiar with the rules for viewing and sharing client information in a teaching setting. For example, a student supervisor's discussion of a patient record for the purposes of education in a university clinic is not a violation of confidentiality, but a student's discussion of the same patient with other students or friends would constitute a violation of confidentiality.
When student clinicians work with clients, persons unrelated to the client may request information about the client's communication problem. Requests might come from an off-site clinic supervisor, clinical fellowship mentor, or a professional who supervises student teachers. Patient or client information cannot be disclosed without a signed release.
Confidentiality in Relation to Peers and Colleagues
Issues of confidentiality also arise for ASHA members and certificate holders in their relationships with colleagues as a result of information that they obtain as they serve in roles such as site visitor, consultant, supervisor, administrator, or reviewer of documents such as manuscripts, grant proposals, and fellowship applications. All of these roles allow access to peer information of a personal and confidential nature. These activities are covered broadly under Principle of Ethics IV, which states, "Individuals shall uphold the dignity and autonomy of the professions, maintain collaborative and harmonious interprofessional and intraprofessional relationships, and accept the professions' self-imposed standards."
Information about colleagues and professional peers that is gathered or revealed in the course of evaluations, assessments, or reviews should be treated with the same care and respect that are appropriate to information about clients and research subjects.
When a colleague shares sensitive information or when one participates in committees or other groups that discuss sensitive or controversial matters, participants should clarify in a candid conversation what level of confidentiality is expected and scrupulously maintain the desired level. Records of such conversations should be appropriately secured with agreement as to their storage and disposal.
Matters that may result in disciplinary action by some body, board, or institution deserve special comment. Individuals reporting or responding to alleged violations of codes of ethics or professional codes of conduct are also dealing with confidential matters and acting in a confidential relationship with the adjudicating body. It would be prudent to consider all aspects of a matter confidential until a final decision is rendered. Once a final determination has been reached, it is important for the adjudicating body to clarify what information can now be shared and what information must remain confidential.
Adjudicating bodies themselves typically follow rules of confidentiality (some dictated by law and regulation, some dictated by the organization's internal governance policies and procedures) while the case is under consideration.
With respect to disclosure of decisions by adjudicating bodies, individuals need to inform themselves of pertinent laws and organizational policies. It would not be prudent simply to assume that the outcome can in all cases be made public. Even when the outcome can be made public, it is often the case that earlier filings, testimony, and deliberations must be maintained in confidence.
ASHA members who either place a complaint before the Board or find themselves responding to such a complaint have specific responsibilities to preserve the confidentiality of all materials relevant to the adjudication of complaints. Principle of Ethics IV, Rule P, is specific about this ethical obligation and states, "Individuals making and responding to complaints shall comply fully with the policies of the Board of Ethics in its consideration, adjudication, and resolution of complaints of alleged violations of the Code of Ethics."