It had to be you…(when your favorite EHR makes you break up with them)

This was posted to my practice newsletter this morning:

Dear friends and colleagues,

Things have been quiet here for awhile, but recently my ethical compass got spun around by the update to the privacy policy of the EHR platform I was using (if you haven’t heard yet, it rhymes with Dimple Cactus). I was particularly concerned about the privacy updates that stated a few different things:

First: they were saying that they owned my user data and claimed that they had a “non-exclusive right to repurpose it in perpetuity.” Ugh.

9.2 License to User Data.  By uploading or submitting any User Data to or through the Services, and permitting other Users (including, without limitation, Clients) to upload any User Data into the Services, You hereby automatically at such time grant SimplePractice (and its affiliates) a non-exclusive, worldwide, royalty-free, fully paid-up, perpetual, irrevocable, sublicensable (through multiple tiers), and transferable license to use, reproduce, distribute, prepare derivative works of, perform and display such User Data (including User Data that is created, collected or generated by the Services or SimplePractice using the User Data Users submit), for the purposes of providing you the Services and further developing, improving, and marketing SimplePractice’s products and services (including the Services), it being understood that the results generated from use for purposes other than providing the Services are not identifiable with the Organization or any natural person. The foregoing rights and licenses will be exercised in accordance with the SimplePractice Privacy Policies referenced in Section 10 below. You agree that the license includes the right to copy, analyze and use any User Data as SimplePractice may deem necessary or desirable for purposes of debugging, testing, or providing support or development services in connection with the Services and future improvements to the Services. The license granted in this Section is referred to as the “Service Data License.” You also acknowledge that the Service Data License granted to SimplePractice with respect to User Data will survive the expiration or termination of Your Account. Notwithstanding the foregoing license, the license granted to SimplePractice to use User Data that includes content that You provide for purposes of Your Professional Website is set forth in Section 17.2 (Professional Website Service) below. You further irrevocably waive any “moral rights” or other rights with respect to attribution of authorship or integrity of materials regarding User Data that You may have under any applicable law under any legal theory.

I am NOT an attorney, so some of this was mumbo jumbo to me, but as a person who creates and sells my own intellectual property (as practice forms), I did not like the idea that the EHR I was paying to use would claim ownership of my own copyrighted intake forms and policies. What do you mean I am “irrevocably waiving,” my rights to attribution or authorship of things I put in your system?? And why in the world would I agree to such a thing?

But that was just the self-interested part of me.

What was especially concerning was the part that informed me that psychotherapy clients are included in such User Data! I mean, how can I be on board with using any healthcare platform that has plans to copy and claim ownership of health data of my clients for the purposes of developing new products?

I wasn’t the only person who was concerned. There was a big discussion of this on a national APA listserv, and I was really hoping that my professional organization would advocate on behalf of mental health professionals and our clients and push back on these policies, but they determined that there is currently nothing of concern here.

But… they also have an existing affiliate relationship with this EHR, which according to their own ethics codes seems to be an existing conflict of interest.

3.06 Conflict of Interest

Psychologists refrain from taking on a professional role when personal, scientific, professional, legal, financial, or other interests or relationships could reasonably be expected to (1) impair their objectivity, competence, or effectiveness in performing their functions as psychologists or (2) expose the person or organization with whom the professional relationship exists to harm or exploitation.

Huh.

There was a fantastic webinar put on by Person-Centered Tech (oh, how I miss my dear Roy Huggins) and Zynnyme on this topic in which Eric Ström, attorney and LMHC weighed in on the legal challenges and SP’s seeming misunderstanding of how patient initials are part of PHI. I highly suggest watching this replay if you can. One thing that Eric said, however, was interesting to me: He noted that your Informed Consent shouldn’t say which EHR platform you use. I believe his point was that you might be boxing yourself into the platform if this was the treatment contract you created with clients.

This intrigued me because my practice has always been one that values transparency. I have also given clients the option to NOT use electronic records because I recognize that there are many reasonable objections a person might have in this day and age to having their data stored in the cloud. Since I moved to using an EHR in 2016, I have continued to honor all of my clients’ requests to stay on paper (about 20% of my practice).

When I understood that SP was not only forcing therapists into agreement with these policies in order to access our accounts in mid-August (they since retracted that and gave us until September 6th), I knew I had to get off the platform. It didn’t feel good to be forced to accept an agreement that was not in my own best interests, and which I could barely comprehend. I could not imagine what it would feel like to be a psychotherapy client and be similarly forced into accepting such an agreement to “ownership” of my health data simply to access a therapy session or get my Superbill.

So I fled for a platform in which I had more certainty about the commitment to patient privacy, as well as little interest in making big tech bucks. But let me tell you, it wasn’t fun. Moving seven years worth of clinical data that is only exported as single PDF’s is quite an undertaking. I feel great about my new system’s ethical commitments, but it is clunky and much more cumbersome than the one I was using. Things that took one click in my former platform sometimes take five to complete, and my wrists are aching! I also heard from many colleagues with group practices (that also run therapy groups) that it was just too overwhelming to change platforms, and they have my empathy and understanding.

What I Did

When this started going down, I first revoked my consent in Simple Practice. Then I sent all my clients an email letting them know that I had concerns about the EHR I was using and that to avoid them being forced into accepting any new terms of service, please use my HIPAA compliant Zoom link to access our upcoming sessions.

I also discouraged them from logging in to obtain their superbills and I told them I would email them their August Superbills encrypted from hushmail. I moved their payments over to IVY pay. This is one of the few times where my not using one platform for everything actually helped. My clients who do not want their information stored in the cloud had already been meeting me on Zoom or were using IVY pay. Bear in mind that HIPAA compliant Zoom with a Business Associate Agreement does not have the AI features enabled.

And then, I completely updated my Informed Consent, explaining the details of the new platform I am using, and updated my electronic consent policy so that people could opt-out of electronic records again if they had changed their minds.

 

What Ethical Standards Apply Here?

So we know that there are legal issues here, in terms of possible HIPAA issues down the line, but what are the ethical considerations?

I went to my APA Ethics Code to look at what is relevant to this situation. Let’s begin by thinking about Informed Consent. For psychologists, this is would be Standard 10.01, Informed Consent to Therapy:

10.01 Informed Consent to Therapy

(a) When obtaining informed consent to therapy as required in Standard 3.10, Informed Consent , psychologists inform clients/patients as early as is feasible in the therapeutic relationship about the nature and anticipated course of therapy, fees, involvement of third parties, and limits of confidentiality and provide sufficient opportunity for the client/patient to ask questions and receive answers.

Look at your own ethics code and see what it says about Informed Consent, but generally, ethicists point out that Informed Consent is an ongoing process that evolves over time. When we implement fee increases, or change any office policies, or need to remind people of cancellation policies, etc. we are continually reviewing and providing informed consent.

Now, I believe that “involvement of third parties,” absolutely extends to the use of payment systems, electronic health records, telehealth platforms, and so on. In the past, I have emphasized that “involvement of third parties,” could also mean your use of search engines if you engage in searches on your patients as part of your practice.

So if these relationships are changing, or if the platform itself is going to require psychotherapy patients to agree to new terms and give up ownership of their data in order to access their therapy sessions, I simply do not see how we can fail to discuss this with our clients.

But let’s also go back to Standard 3.10:

3.10 Informed Consent

(a) When psychologists conduct research or provide assessment, therapy, counseling, or consulting services in person or via electronic transmission or other forms of communication, they obtain the informed consent of the individual or individuals using language that is reasonably understandable to that person or persons except when conducting such activities without consent is mandated by law or governmental regulation or as otherwise provided in this Ethics Code…..

And let’s skip to section d, below:

(d) Psychologists appropriately document written or oral consent, permission, and assent…

So our Ethics Code tells us that when we are providing services via electronic transmission we obtain informed consent in language that is reasonably understandable. I would say as one of the “Users,” of the platform I was using, I was not able to fully understand what I was agreeing to. I would guess that many of my clients who aren’t in the legal profession might also be unable to understand it as well. Furthermore, it seems to me that we would need to also document permission to continue with an EHR platform that is changing its terms on our patients.

I tried to liken this to some colleagues as what happened when I moved from a quiet little office in the Castro to a big professional building in downtown SF. When I moved, my clients had to check in with a security guard who asked for their names and identification when they entered the building after 5pm. I talked to the building management to protect client confidentiality and ask them to please let people simply say they were coming to see me without having to provide any name or identification. It worked out fine. But I also discussed it with my clients and let them know they did not have to give their name and identify themselves. This was a change in procedures that impacted their privacy. It is the only comparable example I can give now that we are so digitally enmeshed. Because, obviously, my office building wasn’t going to take photos or names and claim to own them.

Moving on, I believe strongly in the General Principles of my Ethics Code and I also believe a number of them apply:

 

Principle A: Beneficence and Nonmaleficence

Psychologists strive to benefit those with whom they work and take care to do no harm. In their professional actions, psychologists seek to safeguard the welfare and rights of those with whom they interact professionally and other affected persons, and the welfare of animal subjects of research. When conflicts occur among psychologists’ obligations or concerns, they attempt to resolve these conflicts in a responsible fashion that avoids or minimizes harm…

Well, I definitely think that moving to a more privacy minded platform and talking to my patients about this is in service of safeguarding their welfare and rights and minimizing harm.

While many clinicians may have reasonable arguments for continuing on this or any platform, it seems that a conversation about what it means to stay on there would be another easy way to minimize harm. And what about those who might feel forced to accept an agreement that isn’t in their best interests just to continue care with a therapist they want to continue seeing?

Wouldn’t a discussion about this be important?

Principle B: Fidelity and Responsibility

Psychologists establish relationships of trust with those with whom they work. They are aware of their professional and scientific responsibilities to society and to the specific communities in which they work. Psychologists uphold professional standards of conduct, clarify their professional roles and obligations, accept appropriate responsibility for their behavior, and seek to manage conflicts of interest that could lead to exploitation or harm….

I absolutely believe that what this EHR is doing is a form of exploitation of both the clinicians and the therapy clients using it. So I think Principle B applies here too. Continuing to establish a relationship of trust and managing conflicts of interest was at heart when I talked to my clients about it.

 

Principle C: Integrity

Psychologists seek to promote accuracy, honesty, and truthfulness in the science, teaching, and practice of psychology. In these activities psychologists do not steal, cheat or engage in fraud, subterfuge, or intentional misrepresentation of fact. Psychologists strive to keep their promises and to avoid unwise or unclear commitments. In situations in which deception may be ethically justifiable to maximize benefits and minimize harm, psychologists have a serious obligation to consider the need for, the possible consequences of, and their responsibility to correct any resulting mistrust or other harmful effects that arise from the use of such techniques.

If we are acting with integrity and promoting accuracy, honesty, and truthfulness in our practices, why would we NOT discuss what’s happening on our EHR platforms and chat openly about this with the people we are seeing clinically? I think most of them would care about this quite a bit.

Principle E: Respect for People’s Rights and Dignity

Psychologists respect the dignity and worth of all people, and the rights of individuals to privacy, confidentiality, and self-determination….

My primary concerns about these privacy changes were initially about peoples’ right to privacy and confidentiality. But self-determination speaks to a person’s right to to make decisions for themselves.

Ultimately, this is one of the most relevant and critical ethical considerations to me in terms of what is happening with this EHR (and what may happen to other big tech EHR’s).

I want my clients to feel free to decide what happens with their health data and not have it decided for them by me or by a service I willingly choose to use. So this brings it back to why it felt imperative to me to talk about this openly with my clients and give them the option to move to the new platform with me or go back to paper charts.

Are there Clinical Considerations? 

Why what a great question. I’m so glad you asked!

At some point in the near future, when psychotherapy clients start trying to attend therapy  on Dimple Cactus and they are met with a pop-up  forcing them to accept new terms of service that some of their therapists have discussed with them (and some have not),I think it’s going to get…interesting.

Maybe some clients will feel like they have to say yes to this in order to continue seeing their therapist. Some may have already talked about it with their therapist and they have already decided they are okay with it. Some psychotherapy clients may wonder why their therapist didn’t talk this through with them at all? And I wonder if perhaps some will look for therapists who use different systems.

Will people feel comfortable raising the issue at all if they are upset with their therapist for not moving or not mentioning it?

I am so very curious about all of these scenarios. So aside from legal, ethical, and risk management, I think this has the potential to become a big clinical issue and I am very interested in hearing from any of you who wind up having clients respond to the forced opt-in, whenever that gets rolled out.

As for my own clinical feedback: despite the headache, hassel, and repetitive strain issues of the last weeks as I drag and click away into eternity as I move charts to the new system…most of my clients have thanked me for caring about their privacy and getting off that platform that wanted to own their data.

It’s still unclear to me what will happen with the records of terminated clients who will never have the opportunity to have a vote in this. I would guess that their records would be outside of the license to use, reproduce, distribute…blah blah blah. But I lost trust in this platform already and I’m glad I have removed their data. Note that they said that they would do this even with terminated and deleted accounts.

It’s been an adventure.

Oh, and if you wonder where I went with my data, I went to PSYBooks. Like I said, it’s not the most streamlined and it doesn’t have the best user experience. But, it is run by a caring and committed psychologist I know who has no intentions of ever selling or de-identifying user data. I was tempted by other platforms, but I hope to never have to migrate this data again. And she is local, so if she does something else with her platform, I can go bang on her door and ask her why. Also, her customer support team is exceptional. So that’s where I went and why.

As always, I am so curious about your thoughts and experiences. Please hit reply and tell me what this has been like for you.

I’ve sure missed talking to you all, but I didn’t have anything so meaningful to post about in a long while.

Best wishes,

Keely Kolmes

September 22, 2023: 9:56am Eastern: This post was  initially addressed to mental health professionals. But many of us are in therapy. And many of my readers are also people who obtain mental health services. If this issue has impacted you as a psychotherapy client, can you let me know? If you’re comfortable commenting, you can do that, or you can send me a note. Thanks!