(p. 185) Ethics-Based Staff Training About Confidentiality 

Mary Alice Fisher

date: 14 December 2017

It is important for all personnel in mental health settings to perform their assigned tasks competently, but for staff members who interact with mental health patients, or who have access to patient information, it is important that their competence include ethical awareness. In other words, whether their role is clinical or nonclinical, those who work in mental health settings must demonstrate more than technical competence. For the protection of patients and their rights, ethical competence is also important, especially as it applies to patient confidentiality and record security.1

In contrast to legal training about the Health Insurance Portability and Accountability Act (HIPAA), the confidentiality training described in this chapter is “ethics-based” in the sense that, instead of being based on laws, it is grounded in ethical mandates and professional recommendations from the mental health professions themselves. The Ethical Practice Model, which formed the outline for Part II of this book, reflects these ethical requirements and is useful in the training process. But the fact that the training is ethics-based does not mean that legal issues are ignored. The training recommended here incorporates the relevant legal requirements affecting confidentiality, including state laws and federal HIPAA regulations, in order to place those into ethical context.

Providing confidentiality training for all staff—clinical and nonclinical—can convey the message that everyone shares responsibility for protecting patients’ rights about confidentiality and that all personnel in the setting must collaborate in creating a “culture of safety” that ensures that protection.2 All who work in a mental health setting should attend such training, even if they were previously trained elsewhere: Legal requirements vary from state to state, and voluntary policies vary across settings within each state, so some confidentiality and disclosure policies that were acceptable in their previous setting may be inappropriate in the current one.

(p. 186) This training is especially important for nonclinical staff, because they do not usually have access to ethics training elsewhere; but it is also appropriate for clinical staff. Unlike “generic” ethics training, this training will be focused on setting-specific confidentiality policies that all personnel will be expected to follow.

Including clinical students, interns, and supervisees can also be important. Research suggests that the ethical violations of clinical trainees often involve breaches of confidentiality,3 and participating in such training can be helpful in elevating the ethical awareness of the next generation of clinicians. This training can be part of a mentoring process that allows them to carry a clearer understanding of confidentiality ethics to their future settings.

If desired, confidentiality training can be conducted within a broader ethics training program, rather than presented as a stand-alone topic. Such broader ethics training might include topics such as creating an appropriate office environment, monitoring staff interactions with patients and their families, and respecting boundaries with patients.4 (See the sample training outline in Appendix VIII.)

Ethical Standards and Professional Recommendations About Staff Training

The ethics codes of the mental health professions contain standards that reflect the importance of training staff and monitoring their performance. The American Psychological Association (APA) requires that psychologists who delegate tasks to others “take reasonable steps to … see that such persons perform these services competently.”5 The National Association of Social Workers (NASW) ethically requires those with administrative responsibilities to “take reasonable steps to ensure that the working environment for which they are responsible is consistent with and encourages compliance with the NASW Code of Ethics;” to “eliminate any conditions in their organizations that violate, interfere with, or discourage compliance with the Code”; and to provide or arrange continuing education for all staff to “address current knowledge and emerging developments related to social work practice and ethics.”6 The American Counseling Association (ACA) requires counselors to “make every effort to ensure that privacy and confidentiality of clients are maintained by subordinates, including employees, supervisees, students, clerical assistants, and volunteers.”7

Other professional guidelines also emphasize staff training. For example, the Record Keeping Guidelines of the APA stress the necessity for staff education about protecting the confidentiality of records:

When the psychologist employs clerical or testing personnel, he or she is required by the Ethics Code (Standard 2.05) to take reasonable steps to ensure that the employee’s work is done competently. Therefore, the psychologist strives to educate employees about confidentiality requirements and to (p. 187) implement processes that support the protection of records and the disclosure of confidential information only with proper consent or under other required circumstances (e.g., mandated report, court order).8

The APA Practice Organization and the APA Insurance Trust both recommend that clinical and nonclinical staff be required to sign a confidentiality contract as a condition of employment.9 The website of the American Psychiatric Association (APsyA) provides a sample contract for that purpose.10 If desired, such a confidentiality contract can be one component of a broader ethics contract.11

For the protection of both patients and themselves, mental health professionals must be free to discharge staff members who are unable or unwilling to follow the relevant ethical standards.12 Toward that end, the APA Insurance Trust recommends that psychologists require all personnel to follow the APA Ethics Code, with failure to do so being grounds for termination.13 In multidisciplinary settings, staff can be required to behave in a manner consistent with all the ethics codes that are represented in the setting. If such requirements are to be imposed as conditions of employment, however, this should be stipulated in the initial employment contract.

Legal Requirements About Staff Training

State laws and state agency regulations sometimes contain training requirements for those who assist clinicians in performing certain tasks. In addition, state law can forbid staff members from removing patient records or other identifiable patient data from the setting without the express consent of the owner. All such legal mandates can be included in the ethics-based training described below.

At the level of federal laws, the HIPAA regulations contain both explicit and implied training mandates about confidentiality.14 The HIPAA Privacy Rule requires training for the entire workforce in health care settings.15 This training must be provided within a reasonable time after someone joins the workforce, must apply to the person’s specific job responsibilities, and must be tailored to the confidentiality policies that will apply in that setting. The provider must document that the training was provided.16 The Privacy Rule also imposes a “minimum necessary” standard about disclosure of confidential information, requiring that staff members not be given access to levels of information beyond what is reasonably necessary for fulfilling their own specific duties.17

The HIPAA Security Rule requires Security Awareness Training, as well as contingency planning about staff responsibilities in disaster situations, and it requires that this training be documented.18 Furthermore, HIPAA requires that sanctions be imposed on any staff member who fails to comply with the policies affecting privacy or record security.19 For documenting that staff understood the information covered in the training, their performance on a post-test can be included in their personnel record.20

(p. 188) Integrating Ethical and Legal Training About Confidentiality

The relationship between ethics and laws can be very confusing. As described in earlier chapters, legal requirements about confidentiality sometimes overlap with ethical obligations, but they sometimes conflict with them.21 An advantage of ethics-based training is that it can highlight both the ethical-legal overlaps and the potential ethical-legal conflicts.

Differentiating Between Legal Training and Ethics Training

By definition, ethics-based training about confidentiality will focus on patients’ rights and on therapists’ responsibilities in protection of those rights, as defined by the mental health professions themselves. In contrast, legal-based training will focus on laws and regulations that are created by legislators, regulators, and courts. Training about the relevant laws will be necessary and important, but should not be treated as a substitute for ethics-based training.22 Attorneys often provide some of the legal training about confidentiality. Although attorneys are experts about the law, mental health professionals must be the experts about the ethical standards of their own professions and must retain responsibility for clarifying the ethical implications of the laws that are taught.

Disadvantages of Law-Based Training

Confidentiality training that is based solely or largely on legal responsibilities can have several major disadvantages for therapists and their patients, as noted earlier:

First, it fosters the impression that attorneys—not clinicians—have become the only “real” experts about this aspect of practice. Second, it creates a legal language about confidentiality that threatens to usurp psychologists’ own clinical or ethical language about it: Laws take center stage, when what is needed is a language for placing them into ethical context. Third, it exacerbates the figure–ground confusion (by substituting legal rules for ethical rules) and often takes a risk-management perspective that raises anxiety: It encourages psychologists to focus on obeying laws in order to avoid risks to themselves when what they need is a clearer focus on their ethical obligations and the potential risks to clients.23

Some therapists report that legal-based risk management training can raise their anxiety to the point at which they cease to learn what is being taught. In fact, one thing obscured by the legal focus is the fact that the best risk management strategy begins with understanding and following the patient-protective ethical standards of one’s profession.

(p. 189) Advantages of Ethics-Based Training About Confidentiality

Laws can have ethical consequences, which is why it is not appropriate for staff training to focus only on the laws themselves. It is recommended that staff training be organized around the therapists’ ethical standards; then, relevant laws can be integrated into that ethical structure. The Ethical Practice Model can be very useful for that purpose. The ethical topics of confidentiality and record keeping can be presented using that six-step model; then, the legal information can be placed into ethical context by incorporating it within that ethics-based outline, highlighting the ethical implications of both the legal protectors and the legal limiters of confidentiality24 (see discussion in Chapter 3 and the annotated model in Appendix V).

Staff members who have been taught about therapists’ ethical responsibilities will be aware that ethical requirements and legal demands might differ. In integrated training, staff will not simply learn the relevant laws but will learn to consider the ethical implications of those laws. Staff members who learn to notice when ethical and legal demands differ will learn to bring questions to the psychologist rather than responding to a legal demand without consultation.

The importance of providing training that places laws into ethical context is illustrated below using three training examples that contrast law-based HIPAA training with the ethics-based confidentiality training advocated here.25

Training Module 1: What If You Receive a Legal Demand for Patient Information?

HIPAA training might teach that a legal mandate is a sufficient basis for disclosing information without the patient’s consent. Legally speaking, this is sometimes accurate. Ethically speaking, however, this circumstance is actually much more complicated, because therapists have ethical requirements when faced with ethical-legal conflicts (see, in Chapter 1, “Ethical Standards About Conflicts Between Ethical Duties and Other Obligations”).

Ethically, the first step is to determine whether the patient wishes to give consent for the legally demanded information to be disclosed. If not, the therapist can seek ways to minimize disclosure and can sometimes protect the information completely.26 Even if the information is not legally protectable, therapists should not delegate to nonclinical staff the responsibility for deciding whether to disclose it. In such circumstances, the therapist is advised to use a structured decision-making process for deciding whether to “follow the law despite their ethical concerns” or whether “a conscientious objection is warranted.”27 Although the ethics-based training can teach nonclinical staff how to behave ethically when a subpoena is initially delivered, therapists themselves have responsibility for weighing the competing values and deciding what to do next.

(p. 190) Training Module 2: Can You Disclose Without Patient Consent If Legally Allowed?

Some law-based training suggests that if a specific type of disclosure is allowed by law, then the patient’s authorization is not needed. This has broad implications, because HIPAA legally allows disclosures for such vague and wide-ranging purposes as “treatment, payment and health care operations activities,”28 and some states have laws allowing similarly broad disclosures without patient consent.

Ethically speaking, disclosing information without patient consent in the absence of a legal requirement to do so constitutes a voluntary breach of confidentiality. Whereas a legal requirement can create a true ethical-legal conflict (thereby invoking the ethical duties described in the module above), a voluntary disclosure involves no ethical-legal conflict at all. “There is thus a vital ethical difference between legally mandated disclosures (which can be legally compelled whether or not a patient gives consent) and those merely legally allowed (which psychologists remain free not to make, and for which a patient remains free not to give consent).”29

Throughout these chapters, we have advocated that therapists take the supererogatory ethical position that voluntary disclosures without the patient’s consent should be avoided whenever legally possible. Consistent with this position, ethics-based training can teach that “legally allowed” is not synonymous with “ethically appropriate,” and that only the mental health professional can decide whether and when to disclose in the absence of the patient’s informed consent.

Training Module 3: What Must You Do to Protect Patients’ Informed Consent Rights?

HIPAA trainers may teach that, in the name of efficiency, nonclinical staff can satisfy the legal requirement to inform prospective patients about limits of confidentiality by simply obtaining their signature on the HIPAA “Notice of Privacy Practices” when they first arrive. “This practice is not unethical in itself; but it is not a substitute for obtaining the client’s truly informed consent to accept the potential risks that may be created by the limits that may be imposed on confidentiality.”30

Legally speaking, the only purpose for obtaining a signature on the HIPAA notice is to document that the patient received it. Ethically speaking, however, obtaining a patient’s informed consent involves more than this (see Chapter 5 about obtaining informed consent at intake and Chapter 6 about obtaining patient consent before disclosing patient-specific information). A further ethical problem is raised by the fact that most versions of the HIPAA notice are written in language that is unintelligible to average patients, and thus do not meet therapists’ ethical requirement to inform patients in “developmentally and culturally appropriate” language that is “clear and understandable”31—or at least “reasonably understandable.”32

In some clinical settings, nonclinical staff are given responsibility for informing prospective patients in advance about certain other things that may have implications for confidentiality, including information about third-party reimbursement, (p. 191) before they meet with a therapist for the first time. Although therapists are not always in control of such policies, they can meet their ethical and professional obligations by (1) providing ethics-based staff training about informed consent to the personnel who make that first contact, and then by (2) beginning their own initial sessions with a discussion that determines whether the patient has been adequately informed and understands the information. This includes inviting patients to ask questions about the limits of confidentiality and responding to those questions with clear answers about how the therapist actually intends to behave. It is important that the therapist be the one to conduct this conversation, not only because nonclinical staff may not know the accurate answers, but also because such conversations can raise clinical issues that nonclinical staff should not try to address.

Finally, since informed consent is an ongoing process, the limits of confidentiality must be discussed not only at the outset of the relationship, but also whenever thereafter new circumstances might warrant. This renewed conversation cannot be delegated, because “such issues are best addressed when they arise, and that will likely be during a private session with the therapist.”33

Separating Ethics-Based Training From Technical Training or Administrative Training

The ethics-based training advocated here is different from the technical training that is sometimes legally required for those who assist clinicians in certain types of tasks (e.g., psychological testing assistants). This training is also different from the task-specific ethics training that some employees may need if they perform specialized duties that have ethical implications (e.g., performing billing tasks or ensuring that proper authorizations are in place before disclosing information to others).

For conducting the ethics-based training described here, it can be useful to construct a training manual, and samples are available.34 Such a manual should be separate from the broad policy manuals used in many settings. “It is recommended that the ethics-based training be presented separately, in its own self-contained manual. Otherwise, its importance may be diminished and its ethical intentions obscured by the large number of general administrative matters, business goals, and legally-required details in a general policy manual.”35

Recommendations When Planning Integrated Staff Training

We will consider here only those recommendations related specifically to staff training on the topic of patient confidentiality, even though this training may be conducted within the context of a broader ethics-based curriculum.36 Based on the ethical and legal considerations described above and throughout this volume, (p. 192) therapists or administrators who are planning or conducting staff training in their own mental health setting can consider the following:37

1. Planning for the confidentiality training must begin by constructing a set of clear written policies that all staff will be expected to follow. These must both conform to ethical standards and meet the legal requirements that apply in the setting. Constructing a training manual will help the clinician be more clear about the policies and more prepared to enforce them. If the policies are vague, unclear, or ineffective, so will be the training.

2. There can be advantages in providing the same ethics-based confidentiality training to all personnel in the setting, including clinical staff and trainees, as well as nonclinical staff and volunteers. Inappropriate or unethical behavior by anyone in the setting can harm a patient and/or reflect badly on the mental health profession. “Helping staff maintain ethical practices will not only create a culture of safety in which clients are protected in the current setting but also can help raise ethical standards in other settings where these employees might later work.”38

Everyone in the setting can be given responsibility for monitoring performance and offering further recommendations about how to provide the best confidentiality protections for patients. It is important that trainers assure staff that there will be no retaliation if they call attention to gaps in the confidentiality safety in the workplace. It can be explained that the HIPAA Breach Notification Rule legally requires therapists to report any known breaches of confidentiality, and that staff can participate in that process.

3. On subtopics that have both ethical and legal content, it is recommended that the training begin with the ethical standards and related professional recommendations. Legal requirements can then be discussed within that context, to help staff understand their ethical implications. For example, training on the ethical subtopic of “Informing Prospective Patients About the Limits of Confidentiality” can begin by covering the relevant ethical standards listed in Appendix II and using the graphic in Figure 1.2. Within that context, there can also be discussion of the legally required HIPAA “Notice of Privacy Practices,” explaining to staff that this legal form meets the “informing” requirement but not the “consent” requirement.

4. Mental health professionals who are not sophisticated about legal issues may decide to invite some attorney-led training about certain aspects of confidentiality, such as responding to subpoenas. However, such legal training should not be treated as a substitute for ethics training on that topic. If attorney-led training is presented within the practice setting, it should be placed into ethical context at the time (as described above) by a mental health co-leader. This plan should be explained to the invited attorney in advance. If staff will receive law-based training (e.g., HIPAA training) elsewhere, they will better understand its ethical implications if the related ethics-based training has been provided first.

5. Confidentiality training should not be a one-time event. Ethics codes and laws can change, making ethical and legal updates important. General refresher training (p. 193) is also recommended, perhaps annually. Meanwhile, in the more frequent regular staff meetings, therapists can address ethical issues about confidentiality whenever they arise in the setting.

6. Therapists, administrators, and trainers can evaluate staff’s level of understanding through oral or written examinations. These can be administered immediately after the training and repeated annually, or can be a required part of job-performance evaluations. Staff can be provided with certificates that document completion of the training.39

7. All staff, both clinical and nonclinical, can be required to sign a confidentiality contract as a condition of employment,40 and this signing can be renewed at annual refresher trainings, to emphasize its importance. If a deliberate breach of that contract will be considered cause for dismissal, that should be explained in the hiring interview and in the initial employment contract. (p. 194)


1. Bennett, Bricklin, Harris, Knapp, VandeCreek, & Younggren (2006), Assessing and Managing Risk in Psychological Practice; Fisher (2009a), “Ethics-based training for non-clinical staff in mental health settings”; Fisher (2012), Confidentiality and Record Keeping; Koocher & Keith-Spiegel (2008), Ethics in Psychology and the Mental Health Professions.

2. Knapp & VandeCreek (2006), Practical Ethics for Psychologists: A Positive Approach, p. 115.

3. Fry, vanBark, Weinman, Kitchener, & Lang (1997), “Ethical transgressions of psychology graduate students: Critical incidents with implications for training.”

4. See Fisher (2009a). This article, which contains a sample outline for broad-based ethics training, is also available online at A sample training manual is also available for purchase at

5. APA Ethical Standard 2.05 (“Delegation of Work to Others”).

6. NASW Ethical Standards 3.07 and 3.08 (“Continuing Education” and “Staff Development”).

7. ACA Ethical Standard B.3.a (“Subordinates”).

8. APA (2007), “Record keeping guidelines,” p. 997.

9. APA Practice Organization, Office of Legal and Regulatory Affairs (2006), Final HIPAA Enforcement Rule Takes Effect; Bennett et al. (2006).

10. See APsyA (2011), Confidentiality Policy and Form for Staff to Sign.

11. See sample staff contracts at Center for Ethical Practice (2009), Staff Training: Sample Documents.

12. Regarding malpractice risks that can arise with staff or employee use of electronics, see Tracey (1998), “Be aware of malpractice risks when using electronic office devices.”

15. “Workforce” is defined in HIPAA to include paid employees plus trainees, supervisees, and volunteers under direct control of the HIPAA-covered clinician. It is not necessary for every employee, trainee, supervisee, or volunteer to know everything about HIPAA and patient privacy, but each should be trained about what is necessary for carrying out his or her own duties and trained not to handle patient information (p. 291) beyond their job description and training unless specifically so authorized. See HIPAA, 45 C.F.R. 164.530(b) (1); see summary, “Staff Training Required by HIPAA Regulations” in Appendix IV.

16. HIPAA, 45 C.F.R. 164.530(b) (1): “A covered entity must train all members of its workforce on policies and procedures with respect to protected health information.”

17. In Appendix IV, see HIPAA re: “minimum necessary disclosures.”

18. HIPAA, 45 C.F.R. 164.308. Also see APA Practice Organization, Office of Legal and Regulatory Affairs and Technology Policy and Projects Staffs (2005, June), Contingency Planning: Do You Know What HIPAA Requires?

19. HIPAA, 45 C.F.R. 164.308(a)(1)(ii)(C); 164.530(e)(1). Training requirements are summarized in Appendix IV and at Also see links to HIPAA-Compliance resources at

20. For a HIPAA training guide and a sample HIPAA test for demonstrating staff understanding of that material, see Knapp (2005), “What should your employees know about confidentiality? A HIPAA training guide.” Ideally, a post-test would include not only this legal material but also the voluntary privacy and confidentiality policies that apply in the setting.

21. Donner (2008), “Unbalancing confidentiality”; Knapp, Gottlieb, Berman, & Handelsman, “When laws and ethics collide: What should psychologists do?”; Pope & Bajt (1988), “When laws and values conflict: A dilemma for psychologists.”

23. Fisher (2008b), “Protecting confidentiality rights: The need for an ethical practice model,” p. 6.

24. For making this process clear, and for showing how laws fit into the Ethical Practice Model, trainers can use the color-coded version of the model provided by the Center for Ethical Practice (2010) at

25. The following three examples were adapted from Fisher (2009a), pp. 460–461.

26. See, for example, APA Committee on Legal Issues (2006), “Strategies for private practitioners coping with subpoenas or compelled testimony for client records or test data,” and APA Practice Organization, Legal & Regulatory Affairs Staff (2008, December), How to Deal With a Subpoena.

28. HIPAA, CFR § 164.506.

29. Fisher (2009a), p. 461.

31. ACA Ethical Standard A.2 (“Informed Consent in the Counseling Relationship”) paragraph c.

32. APA Ethical Standard 3.10 (“Informed Consent”).

33. Fisher (2009a), p. 461.

34. See, for example, Fisher (2009a) and Appendix VIII.

35. Fisher (2009a), p. 462.

36. The sample outline provided by Fisher (2009a) and reproduced in Appendix VIII is an example of a broader ethics curriculum that includes the topic of confidentiality, among other topics such as privacy, boundaries, informed consent, relationships with patients, and the like.

(p. 292) 37. The following paragraphs are loosely adapted from the sections “Integrating Ethical and Legal Training Requirements” and “Advantages of Ethics-Based Training” in Fisher (2009a), pp. 461–462.

38. Fisher (2009a), p. 465.

39. See sample certificate at Center for Ethical Practice (2009).

40. See sample contracts at Center for Ethical Practice (2009).