
Eye on Ethics

Privacy Audits in the Digital Age
By Frederic G. Reamer, PhD
October 2016

Every social worker knows that the advent of digital technology has changed the meaning of the term privacy in professional practice. During most of social work's history, privacy meant talking to clients in protected office-based settings, storing sensitive documents in locked file cabinets, avoiding disclosure of confidential information to third parties without authorization, and so on. In contrast, today's social workers must know how to secure the privacy settings on online social networking sites (such as Facebook), ensure that their workplace e-mail accounts and smartphones are properly encrypted, and verify that the videoconferencing software they use to communicate with clients who live in remote locations is compliant with HIPAA standards.

Many contemporary social workers began their careers long before today's digital technology existed. Social work services were delivered in person and summarized in written records. Correspondence with clients and colleagues was in the form of letters. In contrast, many social workers now deliver services to clients using e-mail, video, text messaging, and online posts. Communications about clients among colleagues often occur electronically. Oh, how times have changed!

Clearly, social workers have always understood the importance of client privacy, although our grasp of complex subtleties and nuances has increased dramatically over the decades. Here is the sum total of what the first NASW Code of Ethics, adopted in 1960, had to say about privacy: "I respect the privacy of the people I serve." That's it.

In sharp contrast, the current NASW Code of Ethics includes many detailed and comprehensive standards related to client privacy and confidentiality. They include specific guidelines related to client consent; disclosures to protect clients and third parties from harm; confidentiality when providing services to couples, family, and groups; disclosures to third-party payers; disclosures during legal proceedings and to the media; storage of client records; transfer and disposal of client records; disclosure of confidential information during collegial consultation; and protecting the confidentiality of deceased clients.

The Emergence of Privacy Audits

Increasing numbers of social work agencies and practitioners are conducting what are now known as privacy audits to ensure compliance with current standards. Many of the current privacy audit standards were developed with two prominent sets of federal standards—HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act—in mind. HIPAA, which has become the gold standard related to privacy, is very well known. As most social workers know, the Health Insurance Portability and Accountability Act (Public Law 104–191, 110 Stat. 1936) was enacted in 1996 by the U.S. Congress and signed by President Bill Clinton. HIPAA sets the standard for protecting sensitive patient data. Any health care provider that deals with protected health information (PHI) must ensure that all the required physical, network, and process security measures are in place and followed.

Less well known is the HITECH Act, part of the American Recovery and Reinvestment Act of 2009, which includes provisions requiring organizations to conduct privacy audits. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules. Health care organizations and third-party payers are expected to monitor for breaches of PHI from both internal and external sources.

In 2012, the U.S. Office for Civil Rights released criteria that its auditors use to validate compliance with federal regulations. They provide a useful guide for social service agencies and social workers that conduct their own privacy audits. Key audit activities include the following:

Determine the activities that will be tracked or audited. Obtain and review documentation to determine whether audit controls have been implemented over information systems that contain or use PHI.

Select the tools that will be deployed for auditing and system activity reviews. Inquire of management as to whether systems and applications have been evaluated to determine whether upgrades are necessary. Obtain and review documentation of tools or applications that management has identified to capture the appropriate audit information.

Develop and deploy the information review/audit policy. Obtain and review formal or informal policies and procedures and evaluate the content to understand whether a formal audit policy is in place to communicate the details of the entity's audits and reviews to the workforce. Obtain and review an e-mail, or some form of communication, showing that the audit policy is communicated to the workforce.

Develop appropriate standard operating procedures. Obtain and review management's procedures in place to determine the systems and applications to be audited and how they will be audited.

The American Health Information Management Association (AHIMA)—a prominent organization dedicated to improving the management of health-related information—has developed comprehensive protocols for professionals who want to conduct privacy audits. Their guidelines are especially valuable for social workers and social service agencies.

According to AHIMA, privacy audits should produce detailed audit logs that are useful for the following:
• detecting unauthorized access to client information;
• establishing a culture of responsibility and accountability;
• reducing the risk associated with inappropriate access;
• providing forensic evidence during investigations of suspected and known security incidents and breaches to client privacy, especially if sanctions against a workforce member, business associate, or other contracted agent will be applied;
• tracking disclosures of PHI;
• responding to client privacy concerns regarding unauthorized access by family members, friends, or others;
• evaluating the overall effectiveness of the organization's policy and user education regarding appropriate access and use of client information (this includes comparing actual workforce activity to expected activity and discovering where additional training or education may be necessary to reduce errors);
• detecting new threats and intrusion attempts;
• identifying potential problems; and
• addressing compliance with regulatory and accreditation requirements.
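As an added illustration (not part of this column or of AHIMA's protocols), the Python script below shows what three of these uses look like when run over an access audit log: spotting record accesses by staff with no assigned relationship to the client, listing disclosures to outside parties, and comparing each worker's actual record views against an expected baseline. The log format, the caseload roster, the baseline figure, and all sample values are constructed for the example.

```python
"""Review a constructed PHI access audit log against a caseload roster.

Demonstrates three of the audit-log uses listed above: detecting access to
client records by workers not assigned to the client, tracking disclosures
of PHI to third parties, and comparing actual activity to expected activity.
The log fields, roster, baseline and sample values are assumptions made for
this example, not a real agency's data.
"""
import csv
import io
from collections import Counter

# Constructed sample log: one line per access to a client record.
# Fields: timestamp, user, action, client_id, recipient (disclosures only).
SAMPLE_LOG = """\
timestamp,user,action,client_id,recipient
2016-10-03T09:02:11,jdoe,view,C1001,
2016-10-03T09:05:40,jdoe,view,C1002,
2016-10-03T09:30:02,asmith,view,C1001,
2016-10-03T10:12:55,jdoe,disclose,C1001,Blue Cross (payer)
2016-10-03T11:45:19,asmith,view,C2044,
2016-10-03T12:01:03,rlee,view,C1001,
2016-10-03T12:01:30,rlee,view,C1002,
2016-10-03T12:02:10,rlee,view,C2044,
2016-10-03T12:02:45,rlee,view,C3090,
"""

# Constructed caseload roster: which workers are assigned to which clients.
CASELOAD = {
    "jdoe": {"C1001", "C1002"},
    "asmith": {"C1001", "C2044"},
    "rlee": {"C3090"},
}

# Assumed baseline: expected number of record views per worker per day.
EXPECTED_DAILY_VIEWS = 3


def parse_audit_log(text):
    """Parse CSV audit-log text into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_unassigned_access(events, caseload):
    """Return (user, client_id, timestamp) for every access to a client the
    user is not assigned to. These are leads for supervisory follow-up
    (coverage or consultation may explain them), not proof of misuse."""
    flagged = []
    for ev in events:
        assigned = caseload.get(ev["user"], set())
        if ev["client_id"] not in assigned:
            flagged.append((ev["user"], ev["client_id"], ev["timestamp"]))
    return flagged


def disclosure_report(events):
    """Track disclosures of PHI: who disclosed which record, to whom, when."""
    return [
        (ev["user"], ev["client_id"], ev["recipient"], ev["timestamp"])
        for ev in events
        if ev["action"] == "disclose"
    ]


def activity_vs_expected(events, expected_views):
    """Count record views per user; return (all counts, users above baseline)."""
    views = Counter(ev["user"] for ev in events if ev["action"] == "view")
    over = {user: n for user, n in views.items() if n > expected_views}
    return dict(views), over


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for item in find_unassigned_access(evs, CASELOAD):
        print("unassigned access:", item)
    for item in disclosure_report(evs):
        print("disclosure:", item)
    views, over = activity_vs_expected(evs, EXPECTED_DAILY_VIEWS)
    print("views per user:", views, "| above baseline:", over)
```

On the constructed log, the review flags three accesses by `rlee` to clients outside that worker's caseload, lists the single disclosure to a payer, and shows `rlee` exceeding the expected daily view count; in practice each flagged item would be checked against coverage arrangements or documented consultation before any conclusion is drawn.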

The permeation of social work practice by digital technology has created new and stricter privacy expectations and standards. Today's social workers would do well to keep pace with them.

— Frederic G. Reamer, PhD, is a professor in the graduate program of the School of Social Work at Rhode Island College. He's the author of many books and articles, and his research has addressed mental health, health care, criminal justice, and professional ethics.