Record-Keeping of Phone Messages, Email and Texts
in Psychotherapy & Counseling
Ofer Zur, Ph.D.
This article is part of two online courses:
Digital and Social Media Ethics for Psychotherapists: Clinical and Ethical Considerations (8 CE) and
Record Keeping in Psychotherapy & Counseling: Ethical, Legal, and Clinical Issues (6 CE)
To cite this page: Zur, O. (2010-Revised 2015). Record-Keeping of Phone Messages, Email and Texts in Psychotherapy & Counseling, Online Publication, Zur Institute. Retrieved month/day/year from http://www.zurinstitute.com/digital_records.html
Table Of Contents
1. Records of phone messages, emails & texts
2. Phone, email & texting
2a. Phone messages from clients
2b. Email communication between therapists and clients
2c. Texting between therapists and clients
2d. Confidentiality and HIPAA Considerations
3. Recording phone messages, emails & texts
3a. Archiving phone messages from clients
3b. Archiving emails to and from clients
3c. Archiving text messages from and to clients
3d. Overview on archiving texts, emails and phone messages
5. References & Further Online Resources
Modern digital technologies have raised many complex clinical, ethical and legal issues for psychotherapists, counselors, MFTs, social workers, psychiatrists and other mental health care providers, as well as for clients, patients, and other consumers of mental health services. This paper addresses the issue of record keeping with regard to phone messages, email, and texting between clients and therapists. It does not address record-keeping for telehealth, tele-mental-health, phone therapy or e-therapy. The paper emphasizes that, as with every electronic communication, the ramifications of text messaging, emails or online recording services on security, privacy, and confidentiality are not clear yet. Therapists must use caution, as well as informed consent, when using cutting-edge digital methods to communicate with clients and store such communications.
1. Are voicemail messages, emails, and texts part of the clinical records?
Among the many digital complexities therapists face these days is the question of whether emails and phone text messages are part of the clinical records. This issue is similar to the pre-digital question of whether phone messages should be included in the treatment records. Like phone messages, emails and text messages that have clinical or other significance should be considered part of the clinical records. Like phone messages and phone calls, texts and emails that simply discuss scheduling or other issues with little or no clinical significance do not need to be included in the clinical records. In addition to clinical importance, archiving email, voicemail, or texts may also become important in cases where therapists are inundated with messages from clients, are harassed, stalked, or threatened by clients, or during crisis and other high-pressure situations.
2. Therapist-client communication via phone messages, email and texting
This section reviews the issues that are involved in therapists communicating with their clients via phone messages, emails and cell phone texts. The last part of this section briefly reviews the relevant privacy, confidentiality and HIPAA considerations and provides follow-up resources.
a) Phone messages from clients:
Therapists are accustomed to having an answering machine or voicemail system and readily giving clients a phone number where they can leave phone messages.
b) Email communication between therapists and clients:
In the digital age, increasing numbers of therapists communicate with clients via email, which makes sense: email communication has become an acceptable and expected mode of communication in the 21st century (see article: I Love These Emails, or Do I? The Use of Emails in Psychotherapy and Counseling). Email communication has an inherent vulnerability, as computers and the electronic communication they contain can be relatively easily accessed by unauthorized people, which can compromise the privacy and confidentiality of such communication. Emails (and e-faxes) are vulnerable to such unauthorized access because servers have unlimited and direct access to all emails and e-faxes that go through them. Additionally, most therapists' emails and digital data are not encrypted, as there is technical complexity and coordination involved in encrypting emails. It is recommended that therapists use an Informed Consent with clients that outlines the risks to privacy and gives clients the choice of whether to use email or not. Such consent may simply be included in the Office Policies or Informed Consent that all clients read and sign prior to the beginning of treatment (Informed Consent form is available via our Essential Clinical Forms).
Update for 2014: While the 2013 HIPAA Omnibus Rule clarified that clients can choose to request unencrypted emails from their providers, professional ethics codes, licensing boards, and state laws may define some restrictions on the contents or uses of these emails or define heightened requirements for the process of informed consent.
For example, the 2012 NBCC Code of Ethics requires that NCCs use encryption for any electronic communications "of a therapeutic type." The 2014 ACA Code of Ethics requires that counselors "urge clients to be aware" of the confidentiality risks in unsecured electronic communications before informed consent can be given. Some licensing boards also have restrictions similar to those of the NBCC code. Some have even tighter restrictions.
While there are extremely few circumstances where client autonomy to receive emails from their therapists is removed completely, the landscape has become somewhat more complex. Be sure to understand your applicable ethics codes and laws before adopting an informed consent process around email and other unsecured electronic communications with clients.
c) Texting between therapists and clients:
As more young people enter therapy, texting is used more frequently, initiated not only by patients but also by therapists, who quickly learn that the most effective way to communicate with young people (AKA digital natives) is by texting as opposed to phone calls, phone messages or emails. (See the extensive article on the differences between the younger generations, Digital Natives, and the older ones, Digital Immigrants.) Still, many older therapists (AKA digital immigrants) are reluctant to give their cell phone number to clients for personal (e.g., not wanting to be available to clients 24/7), cultural-generational (e.g., digital immigrants generally prefer phone calls to texts), and clinical reasons (e.g., it may be counter-clinical to give some clients such unlimited and direct access). Regardless of the reasons that therapists are reluctant to text with clients, I have no doubt that in our consumer-driven behavioral health market, setting and changing appointment times and many other basic administrative and simple communications between therapists and clients will be done increasingly on cell phones and via texting in the next few years.
Most digital natives have only a cell phone without a landline, meaning they are available to text and communicate anywhere, virtually any time. As these natives grow up, attend graduate schools, and begin their own clinical practices, the professional protocol of how to communicate with clients will inevitably shift even more strongly in the direction of fluid, instant communication (such as texts). Today's therapists will follow in the footsteps of most parents of digital native children, who have learned quickly that the best way to get a response from the natives is not by calling nor by emailing, but rather by texting. As with every electronic communication, the ramifications of text messaging on security, privacy, and confidentiality are not clear yet. As with email and other electronic communications, therapists must use caution as well as informed consent when using texts with clients. The informed consent may simply be included in the Office Policies or Informed Consent that all clients read and sign prior to the beginning of treatment (Informed Consent form is available via our Essential Clinical Forms).
Update for 2014: Refer to the update above in section b) for caveats regarding ethics codes and local laws on the process of informed consent for non-secure communications such as classic text messaging.
d) Confidentiality and HIPAA Considerations:
Therapists who communicate with their clients via email and store clinical records digitally must ensure that their computers have password, firewall, and virus protection, logs, backup systems, encryption when necessary, and other computer safety measures. Additionally, therapists must assess whether they are considered a Covered Entity under HIPAA.
There seems to be so much confusion and misunderstanding around the issues of whether email must be encrypted or not. Let me try to shed some light on this issue.
The 2013 HHS-HIPAA regulations refer to the idea that covered entities are permitted or allowed to send clients unencrypted emails and texts, which may include confidential information, if two conditions are fulfilled:
- The client requests and agrees to such unencrypted digital communication after he/she has been advised of the risks (i.e., informed consent)
- The covered entity has conducted and documented an analysis of the different email or text communication options with regard to cost, risk, applicability, suitability, security, etc.
If the covered entity's (i.e., therapist's) analysis shows that encryption is too expensive and difficult to implement given the covered entity's size (i.e., solo private practice) and capabilities, and seems to add little value to the overall security of PHI, then HIPAA allows the covered entity to forgo encryption, after the client has been informed of the risks. It is important to remember that HIPAA regulations are scaled. That means that solo practitioners or small operations are expected to implement and invest much less than larger operations, such as large clinics and hospitals.
HIPAA requires covered entities to document their analysis and decision-making process.
The omnibus, 1/23/2013 version, states:
As clarified in the preamble to the Omnibus Rule, if an individual requests that a copy of his or her PHI be sent via unencrypted email, then a covered entity is permitted to do so, as long as the covered entity has advised the individual of the risks and the individual still prefers the unencrypted email.
The Final Rule, Federal Register/Vol. 78/17, 1/23/2013 states:
We clarify that covered entities are permitted to send individuals unencrypted emails if they have advised the individual of the risk, and the individual still prefers the unencrypted email. We disagree that the "duty to warn" individuals of risks associated with unencrypted email would be unduly burdensome on covered entities and believe this is a necessary step in protecting the protected health information. We do not expect covered entities to educate individuals about encryption technology and the information security. Rather, we merely expect the covered entity to notify the individual that there may be some level of risk that the information in the email could be read by a third party. If individuals are notified of the risks and still prefer unencrypted email, the individual has the right to receive protected health information in that way, and covered entities are not responsible for unauthorized access of protected health information while in transmission to the individual based on the individual's request. Further, covered entities are not responsible for safeguarding information once delivered to the individual. (p. 5634)
Update for 2014: Once again, it is important to differentiate between what HIPAA, a federal law, requires and what is required by local laws as well as professional ethics, standards of care, and best practices. In general, mental health professional organizations recommend a higher threshold than the above-quoted law for informing clients of risks to confidentiality when using email, texting, and other electronic communications. The 2014 ACA Code of Ethics is the first to address this issue in an ethics code (as opposed to a professional guideline document). The ACA code requires that counselors "urge clients to be aware" of those risks to confidentiality, which is a higher threshold of "duty to warn" than is defined by HIPAA.
Be aware, however, that a higher threshold for informing clients of risks is not necessarily a restriction on nor a removal of client autonomy to request these communications. It simply requires a higher level of collaboration with clients to make sure they understand the risks they are taking.
For more information on email communications, computer security and HIPAA, please visit:
3. Recording and archiving phone messages, emails and texts
This section focuses on the practical ways to record or archive phone messages, emails and texts so that, when necessary and applicable, they become part of clients' clinical records. A simple way to record phone messages, emails or texts is to enter a handwritten or typed note in the clinical records that describes the content of these communications. Emails, of course, are easy to print and require no format changes.
a) Archiving phone messages from clients:
Compared to emails, it takes forethought to record phone messages. Most phones will automatically delete old texts to make room for the new ones, and saving phone messages on one's regular phone or voicemail system simply isn't a reliable or practical method of keeping records long-term. Following are three ways to save significant or all phone messages so they can be stored electronically or printed and placed in clinical records:
- A 'low tech' option is to save important phone messages by using audio recording devices and storing the audio recording as a CD in the client's file.
- Digital answering systems can also provide phone messages on MP3 or similar digital audio files, which can be delivered as email attachments on VOI (Voice Over the Internet) phone systems, such as Vonage. These digital audio files can be easily stored electronically on therapists' or clinics' computers.
Update for 2014: Note that for HIPAA covered entities, any system that provides this service qualifies as one’s HIPAA Business Associate. You would need to acquire a Business Associate Agreement with the phone service provider to remain compliant with HIPAA if you use this service and are a HIPAA covered entity.
- There are other systems available, for example Google Voice, that provide technically easy means to save voicemails. Please note that privacy issues should always be considered with any service, as there have been well-publicized privacy breaches by many large companies including Google and Facebook. Google Voice is free and works by having callers call the therapist's Google Voice number, which forwards to as many phone numbers as one likes (such as your cell phone, office and home number). Google Voice saves voicemails as recordings that are emailed to you, and also gives you a not-so-accurate (but often very humorous) typed transcript of what the program thinks was on the message. The most useful part here is the recording, as therapists can save it in a web-based email program or download it to their computer, and print the transcription if they so desire. While this is a viable and easy entry for clinical records, the legal and ethical issues around privacy and confidentiality are far from being resolved. As with other digital issues, Informed Consent that explains to clients the risk involved in such communication due to the method of storage may need to be in place. Google Voice is free, and currently works on an invite-only system; simply ask someone you know who already has the service to send you one, or email your friends to see if anyone has a spare invite.
Update for 2014: Once again, be aware that Google Voice’s voicemail transcription and storage services would cause Google Voice to qualify as a HIPAA Business Associate for HIPAA covered entities who use these features. You would need to acquire a Business Associate Agreement with Google Voice to remain compliant with HIPAA if you use this service and are a HIPAA covered entity. At the time of writing, Google Voice does not enter into Business Associate Agreements.
b) Archiving emails to and from clients:
In comparison to phone messages and texting, emails are rather easy to print and place in clients' files or to save on one's computer.
c) Archiving text messages from and to clients:
When it comes to texting, certain steps must be taken if one wants to have an actual record of the text-conversation, rather than simply taking notes about it. Following are five ways to save significant or all text messages so they can be printed and placed in clinical records:
- Therapists can forward text messages to their own email address.
- A service such as Google Voice can record and save phone text messages. Therapists can simply set it up and give that number to clients and then will have a record of all texts. Again, security concerns are worth taking into account with all such services.
- The service Missing Sync connects therapists' phones to their computers and backs up (archives) the text messages.
- Another option is to use an online for-fee service, such as Treasure My Text. This service stores the text messages online by allowing for simple uploads of messages via text.
- Lastly, some cell phones, such as iPhones, allow therapists to take screenshots of their text messages and then send them to their email address as an attachment.
Note: The above-mentioned methods 2, 3, and 4 involve online services with the inherent vulnerabilities that such services provide. Verify issues of security, privacy and confidentiality before you use these products and employ Informed Consent as necessary.
Update for 2014: Any service that stores protected health information, such as text messages to and from clients, would qualify as a HIPAA Business Associate for HIPAA covered entities. You would need to acquire a Business Associate Agreement with the provider to remain compliant with HIPAA if you use the service and are a HIPAA covered entity.
d) Overview on archiving texts, emails and phone messages:
Whichever method you choose for archiving clinically significant emails, phone messages or texts, make sure it makes sense to you technically and personally. Confidentiality and security issues must be taken into consideration when storing information online and when using web applications to record, archive and store records digitally. Older therapists, who fall under the definition of "Reluctant Digital Immigrants," are by definition intimidated by technology and may simply want to write or type up important text messages, print them, and enter them into the clients' files. Therapists who are not tech-savvy are probably not texting very often, so this cumbersome task will be intermittent and rare. Therapists who text with their clients more often are also more likely to be comfortable with the web technologies listed above. As technology advances, the methods available will be even easier and more intuitive to use. While Google's products are the easiest and most user-friendly of those listed above, their security measures must be carefully evaluated. Digital immigrant practitioners who want help can become oriented to this and other services quite easily with the help of a nearby digital native. The important piece is to find a method of keeping accurate records of messages with clinically significant content that makes sense for the sort of practice that one has. Therapists may also want to consider the issue of informed consent, in which clients are notified of the therapist's record-keeping practices and of the vulnerabilities and risks of the various means of communication and record keeping.
This paper introduced psychotherapists, social workers, counselors, and MFTs to three related topics: archiving phone messages, emails, and texting; therapist-client communication via phone messages, email and texting; and ways to record and archive phone messages, emails and texts. Digital technologies are rapidly evolving and here to stay, and therapeutic practices must evolve to keep abreast of the changes. Clinical record-keeping must encompass the new methods by which therapists and clients communicate. This issue of adaptation will stay alive for many years to come; digital immigrants can think of it as another way to learn about their clients, by getting to know the digital world they live in. As with every cutting-edge digital advancement, the ramifications of text messaging, emails or online recording services on security, privacy, and confidentiality are not clear yet. Therapists must use caution as well as informed consent when using cutting-edge digital methods to communicate with clients and store or archive such communications.
5. References & Further Online Resources