- Center for Ethical Practice - https://centerforethicalpractice.org -

Online Course #1 – Ethics Training in Mental Health Settings: What Do Non-Clinical Staff Need to Know?


Ethics Training in Mental Health Settings: What Do Non-Clinical Staff Need to Know?
Mary Alice Fisher, Ph.D., Clinical Psychologist, Executive Director of the Center for Ethical Practice

3 CE Credits – 22 test items – $75

This is an “intermediate level” workshop, appropriate for mental health professionals from all professions and at all levels of training.


This page contains learning objectives, course outline and complete text for this CE course.  You can read the course online, print the course or save it to your computer. 

At the bottom of the course there is a link that allows you to purchase the test. You will be required to create an account (using your email address) so that you will be able to complete the test immediately, or on your schedule.  You may also begin the test and save it to finish at a later time.

Once you submit the online test, it will be automatically graded. You may take the test up to 3 times in order to pass (80% correct out of 22 questions).  Once you pass, you will be required to complete an evaluation form, after which you will be able to immediately download a certificate of CE credits.



  1. List some of the ethical & legal implications of non-clinical staff involvement with patients and their records.
  2. Describe the areas of ethics-based training that are appropriate for non-clinical staff.
  3. Name some of the advantages of pooling resources for staff training.





I. Ethical & Legal Mandates About Staff Training

     A. Ethical Requirements
     B. Legal Requirements

II. Staff Hiring and Firing

III. What Should Non-Clinical Staff Know?

A. Underlying Principles
B. Environment and Staff-Patient Interactions
C. General Office Procedures in Your Setting
D. Privacy and Confidentiality
1. Protecting Patients’ Informed Consent Rights
2. Limiting “Voluntary” Disclosures
3. Responding Ethically if Disclosure is Legally Demanded
4. Protecting Confidentiality When Using Electronic Technology
E. Boundaries and Dual Relationships
F. Billing and Third-Party Reimbursement
G. Patient Access to Records
H. Other Policies with Ethical and/or Legal Implications
1. Operating Within Your Specified Job Description
2. Monitoring Ethical Behavior in the Setting

IV. Are Your Policies & Expectations Clear? Written?

A. Policies about Employee Behavior
1. What are the Policies About Use of Technology?
2. What are the Policies About Interactions with Patients & Others?
3. What are the Policies About Responding to Attorneys?

B. Policies about Your Own Behavior Toward Employees
1. Are You Available for Consultation?
2. What Might Lead You to Remove an Employee?

C. What Other Policies in Your Setting Have Ethical/Legal Implications?
1. Knowing Procedures in Non-Clinical Emergencies
2. Operating Within the Specified Job Description
3. Monitoring Compliance with Ethical and Legal Standards

V. Who Will Take Responsibility?

A. Who Will Provide Training?
B. Who Will Test Employees?
C. Will You Pool Training Resources?

VI. Recommendations

VII.  Sample Staff Training Manual – Outline

Portions of this course were adapted from Chapter 13, “Ethics-Based Staff Training About Confidentiality” in the book by Mary Alice Fisher, The Ethics of Conditional Confidentiality, published by Oxford University Press in 2013, as well as the book published by APA, Confidentiality Limits in Psychotherapy: ü   Ethics Checklists for Mental Health Professionals [1] (Fisher, 2016). This course is also based on the manual published by The Center for Ethical Practice, Ethics-Based Training Manual for Non-Clinical Staff in Mental Health Settings [2], (Fisher, 2018). That staff training manual is available for purchase in both a Virginia version and a national version. When it is cited and quoted here, the national version is used. To order that staff training manual in either version, please follow this link [3] for more information.

Course Content:


Why should mental health settings provide ethics training for their non-clinical staff?  Employee training usually covers office policies and technical training, but it rarely includes formal discussion of ethics. Yet, mental health professionals are ethically responsible for establishing and maintaining policies and procedures that are consistent with their own professional ethical standards. Unless well trained in the policies that support those ethical standards, staff members might unintentionally behave in ways that place mental health patients or the public at risk, thereby inadvertently placing the clinician at risk.  The training described in this course is therefore designed to meet the staff training requirements that are implied by the Ethical Standards mental health professionals must uphold, and to the best of our knowledge the recommendations are consistent with those from the professions cited in the text.  It can be adapted to outpatient, inpatient, research, or academic clinic settings.

Is legal training necessary for non-clinical staff?  It is not unusual for a mental health care provider to send non-clinical staff members to attend legal-based HIPAA training.  Such training is certainly appropriate and is legally required by HIPAA in mental health settings that transmit patient information electronically.  After all, the non-clinical staff often bear much of the responsibility for maintaining compliance with these complicated federal regulations.  In addition, state laws and regulations can also affect mental health practices, and attorneys often lead legal workshops about these laws.

However, attorney-led training that focuses on legal compliance should never be considered a substitute for ethics-based training that focuses on patients’ rights about confidentiality and privacy.  Fisher (2009) provided the following arguments for differentiating between ethics-based training and legal training:

One advantage of ethics-based training is that its focus is on protection of the client’s rights as defined by the mental health professions themselves. Another advantage is that, unlike training that focuses on laws, an ethical focus shifts the training responsibility away from attorneys and toward psychologists themselves. Because laws can have ethical consequences, it would be inappropriate for psychologists to focus only on the laws themselves or to abdicate their training responsibilities to attorneys (Fisher, 2008). Attorneys are experts about laws, and their participation may be necessary for presenting material that has prominent legal content (including HIPAA), but psychologists must serve as the experts about their own ethical standards and retain responsibility for clarifying the ethical implications of state or federal laws. (Fisher 2009, p. 460, emphasis added.)

What about risk-management training?   Although based partly on underlying ethical and legal requirements, a risk-management focus implies attention not on ethics (i.e., protection of patients and their rights) but instead on protection of the professional who provides the mental health services.  In other words, a risk-management focus implies “attention on minimizing the legal risks to oneself  (e.g., identifying ways in which patients can be harmed — or perceive themselves to be harmed) for the purpose of protecting oneself from allegations of misconduct , whether founded or frivolous”  (Fisher, 2013, p 5).  According to Knapp, VandeCreek, & Fingerhut (2017), risk-management instruction would include attention to how clinicians “can protect themselves from unfounded or frivolous complaints” (p. 11).

In contrast, ethics training focuses primarily on protecting patients and their rights — a focus that also thereby protects clinicians. “From an ethical perspective, staff training is not an end in itself, nor a risk-management strategy for protecting [mental health professionals], but a means of protecting patients and their rights.  The goal is to create a culture of safety in which upholding ethical standards becomes everyone’s shared responsibility” (Fisher, 2009, p. 459).

From an ethical perspective, the better the staff training and the higher the expectations for staff conduct, the better protected the clients will be. From a risk-management perspective, the better protected the clients, the safer the psychologist will be. Attention to risk management does not mean inattention to ethics. On the contrary, awareness of professional ethical principles is an essential aspect of risk management. (Fisher, 2009, p. 460; Knapp et al., 2017, p. 11)

The ethics-based training outlined here would be appropriate not only for non-clinical staff, but also for clinical staff, supervisees, students, and volunteers.  It is suggested that in multidisciplinary settings, all personnel be included in this staff training in order to create a “culture of safety” (Knapp, VandeCreek, & Fingerhut, 2017, p. 201) in which maintaining an ethical workplace is viewed as everyone’s responsibility, and all staff cooperate in maintaining high ethical standards the workplace.  Toward that end, it is recommended that the Ethics Codes of all the mental health professionals in the workplace be made available to all staff, including non-clinical staff.

Sample training vignettes are provided in some of the sections below.  However, the most useful vignettes will be those provide by staff members themselves.  Staff can be invited to provide vignettes in advance, based on some of their own experiences in the setting.

I. Ethical and Legal Mandates About Staff Training

            Responsibilities about staff training in mental health settings can arise from several sources.  Mental health professionals have Ethics Codes and guidelines, and sometimes these contain mandates about staff training. Laws related to staff training can arise from federal regulations such as HIPAA, as well as from state laws and state agency regulations.

      A. Ethical Requirements

            The Ethics Codes for mental health professionals do not explicitly require ethics-based staff training.  However, the Ethical Standards do make mental health professionals responsible for ensuring the competence of those to whom they delegate tasks.  For example:


“For staff members who interact with clients, or who have access to confidential client information, technical competence may not be sufficient” (Fisher, 2009, p. 459).  Ethical competence may be necessary as well, and ethics-based training is the most direct way to ensure that all staff, including non-clinical staff, will demonstrate ethical behavior and avoid actions inconsistent with the protection of patients’ rights and welfare.

In their excellent ethics text, Koocher & Keith-Spiegel (2016) advise as follows about ethical responsibilities for the behavior of employees:

Mental health professionals have responsibilities for training and monitoring the behavior of their employees with respect to any duties delegated to them.  Employees who handle grade books, confidential records, data sets, incoming requests from consumers, or billing must understand the ethical requirements that attend their duties and behave in a trustworthy manner.  They must be prepared to deal with other situations that might be unlikely to arise in more traditional work settings. (p. 334-335)

The Center for Ethical Practice also provides an ethics-based staff training manual in two versions, one for Virginia clinicians and one for other U.S. clinicians.  (See Fisher, 2018; online at https://centerforethicalpractice.org/ce-home-study/home-study-manuals-tests/ [3]  )

     B. Legal Requirements

Legal mandates that apply in mental health settings include those contained in the federal HIPAA regulations (1996). These require certain types of training for all members of the “workforce” in a health care setting.  HIPAA defines “Workforce” to include paid employees plus trainees, supervisees and volunteers under direct control of the HIPAA-covered clinician.

The training must occur within a reasonable time after they join the workforce. and must be tailored to their job responsibilities, as well as the confidentiality policies and procedures within that specific setting.  This training must be documented, and the documentation must be retained for six years (45CFR184 530(b)(2)(i); 45CFR184 530(k)).

The HIPAA Privacy Rule requires as follows:

Furthermore, the HIPAA Privacy Rule contains some explicit and detailed requirements about that “workforce” training:

“A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. . . .A covered entity must train all members of its workforce on the policies and procedures with respect to protected health information (PHI) . . . as necessary and appropriate for the members of the workforce to carry out their functions within the covered entity.” (Privacy Rule: 45CFR184 530(b) (1)); https://www.law.cornell.edu/cfr/text/45/164.530 [5]  )

The HIPAA Security Rule and Transaction Rule also have implications for staff training. The Security Rule requires practitioners to safeguard electronic protected health information in their practice from unauthorized alteration, destruction, or disclosure, both intentional and unintentional. That means practitioners need to train staff members to protect electronic data, such as patient notes, e-mail with/about patients, insurance or financial records with identifying patient information, etc., from potential security risks. Under the Security Rule’s “contingency planning standard,” employers must also develop an emergency plan to address how employees should respond to a loss of electronic information in the event of a disaster or emergency. This would include training employees about what to do if they are involved in an emergency situation and whom they should contact to assess the seriousness of the situation. A disaster recovery plan should also encompass procedures such as developing an employee phone list to use in an emergency and procedures for patient contact in the event that appointments need to be verified or rescheduled. It is recommended that employers use a written test or an oral examination to ensure that the employee understands the material covered in the training.

Finally, legal requirements about staff training can arise at the state level.  These can include general statutes, licensing regulations, and state agency regulations, all of which vary greatly from state to state.  Such requirements can include staff training about how to protect patient confidentiality and other patient rights.

II. Staff Hiring & Firing

Creating an ethical workplace begins with careful hiring of staff, both clinical and non-clinical. Woody (2000) recommended that mental health professionals select job applicants on the basis of their integrity and then screen further for maladaptive behaviors before hiring.  Koocher and Keith-Spiegel (2016) similarly recommend that we “assess the ability and sensitivity of all potential staff members prior to hiring” (p. 335), including the ability to respect privacy and confidences, and then “exercise caution and diligence in training and monitoring the behavior of employees and supervisees and provide timely feedback to ensure conformity with ethical practice” (p. 342).

All staff, both clinical and non-clinical, can be required to sign confidentiality agreements as a condition of employment.  Such contracts can include requirements about ensuring the safety of patient records stored in hard copy, as well as requirements about the safety of confidential information stored or transmitted using electronic technology. (Fisher, 2016, p. 67)

For therapists of any profession, Fisher (2010) has provided sample confidentiality contracts that can be used for both clinical and non-clinical employees who might have access to patients and/or to protected confidential information about them. If non-compliance with the confidentiality requirements will be considered a basis for termination of employment, this should be stipulated in the contract.

These recommendations imply a focus not only on technical competence but also on the “ethical competence” of staff.

For the protection of both clients and themselves, psychologists must be free to discharge any staff member who engages in unethical behavior. This should be explained to both clinical and nonclinical staff and can be stipulated in employment contracts.

The APA Insurance Trust actually recommends that all personnel in the setting be required to follow the APA Ethics Code (2017), with failure to do so being “grounds for employment termination.”  (Fisher, 2009, p. 460, citing Bennett et al., 2006, p. 182)

The quotation above is from an article published in a psychological journal, citing a risk-management text published by a malpractice insurer for psychologists.  However, this advice would apply to mental health service providers of any profession. In multidisciplinary settings, staff can be provided with the Ethics Codes of each of the professionals in the setting, and these can be referenced during the staff training. If ethical non-compliance in any form will be considered a basis for termination of employment, this should also be stipulated in the employment contract.

III. What Should Non-Clinical Staff Know?

     A. Underlying Principles

The staff training can begin with a discussion of some of the patient-protective principles that underlie ethical practice in mental health settings.  These might include the following principles.  During the training, staff members can be asked to consider how to answer the related questions from the perspective of their own job in the setting:

  1. Beneficence (Doing Good): – “Will my doing this be helpful to our patients?”
  2. Nonmaleficence (Doing No Harm) – “Might this action likely harm the patient or anyone else?”
  3. Fidelity (Trustworthiness) – “To whom do I owe an obligation or an allegiance in this situation?”
  4. Responsibility (Clarifying Roles; Avoiding Exploitation) – “Could this action complicate the patient’s relationship with me, or risk exploiting the patient?”
  5. 5. Autonomy (Fostering Independence) – “Does this action foster independence or will it promote dependence on the part of the patient?”
  6. Integrity (Honesty, Truthfulness) – “Have I been honest and truthful in providing the patient with information?”
  7. Justice (Fairness) – “Is this action consistent with how I would want to be treated if I were the patient?”

    B. Environment & Staff-Patient Interactions

What atmosphere are we trying to create?  What will be a new patient’s first impression of our setting?  How well does our space reflect our approach to providing mental health services?  How are staff expected to interact with patients in this environment?

This aspect of staff training can include decisions about the waiting room (e.g., choice of reading material and/or toys; use of background music or white sound; decisions about decor), as well as consideration of who will be responsible for monitoring and maintaining that space.  It can also include discussion of staff-patient interactions that occur in the waiting room (e.g., staff responses to patient complaints; staff intervention if patients or others create excessive noise or use cellphones in a manner that intrudes on others).

This section of staff training can also include discussion of how to respond to patient’s questions or comments, and how to deal with patients’ friendship overtures.  (This would overlap with the topic, “Boundaries and Dual Relationships” below).

C. General Office Procedures in the Setting

Policies differ greatly across mental health settings.  For this reason, even the personnel who have previously worked in other mental health sites should be required to attend the ethics-based training, because it teaches how professional ethical standards will be upheld through the policies in this specific setting. For the training, and for later reference, staff members should be provided with a written copy of the office policies, including those described in the sections below, so that the specifics can be discussed together.

     D. Privacy & Confidentiality

“Privacy,” within the context of a mental health setting, has to do with “the patient’s right to be protected from visibility, access, or intrusion by others — the right not to be public” (Fisher, 2013, p. 7).  Patient privacy can be protected through such things as discrete office arrangements and by sound barriers that prevent voices from being heard outside a therapy room.

“Confidentiality” is a narrower concept that relates to privacy of information.  In the Ethics Codes for each mental health profession, patient confidentiality is protected by a confidentiality rule (or non-disclosure rule) requiring that no information about patients will be disclosed without their consent. The Center for Ethical Practice (2010) has provided a Confidentiality Practice Model that is based on the ethical requirements about how to protect patients’ rights about confidentiality.

The term “preventable disclosures” refers to “disclosures of patient information that are made without obtaining the required patient consent and in the absence of any legal requirement to disclose” (Fisher, 2016, p. 65).  Professional ethics codes emphasize the need to train all staff about how to avoid preventable disclosures, which includes “accidental disclosures,” defined by Knapp (2002) as “unintended lapses or unanticipated problems” (p. 6).  This can result from such things as “staff carelessness in transmitting patient information electronically, including accidental misdials on the FAX machine and errors in email addresses” as well as “oversights such as unattended computers or failure to institute password protections” (Fisher, 2016, p. 66).

The ACA Ethics Code stipulates that “Counselors make every effort to ensure that privacy and confidentiality of patients are maintained by subordinates, including employees, supervisees, students, clerical assistants, and volunteers” (ACA, 2014, Ethical Standard B.3.a).  The APA Record Keeping Guidelines (APA, 2007) further emphasize the need to “educate employees about confidentiality requirements” (p. 997).

Knapp, VandeCreek, & Fingerhut (2017) described the importance of “ensuring that staff are well trained in the rules surrounding confidentiality” (p. 130).  Barnett and Klimik (2012) recommended that “psychologists should train staff to protect client confidentiality, oversee their performance, . . . and give feedback as needed to remediate any misunderstandings” (p. 434). Although there are some exceptions to the ethical rule of confidentiality, it must be the clinicians – not the non-clinical staff — who determine when those exceptions will apply in their setting.

In addition to these ethical requirements about privacy and confidentiality, the federal HIPAA regulations have very detailed legal requirements about privacy and confidentiality (APA Corporate Relations and Business Strategy Staff, 2005).  It is usually appropriate to involve attorneys in the HIPAA training, whether by sending staff to an attorney-led HIPAA training, or bringing in an attorney to co-lead the confidentiality training.

However, as described in the Introduction above, it is important that legal-based HIPAA training not be considered a substitute for ethics-based training about confidentiality. For example, the federal HIPAA regulations do contain many mandates about confidentiality and privacy, but some of the disclosure policies that are legally allowed by HIPAA fall far below the disclosure standards required by the ethics codes of most mental health professions.

It is true that legal requirements sometimes overlap with psychologists’ ethical obligations. For example, some key HIPAA principles are consistent with confidentiality protections in the APA Ethics Code; . . .  and some state licensing laws cite ethical standards, or incorporate specific professional obligations into law. However, there are also laws that can conflict with ethical standards (Donner, 2008; Knapp, Gottlieb, Berman, & Handelsman, 2007; Pope & Bajt, 1988). Ethics-based training highlights both the ethical–legal overlaps and the potential ethical–legal conflicts, helps staff understand the similarities and differences between ethical standards and laws, and helps psychologists prepare for the potential conflicts. (Fisher, 2009, p. 460).

  1.   Protecting Patients’ Informed Consent Rights: Should nonclinical staff play a role in the initial informed consent process about confidentiality or other matters? Legal trainers may teach that, in the name of efficiency, non-clinical staff can satisfy the HIPAA requirement to inform prospective patients about limits of confidentiality by simply obtaining their signature on the HIPAA Notice of Privacy Practices at their first visit. This practice is not unethical in itself, but it would be unethical to treat it as a substitute for obtaining the patient’s truly informed consent to accept the potential risks created by the limits that may be imposed on confidentiality in your setting (Fisher, 2009).

Legally speaking, the purpose of signing the HIPAA Notice of Privacy Practices is simply to document that it was received. Ethically speaking, however, obtaining truly informed consent involves more than obtaining a signature on a form. Furthermore, most HIPAA notices are unintelligible to the average patient, and this does not meet the ethical requirement that patients be informed in reasonably understandable language.

Some settings also give nonclinical staff the duty of informing prospective patients about certain other things at the initial visit, including fees, insurance, scheduling, clinician availability, etc. The Center for Ethical Practice (2016) has provided a chart summarizing the many topics about which clinicians are ethically required to inform prospective patients when obtaining their consent for treatment. Again, assigning this task to non-clinical staff and having them obtain patients’ signatures on consent forms is not a substitute for a complete informed-consent discussion with a clinical person about such matters.

Although clinicians are not always in control of the setting’s intake policies, they can meet their ethical obligations by (a) providing specialized staff training about informed consent, and (b) beginning their own initial session by ensuring that the client was well informed before giving consent to receive services. This gives prospective clients the ethically required sufficient opportunity to ask questions and receive answers. Such conversations often raise clinical issues that nonclinical staff should not try to address. (Fisher, 2009, p. 461)

Finally, it is important for staff to understand that informed consent is an ongoing process, not a one-time event. For example, potential limits of confidentiality should be discussed not only at the outset of the relationship but also thereafter whenever circumstances may warrant. “The latter responsibility cannot be delegated to non-clinical staff, because such issues are best addressed when they arise, which will likely be during a private clinical session” (Fisher, 2009, p. 461).

When it comes to patients’ informed consent rights and confidentiality, it is especially important not to focus primarily on legal compliance, but instead to use ethics-based training to place the legal regulations into ethical context.  For example, attorneys often call or visit a mental health office and inform the staff that the patient’s consent is not needed for communicating with the patient’s own attorney.  Legally, this may be true (depending upon the context), but ethically speaking, this is a “voluntary” disclosure and requires the client’s consent.  Clients often choose to limit the information that the clinician will provide to their attorney, and when obtaining the client’s informed consent to disclose, the client must be given the right to place limits on a disclosure that they give consent for the clinician to make.  This is why it is important for the clinician be the one who obtains that consent and makes the decisions about such disclosures.

  1. Limiting “Voluntary” Disclosures to the Extent Legally Possible: 

Definition: “Voluntary” disclosures of confidential information are disclosures that are not legally required and for which explicit client consent must therefore be obtained at the time of disclosure.  Unless consent has been obtained as part of the intake interview (e.g., in a HIPAA Notice of Privacy Practice), no disclosure may be made without obtaining explicit client consent beforehand. (See summary of HIPAA “Final Rule” at https://centerforethicalpractice.org/ethical-legal-resources/virginia-legal-information/legal-updates-news/hipaa-final-rule-effective-march-2013 [6] )

Unlike legally-required disclosures (e.g., child abuse reports; court orders), “voluntary” disclosures remain within the control of the mental health clinician and staff.  The Center for Ethical Practice staff training manual (Fisher, 2018) recommends that staff training might include instructions such as the following:

There are explicit ethical and legal rules about how mental health professionals must respond to requests for patient information.  These rules vary, depending upon (a) state laws; (b) who is making the request, and (c) the legal context of the request (e.g., does HIPAA apply?).  Clinicians are responsible for knowing, following, and enforcing these ethical and legal requirements. It is your responsibility to disclose no patient information or records, even to the patient, unless you have explicit authorization from a clinician. (p. 10)

May employees disclose information to the client’s attorney without the client’s consent?  Many attorneys will insist that mental health professionals do not need to obtain consent before talking with them and giving them information, since attorney-client privilege would apply. To some extent, that may be legally accurate. Ethically, however, this is a “voluntary” disclosure that does require the client’s consent.  When asked, many clients wish to place limits on their consent if there is certain information they do not want disclosed to their attorney (e.g., explicit information about previous abuse, family history, or other information not relevant to their court case).  Therefore, regardless of how “pushy” the attorney might be, non-clinical staff should provide them with no information unless the clinician has given that instruction.

May employees voluntarily disclose information without patient consent as long as the disclosure is legally allowed? Law-based training sometimes suggests that if a disclosure is allowed by law, then patient authorization is not required. This has broad implications: HIPAA allows disclosures without patient authorization for such wide-ranging purposes as “treatment, payment and health care operations activities” (HIPAA, 45 C.F.R.§164.506), which includes disclosing information to any other providers who are working with the patient. Some state laws allow similarly broad disclosures without patient consent. (For example, see Virginia §32.1-127.1:03 [7], which allows disclosure without client consent “to third-party payors and their agents for purposes of reimbursement [D,17];” or simply “in the normal course of business in accordance with accepted standards of practice within the health services setting” [D, 8].)

Ethically speaking, however, voluntarily disclosing information without client consent in the absence of a legal requirement constitutes a breach of confidentiality.  This raises ethical issues very different from those raised by legally required disclosures. Whereas a legal requirement can create a true ethical/legal conflict . . . a voluntary disclosure involves no ethical/legal conflict at all. There is thus a vital ethical difference between legally mandated disclosures (which can be legally compelled regardless of whether a client gives consent) and those merely legally allowed (which you remain free not to make, and for which a client remains free not to give consent).” (Fisher, 2009, p. 461, emphasis added).

Ethics-based training would therefore teach that “legally allowed” may not be synonymous with

“ethically appropriate” and that the non-clinical staff person is not qualified to make that determination.

  1. Responding Ethically If Disclosure is Legally Demanded:  How should staff be trained to respond if presented with a subpoena or some other legal demand for confidential patient information? Legal-based HIPAA training might teach non-clinical staff that a legal demand is a sufficient basis for disclosing information, even without patient consent. Legally speaking, this is sometimes true. Ethically speaking, however, the first order of business is to determine (a) whether disclosure is truly legally required (e.g., is a court-ordered disclosure, not simply a discovery subpoena) and (b) whether the legal demand conflicts with our ethical duties.  If so, mental health professionals are ethically required to attempt to resolve the ethical-legal conflict in a way that conforms to both law and to ethical practice. (See ACA Ethical Standard I.1.c, “Conflicts Between Ethics and Laws; APA Ethical Standard 1.02, “Conflicts Between Ethics and Law…”; and NASW Ethics Code “Purpose.”)  Even if the information is not legally protectable, nonclinical staff should not be responsible for deciding whether to disclose it. They should be trained to notify the patient’s clinician, who can use a structured decision-making process for deciding whether to “follow the law despite the ethical concerns” or whether “a conscientious objection is warranted” (Knapp et al., 2007, p. 54).

Ethics-based training is critical.  An example of a specific topic in this area would be how to comport oneself when a subpoena is delivered . . . Ethics training activities may be applicable to support staff and clinicians alike, with topics such as informed consent and confidentiality. (Pohlman, 2017, p.174, citing Fisher 2009)

Ethics-based training can instruct nonclinical staff on matters such as how to behave if someone delivers a subpoena, but clinicians themselves must be the ones who weigh the competing values (Behnke, 2001) and make the decision about whether to disclose.  If a patient declines to give consent for the release of legally demanded information, it may be possible to minimize the disclosure and sometimes the information can be protected completely (APA Committee on Legal Issues, 2006; APA Practice Organization, 2008, 2012; Fisher, 2020; and APA Legal and Regulatory Affairs Staff, 2005).

  1. Protecting Confidentiality with Protocols for Use of Electronic Technology:   Ethical mandates about usage of electronic technology are expanding.  In the latest Ethics Code for Counselors, an entire section is devoted to the topic of “Distance Counseling, Technology, and Social Media” (ACA, 2014, Section H).

In the latest NASW Ethics Code (2017), the “Preface” acknowledges the increasing use of technology in mental health settings, and stipulates that all Standards in the Ethics Code will apply to the use of technology, whether or not technology is mentioned in the Standard:

With growth in the use of communication technology in various aspects of social work practice, social workers need to be aware of the unique challenges that may arise in relation to the maintenance of confidentiality, informed consent, professional boundaries, professional competence, record keeping, and other ethical considerations. In general, all ethical standards in this Code of Ethics are applicable to interactions, relationships, or communications whether they occur in person or with the use of technology.  For the purposes of this Code, technology-assisted social work services include any social work services that involve the use of computers, mobile or landline telephones, tablets, video technology, or other electronic or digital technologies; this includes the use of various electronic or digital platforms, such as the Internet, online social media, chat rooms, text messaging, e-mail, and emerging digital applications. Technology-assisted social work services encompass all aspects of social work practice, including psychotherapy; individual, family, or group counseling; community organization; administration; advocacy; mediation; education; supervision; research; evaluation; and other social work services. Social workers should keep apprised of emerging technological developments that may be used in social work practice and how various ethical standards apply to them. (p. 4)

Other ethics-based recommendations can be found in the technology guidelines now published by national professional associations. For example, the American Psychological Association (2013) has published Guidelines for the Practice of Telepsychology, which provide guidelines for use of telephone, FAX, email, etc.   Similarly, the National Association of Social Workers (2018) has provided technology resources at Clinical Social Work Practice Tools: Technology.  In addition, NASW (2017) has also joined several other national social work groups to publish Technology in Social Work Practice.

Until recently, most of the legal mandates about use of technology were found in the federal HIPAA regulations, but state laws and regulations about technology are now expanding.  For example, in Virginia, several licensing boards have adopted “Guidance Documents About Use of Technology.”  (For example, see Virginia Board of Counseling, 2015; Virginia Board of Psychology, 2018; and Virginia Board of Social Work, 2018.)

See explicit policies about technology in Section IV, A, 1, below.

The checklist below includes some components of ethics-based staff training about confidentiality.  It is adapted from the Fisher (2016) APA book, Confidentiality Limits in Psychotherapy:  Ethics Checklists for Mental Health Professionals. 

____ Train all staff about professional ethical standards; provide Ethics Codes for all the professions represented in the setting.

____ Include clinical and non-clinical staff in ethics-based confidentiality training.

____ Train clinical and non-clinical staff about record-keeping responsibilities.

____ Review record-keeping practices regularly; enforce record security measures.

____ Require everyone in the setting to sign a “confidentiality contract.”


     E. Boundaries and Dual Relationships

It can be important to define these two concepts, because they overlap and are often treated as if they were almost synonymous. For training purposes, it can be helpful to conceptualize boundaries as “where we must draw the line” and to conceptualize dual relationships as “wearing more than one hat with the same person.”  The overlap can occur because dual relationships can become ethically problematic when the two relationships require different boundaries.

Mental health professionals have Ethical Standards regarding boundaries and dual relationships with their patients.  Practitioners can expect non-clinical staff members to also monitor their relationships with patients in order to avoid unnecessary complications.

Training about boundaries and dual relationships can be especially important in communities where social circles will likely overlap.  For example, Koocher & Keith-Spiegel (2016) note that staff are likely to have prior relationships with prospective patients in “university towns, distinct cultural communities, or rural settings.” In cases involving high-profile clients or family members of employees, “safeguards might include placing sensitive files in secure locations unavailable to the staff” (p. 335).

     F. Billing and Third-Party Reimbursement

Mental health professionals have Ethical Standards about billing and reimbursement.  Among these is the ethical requirement to obtain the patient’s informed consent before disclosing information to others for reimbursement purposes.  Obtaining informed consent requires more than simply obtaining the patient’s signature on a form.  It means that patients must be given the opportunity to make the decision about whether or not to seek third party reimbursement only after they have first been informed about the implications of that decision. The clinician will have this discussion with patients and, where appropriate, will obtain their consent to submit claims.  It is therefore important that non-clinical staff send no information to third parties until specifically so authorized by the clinician. 

Even though the third party payer is providing reimbursement to us with the patient’s consent, we have no ethical basis for releasing any further information about the patient, beyond what is necessary for obtaining that reimbursement.  In other words, the fact that someone is paying the bill does not, in itself, entitle them to information about the patient without the patient’s explicit consent.  This would apply to any adult patient, whether the third party payer is an insurance company or a family member.

It is also ethically important that the information sent to third party payers be accurate.  If staff have any questions about billing codes, or about the accuracy of the information they are about to submit, they should be trained to consult the clinician and request a review before sending or transmitting a claim for reimbursement.

When billing for reimbursement for services to adult patients, the same Ethical Standards would apply whether the third party is an insurance company, a family member, referring agency, or other entity:

Counselors:. . . disclose information to third-party payers only when clients have authorized such disclosure” (ACA Ethical Standard B.3.d., Third Party Payers).

Psychologists. . . take reasonable steps to ensure the accurate reporting of the nature of the service provided or research conducted, the fees, charges, or payments, and where applicable, the identity of the provider, the findings, and the diagnosis” (APA Ethical Standard 6.06, Accuracy in Reports to Payors and Funding Sources).

Social Workers “. . . should not disclose confidential information to third-party payers unless clients have authorized such disclosure” (NASW Ethical Standard 1.07h, Privacy and Confidentiality).  and “. . . should establish and maintain billing practices that accurately reflect the nature and extent of services provided and that identify who provided the service in the practice setting. (NASW Ethical Standard 3.05, Billing).

HIPAA does legally allow disclosures to be made for reimbursement purposes without patient authorization if they were initially presented with a Notice of Privacy Practices containing that information.  Ethically, however, professional ethics codes require that patients knowingly authorize such disclosures, as indicated above. It is impossible for clients to give “truly informed” consent at intake, because the content of reimbursement disclosures cannot be known beforehand. Therefore, before the reimbursement request is submitted, the clinician must take responsibility for informing the client of exactly what information will be disclosed to the third party payer

     G. Patient Access to Records

Patients sometimes request copies of their own records.  Some state laws, as well as the federal HIPAA regulations, give patients the legal right to obtain that information.  However, both HIPAA and state laws can specify exceptions — certain circumstances under which a patient’s request may need to be refused.

For example, there may be a potential for the patient to respond to what is in the record by harming him/herself or someone else.  In multiple-client cases, as in couple or family cases, there can also be legal guidelines that govern who has a legal right to obtain the record.  In such cases, there are legal requirements that determine when and how refusals of patient access to records must be carried out. Non-clinical staff do not have the authority to make that determination.

Staff should therefore be trained to always refer a patient’s request for copies of his/her own records to the clinician who treats (or who previously treated) that patient.  If that clinician is no longer available, the request can be referred to the primary clinician in the practice.


H. Other Policies with Ethical and/or Legal Implications

1. Operating Within Your Specified Job Description: In general, it is helpful for staff to notice things that need doing, and to be willing to do them even if it is not formally required by their job description.  This cooperative attitude should be applauded and encouraged in all general office activities.  However, staff should not engage in activities that reach beyond their job description without authorization from a supervisor if the extra activity involves interactions with patients (e.g., completing intake forms) or electronic transmission of patient information (e.g., FAXing claim forms), or if it allows access to more extensive patient information than is allowed in their job description (e.g., reading patient records).

Legally, the federal HIPAA regulations limit employee access to only the client information that they need for performing their specific job in the setting.  Additionally, some states have legal statutes that impose penalties for using computers to obtain access to private information without authorization.

Whether or not the job description requires a staff member to interact with patients, a patient may initiate interactions with a staff member by asking a question or making a request.  (See above.) Regardless of job description, staff members should ordinarily not offer advice to patients, even if asked.  This would include personal advice about life decisions, over-the-counter remedies, nutrition/diet issues, etc., since such advice might mistakenly be taken as (or reported to be representative of) the official advice from this office. Staff members should be trained to be polite but to decline to offer advice on such matters and to return to their usual duties.  If, in spite of their non-response, such patient requests persist, staff should notify that patient’s clinician.

Staff might be provided with the following general guidelines:

IV. Are Policies and Expectations Clear? Written?

Obviously, the first step in creating clear expectations for staff behavior will be to develop specific policies about topics such as those described in all the above sections.  (See APA Corporate Relations and Business Strategy Staff, 2005).  Staff should be presented with copies of clear written policies during their initial ethics-based training.

Barnett & Klimik (2012) recommend that mental health care providers should keep copies of their general policies in a central location, update them regularly, and review them periodically with all staff. Ethics-based policies and expectations can be kept as a separate document or notebook labeled as such, simply written, and not combined with the reams of other general agency policies.

A. Policies about Employee Behavior

  1. What are the Policies About the Use of Electronic Technology? Training about confidentiality should include instructions to staff about how to assure security of patient information in their use of electronic technology such as computers, FAX machines, photocopiers, telephones, etc.   This will support the ethically required confidentiality standards in clinician’s Ethics Codes, while also conforming to the legally required regulations in the HIPAA Security Rule and Technology Rule.

National professional associations also provide guidelines about the use of technology in clinical settings.  For example, the American Psychological Association provides the following recommendations in its 2013 Guidelines for the practice of telepsychology.

Psychologists are encouraged to conduct an analysis of the risks to their practice settings, telecommunication technologies, and administrative staff in order to ensure that client/patient data and information are accessible only to appropriate and authorized individuals. Psychologists strive to obtain appropriate training or consultation from relevant experts when additional knowledge is needed to conduct an analysis of the risks.  Psychologists strive to ensure that policies and procedures are in place to secure and control access to client/patient information and data within information systems. (p. 797)

The protocols about use of electronic technology should be setting-specific.  However, the training manual Ethics-Based Training Manual for Non-Clinical Staff in Mental Health Settings (Fisher, 2018) contains samples of detailed protocols that could be adapted for training purposes in any setting.

For example, regarding email or text, guidelines such as the following might apply:

(a.)  Transmit no identifiable patient information via email or text unless explicitly authorized to so do by a clinician in a specific case.

(b.)  Use office computers only for official business.  Send or receive personal email on office computers only if so authorized.

(c.)  Double-check the destination address, and include a confidentiality message in the “signature” at the bottom of each sent message.

(d.)  Remember that e-mail or text messages, once sent, can be copied, printed, or forwarded by the recipient.  Monitor the content and tone of everything you have written before hitting “SEND.”

[NOTE: Many of the recommendations below for use of FAX machines would also apply to email or text.]

The same manual (Fisher, 2018) also contains a sample list of recommendations for training about the use of FAX for transmitting patient-identifiable information.  Samples include the following:

(a.)  Everything FAXed from this office contains the “return address” for our office.  You should obtain permission before using the FAX machine for your personal use, and you should FAX nothing that would compromise, or would reflect negatively upon, this office.

(b.) The FAX machine used for sending patient information is located in a secure area that remains inaccessible by any individual who has not signed our Confidentiality Contract.  The area (or the machine) should be locked when the FAX machine is unattended.

(c.)  A FAXed document containing patient information should be accompanied by our cover sheet that includes language clearly outlining the confidential nature of the information being FAXed and provides a warning to any recipient who is not authorized to have access to that information:

The information contained in this facsimile message is privileged, confidential, and only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this message in error, please immediately notify us by telephone and return the original message to us at the address listed above via the US Postal Service. Thank you for your cooperation.

(d.)  Some FAXed documents containing patient information (e.g., copies of patient records; summaries of patients’ treatment) should also contain the following notation: The person who receives this information may not re-disclose it to anyone else without the patient’s further separate written consent, unless such recipient is a provider who makes a disclosure required or permitted by law.

(e.)  In order to reduce dialing errors as much as possible, we have pre-programmed some frequently-dialed numbers into the FAX machine.  You should use those whenever available, in order to prevent patient information being erroneously sent to an unauthorized third party.

(f.)  If you become aware that you have erroneously sent patient information via FAX to an unauthorized third party, contact the clinician immediately.

(g.)  When possible and appropriate, advise the recipient that the information is being sent “now.”  This is especially important if you know that the receiving FAX machine is shared with others, or if you believe the receiving FAX machine is located in an open, unsecured area.  When possible and appropriate, follow up with the intended recipient to verify that the FAX was received.

(h.)  Immediately remove any identifiable confidential information that may have been automatically saved inside the FAX machine records, unless that is password-protected.  If a record of the transmission is needed, print it, file it in a secure place in paper form, then delete the record from the machine so that others may not obtain access.

(i.)  After FAXing, do not use an open trash can to discard papers that contain patient information.  File or shred.  Destroy or return to owner any confidential papers left on the machine by others.

From the same source (Fisher, 2018), there are extensive recommendations about the use of computers that contain patient-identifiable information. As with the above recommendations, these would apply to all personnel in the setting who have access to the electronic equipment, whether employees, students, volunteers, or others.

(a.)  If your job description or other assigned duties require you to use our computers, you will be given a password, which will be changed periodically.  Your use of the computer should be limited to the tasks required for your assigned duties.  Do not give out your password to anyone else.  Do not use your password to give someone else access to the computer without specific authorization in a specific instance.

(b.) Computers containing patient information should remain inaccessible to unauthorized individuals. [As required by HIPAA Regulations, they are both password-protected and kept in a room that is locked when no one is in attendance in order to adequately prohibit access to protected health information files by unauthorized individuals.]

(c.) Do not attempt to obtain access to information you are not authorized to see or use.  (It is illegal in some states under “computer invasion of privacy” laws.)

(d.)  Position the computer in such a direction that the screen is not visible to patients or visitors to the office.

(e.) When you are not sitting at the computer, exit from any files containing patient information, so those files will not be visible on, or accessible from, the screen without your password.

(f.)  Copy no patient information onto CD or other computer storage disk except during authorized backup procedures, in which case the backup information will be stored securely according to established office security procedures.

(g.)  Copy no patient information from our computer, or from other records, onto your own personal laptop or personal computer storage disks.

(h.) Remove no computerized patient information from this office, either on laptop or on disk, without specific authorization.  This includes information that you intend to use for working from your home or elsewhere

(i.) Transmit no patient information to any location outside this office unless specifically authorized to do so, or unless this is a specified part of your job description (e.g., sending electronic reimbursement claims to third party payers).

(j.) When connected to the Internet, our firewall protection software helps protect the computers, and thus individuals’ health information files, from being accessed by unauthorized individuals through their Internet connection.  However, we request that you close the internet connection whenever your work does not immediately require internet access, in order to further reduce that danger.

(k.) For transmitting patient information, our computers are equipped with encryption software (as required by HIPAA Regulations).  If you are authorized to transmit information, confirm that the individuals authorized to receive it at the point of termination have the necessary software.  Make sure that files are password-protected prior to transfer and that individuals authorized to receive the files at the point of termination have password access to those files.

Finally, the telephone is also an instrument of electronic technology.  The American Psychological Association, in its Guidelines for the Practice of Telepsychology (2013), notes that in addition to the use of the telephone for providing direct clinical services (e.g., telephone therapy), the telephone, texting, and email can also be used for non-direct services, such as scheduling, and that this use can often fall to non-clinical staff.  Mental health professionals are reminded that they should inform their clients of “limits to confidentiality and the risks of possible access to or disclosure of confidential data and information that may occur during service delivery, including the risks of others gaining access to electronic communications (e.g., telephone, e-mail)” (p. 797).  In training non-clinical staff, clinicians should be cautious about applying a general rule to all clients, and should instead take responsibility for being “aware of the potential benefits and limitations in their choices of technologies for particular clients in particular situations” (p. 792).

  1. What are the Policies About Staff Interactions with Patients & Others?

In this part of the non-clinical staff training, staff members can be encouraged to share “hypothetical” examples of problematic interactions with patients and others.  Role playing can be an important part of this aspect of the training. Non-clinical staff can play the role of difficult patients or demanding attorneys or pushy family members, while the clinical staff can demonstrate the appropriate responses to such situations by taking the role of the non-clinical staff member.

General policies should be available that clarify expectations for how staff will interact with others in specific circumstances.  For example, there can be protocols about how to respond to requests for records by the patient, by attorneys, by third party payers, and by others.  The non-clinical staff training manual provided by the Center for Ethical Practice provides examples of detailed staff instructions about each of these circumstances.  (See Fisher, 2018).

That manual also includes a separate Section about staff relationships with patients, “Understanding Roles, Maintaining Boundaries, & Avoiding Dual Relationships” (Fisher, 2018).  It recommends that employee training might include instructions such as these:

Employees in mental health settings are responsible for maintaining their own boundaries appropriate to this setting and should not unnecessarily create a second relationship with patients.  For example, while wearing the “professional hat” of employee in our office, you should not interact with patients in a manner that seems to invite personal friendship.  Do not seem to be promising to add a “personal hat” of friendship by discussing personal life events or shared histories, or trading personal advice, even if the patient initiates the interaction. . .

However, sometimes another relationship already exists.  For example, a new patient may turn out to be your neighbor/friend/relative; if this occurs, you should alert the clinician to this fact as soon as you become aware that you have a prior relationship, whether or not the patient raises the issue with you.  Sometimes this creates no problems, but that decision is not yours to make.  Ordinarily, it will be up to the clinician and the patient to decide together whether your dual relationship (or potential conflict of interest) is problematic enough that the patient should be seen elsewhere (or that special scheduling accommodations or confidentiality accommodations should be made).

Even if the clinician and patient are both comfortable with a situation involving dual relationships on your part, whenever you are personally uncomfortable wearing more than one “hat” (i.e., adding this staff role to your existing relationship with that person), you should be sure the clinician knows about your discomfort/concern before a decision is made. (Fisher, 2018, Virginia version p. 19; National version p. 14)

This section of staff training can also include discussion of how to respond to patient’s questions or comments, and how to deal with patients’ friendship overtures.  (This would overlap with the topics, “Environment and Staff-Patient Interactions” (III.B., above) and “Boundaries and Dual Relationships” (III, E, above). Examples of training topics might include the following:

Finally, it is important to note that clinicians should be careful about what tasks they delegate to employees.  According to Koocher and Keith-Spiegel (2016), “there are times when it may simply be inappropriate for mental health clinicians to delegate certain client calls or other nontherapeutic tasks to others” (p. 335).

  1. What are the Policies About Responding to Attorneys?

Ethically and legally, this is one of the most important parts of the training. Legal demands for information can come not only from an attorney waving a subpoena, but also from a sheriff with a gun on his hip, an FBI agent who brandishes his badge, or other law enforcement personnel.  In each case, an untrained staff member can feel threatened when approached with a demand for information or records.  Often there is a claim that the person has a “legal right” to receive the records “on the spot,” and there can be warnings about dire consequences for the clinician if the staff member does not comply with the request immediately.  In this circumstance, confidential and privileged information can be disclosed by a frightened receptionist or other staff member.

Harris and Younggren (2011), in their article, “But That’s What the Lawyer Told Me,” warn that clinicians themselves are easily intimidated by attorneys, which means they must educate themselves in order to adequately train their non-clinical staff:  “Most mental health professionals are not lawyers.  In fact, at best, lawyers make most mental health professionals quite anxious, and this anxiety can result in responses to legal demands that can harm their clients’ interests and put themselves at risk” (p. 13).

Clinicians themselves need to be well informed about such things as the ethical and legal difference between a subpoena and a court order.  The Trust (formerly the APA Insurance Trust) alerts mental health professionals to the ethical and legal pitfalls created by bad advice, citing situations in which attorneys have lied and “misrepresented the legal obligations engendered by a subpoena” and threatened the clinician with legal action “for failing to respond to a subpoena when, in fact, the subpoena from an attorney alone does not permit the psychologist to reveal information” (Knapp et al., 2017, p. 143, emphasis added).  Similarly, Harris and Younggren (2011) describe intimidating misrepresentations by attorneys, including such things as claiming “My subpoena is actually a court order”. . .  The fact that an attorney representing one side tells you that a subpoena is a court order does not mean that it compels the release of information about your clients” (p. 13).

If an attorney is invited to lead or co-lead this aspect of the staff training, it is important that it be an attorney who understands and respects the ethical responsibilities of mental health professionals.  In fact, it can sometimes be unethical for clinicians to not contest a subpoena, and the attorney should be willing to support their right to contest legal demands unless they are actually ordered by a judge.  “Attorneys are experts about the law, but therapists must take responsibility for being experts about the ethics of their own profession.  They should be familiar with their ethical responsibilities, able to describe them clearly, and prepared to ask their legal questions from that perspective” (Fisher, 2013, p. 48).

It may therefore be important for this aspect of the training to be attended by clinical staff, as well as non-clinical staff.  The clinical staff attendees can be responsible for ensuring that the training include not only legal information, but a discussion of the ethical responsibilities involved in responding to legal demands.  It can also be very useful if the training includes some role-play time, with staff playing the role of someone with aggressive demands for information (including demanding attorneys) and clinical staff playing the role of non-clinical staff members responding appropriately to those demands.

B. What Are Your Personal Policies about Your Own Behavior Toward Employees?

It is important for staff to know how to reach you for consultation.  Staff also deserves to   understand your expectations about their behavior and to know how this might affect their employment.

  1. Are You Available for Consultation? Mental health treatment settings can

require staff to deal with very difficult situations.  Even if well trained, they may sometimes need some help from a skilled clinician in the event of a clinical emergency.  Other situations can be less urgent but may nevertheless require consultation with a clinician about certain administrative questions or other matters related to their job.  Policies should be clear about when (and whether) a supervising clinician can be interrupted during a client session.

  1. What Might Lead You to Remove an Employee? The answer to this should

be readily available to all staff, because conditions of employment should be stipulated in their hiring contract.  In addition to being proficient in their specific administrative or clerical job, they should be maintaining the ethical requirements described above.  For example, every contract should stipulate that protection of patient confidentiality is a condition of maintaining employment.

C. What Other Policies in Your Setting Have Ethical/Legal Implications?

  1. Are Staff Clear about Procedures in Non-Clinical Emergencies? Non-clinical emergencies can include things that affect the security of client data, such as breaches of confidentiality that must be reported to HIPAA; environmental emergencies that can destroy client records and appointment books, such as flood or fire; weather emergencies that can cause the office to close, or cause clinicians to be unavailable, such as snow or ice.

Below are some of the plans that can be put in place. Staff training should include information about emergency contact information for reaching clinicians, and perhaps contact information for reaching clients, depending upon the nature of the emergency

Staff can be asked to add other items, as appropriate:

  1. Are Staff Members Operating Within their Specified Job Descriptions? Each staff member should have one person assigned as their primary supervisor.  This can be either a clinician or a non-clinical staff member who holds a supervisory position.  Staff can be rewarded for their initiative, but they should be trained not to engage in activities outside their job description until they have cleared that with their supervisor if the expanded activity involves interactions with patients (e.g., completing forms for them), if it involves electronic transmission of patient information, or if it allows access to more extensive patient information that is allowed in their job description.  HIPAA Privacy Rules require that staff be given access only to the level of patient information required for their own job.

Staff should be instructed not to engage in any clinically-based activities (e.g., testing, interviewing) unless they have received specific training and have been given explicit clinician approval and adequate supervision.  If asked to do otherwise, they should discuss their concerns with their supervisor.

  1. Are All Staff Taking Responsibility for Monitoring Compliance with Ethical and Legal Standards in the Workplace?  The task of creating and maintaining an ethical workplace requires cooperation of all personal, both clinical and non-clinical.  Staff might be provided with recommendations such as these from Fisher, 2018:

V. Who Will Take Responsibility?

      A. Who Will Provide the Training?

When it comes to ethics training about policies within the setting, the responsibility can be undertaken by clinicians themselves, because most staff behavior remains within the clinician’s control. It is recommended that the clinicians in the setting also attend the ethics training that is provided to non-clinical staff, since it is important that everyone understand exactly what policies will apply in the setting.

The ethics-based staff training manuals (Fisher, 2018) – both the manual for Virginia clinicians and the manual for clinicians nationally – are designed for use by mental health service providers who lack specialized ethics training, but they can also be used with an invited ethics-trained co-leader. (Also see “Will You Pool Resources,” below.)   

Regarding training about confidentiality and its limits, as noted above, attorneys can be available to provide (or to advise about) the relevant legal issues (e.g., HIPAA requirements or state laws).  But such legal training does not replace the need for training about the ethical issues (e.g., What are the appropriate ethical responses to HIPAA or to laws requiring disclosure?).

     B. Who Will Test Employees?

Regardless of who conducts the training, it can be important afterward to assess the staff’s understanding of important policies.  The staff training manual provided by the Center for Ethical Practice (Fisher 2018) contains a sample test for this purpose. This can be a time to have all staff members – both clinical and non-clinical — renew things like the requirements in their hiring contracts, as well as the confidentiality contracts they may have already signed (Fisher, 2010).

     C. Will You Pool Training Resources?

In agencies or other settings where there are clinicians of several disciplines, multidisciplinary training can help foster collegial relationships that will be useful when confronting later ethical or ethical-legal dilemmas. This can also be a time to have them renew the confidentiality contracts they may have already signed.  (See Fisher, 2013, Chapter 13.)  The manuals described above (Fisher, 2018) can be used for such interdisciplinary training.

In individual private practice settings or in small private group practice settings, clinicians who feel unqualified to provide the ethics-based training themselves can pool their financial resources to hire an ethics specialist to train or co-train their combined staff. Although national specialists (e.g., authors of ethics texts) are always available, there can be advantages in hiring someone in your own state who is familiar with the laws that will affect ethical practice in your own setting.  These can usually be found through inquiries in college or university clinical training programs, most of which have professors who teach clinical ethics courses.


On the basis of the ethical and legal considerations described above, mental health care providers might apply the following principles when planning ethics-based staff training:

(1) Create clear written policies that both conform to your Ethics Code and meet the legal requirements that apply in your setting.  If your policies are vague, unclear, or inconsistent, so will be the training.

(2) Ethics-based training can extend beyond the topics in your Ethics Code. Although it covers most situations, it is not exhaustive, and you should cover all policies in your setting that are designed to protect patients’ rights

(3) Maintain an ethical focus. On topics that have both ethical and legal content, it is recommended that Ethical Standards be presented first, with legal requirements then discussed within that ethical context (Fisher, 2009, p. 464).

(4) Do not treat attorney-led training on any topic as a substitute for ethics training on that topic. For example, if staff receive law-based HIPAA training elsewhere, the ethical implications of HIPAA regulations can be clarified in the confidentiality section of the ethics-based training. Alternatively, an attorney familiar with mental health law might be invited to co-train about confidentiality and privacy, which would allow on-the-spot opportunities to place the legal requirements into ethical context and to maintain a focus on ethics (i.e., protection of patients) rather than on legal compliance, risk-management and self-protection.

(5) Remember that staff training is not a one-time thing.  Regular updates and refresher training are recommended, and staff meetings can address ethical issues whenever they arise in the setting.

(6) Invite all personnel to attend this training.  This can include clinical and nonclinical staff, interns, students, and volunteers.  Inappropriate behavior by anyone in the setting can harm a patient or reflect badly on the practice and/or on the profession. If needed, further specialized ethics training and ethical consultation can be available separately to clinical staff, students, and clinical supervisees (Fisher, 2009).

(7) Assess staff understanding.  Use oral or written examinations, administered immediately after the training and repeated annually, or during job performance evaluations. Certificates can document staff completion of training. (See sample at Fisher, 2010.)

(8) Encourage self-monitoring.  It requires the attention of everyone in the setting, because all must share responsibility for maintaining a culture of safety (Knapp, VandeCreek, & Fingerhut, 2017).

(9) Consider asking all personnel — clinical and nonclinical — to sign a confidentiality contract or a more general ethics contract. (See sample in Fisher, 2007.) This signing can be repeated annually, or as appropriate, to emphasize its importance and to reflect any changes in policy or laws.

VII. Sample Staff Training Manual – Outline

Below is the outline of a sample staff training manual, adapted from the Appendix of the article, “Ethics-Based Training for Non-Clinical Staff in Mental Health Settings” (Fisher, 2009 and from Appendix VIII in the book, The Ethics of Conditional Confidentiality: A Practice Model for Mental Health Professionals (Fisher, 2013).  This outline, and details within the outline, would need to be adapted to each setting.  For example, under the topic of “Privacy and Confidentiality,” details about “Policies” might be different in your setting, and laws about confidentiality will vary from state to state.

Sample Table of Contents for Ethics-Based Staff Training Manual
in an Outpatient Mental Health Setting

  1. Guiding Principles
  2. Environment
  3. Informed Consent
    A. Ethical Standards Requiring Informed Consent
    B. Legal Requirements and Implications (state laws; HIPAA)
    C. Our Policies Protecting Patients’ Informed Consent Rights
    1. Obtaining Initial Informed Consent Before Providing Services
    2. Obtaining Informed Consent Before Disclosing Information
    3. Conducting Ongoing Informed Consent Conversations
  4. Privacy and Confidentiality
    A. Ethical Standards About Confidentiality
    B. Legal Requirements About Confidentiality (state laws; HIPAA)
    C. Ethical & Legal Consequences of Unethical/Unlawful Disclosures
    D. Policies Protecting Privacy & Confidentiality In This Setting
    1. Protecting Patient’s Right to Privacy While In Our Office
    2. Protecting Patient’s Right to Confidentiality (Non-Disclosure)
    a. Rule: Disclose Information Only With Patient Consent
    Policies: Handling Requests for Information
    Handling Telephone Interactions
    b. Rule: Protect Confidentiality in Storing, Transmitting, &
    Disposing of Information
    Policies: Using Computer, Copier, FAX, E-Mail;
    Transporting Data Outside the Office
    3. Responding to Legal Demands
    c. Rule: Disclose Only if Legally Required
    Policies: Refer Subpoena, Attorney, to Clinician
  5. Relationships With Patients
    A. Ethical Standards About Boundaries & Dual Relationships
    B. Legal Implications of Patient Relationships
    C. Our Policies About Relationships with Patients
  6. Billing and Third Party Reimbursement
    A. Ethical Standards Related to Billing & Reimbursement
    B. Legal Requirements and Limitations
    C. Policies re Staff Responsibilities (Billing, Claims Transmission, etc.)
  7. Other Policies With Ethical and/or Legal Implications
    A. Maintaining Competence and Remaining Within Job Description
    B. Understanding Procedures in Non-Clinical Emergencies (e.g., computer failure; flood; etc.)
    C. Maintaining a “Culture of Safety” — Monitoring Ethical Compliance in the Workplace
  8. Demonstrating Understanding and Signing Ethics Contracts


Ethics Codes of the Mental Health Professionals in the Setting Summaries of Relevant Legal Requirements (state laws; HIPAA) Sample Documents (e.g., Certificate Documenting  Completion of Training; Confidentiality Contract) [Training Outline Adapted from the Appendix in Fisher, 2009, and from Appendix VIII in Fisher, 2013, pp. 253-254)


American Counseling Association (2014). ACA Code of Ethics. Alexandria, VA, Author.  Retrieved from http://www.counseling.org/docs/ethics/2014-aca-code-of-ethics.pdf?sfvrsn=4 [8]

American Psychological Association (2013, Dec.). Guidelines for the practice of telepsychology.  Retrieved from https://www.apa.org/pubs/journals/features/amp-a0035001.pdf [9]

American Psychological Association (2017). Ethical Principles of Psychologists and Code of Conduct.  Washington D.C., Author.  Retrieved from http://www.apa.org/ethics/code/index.aspx [10]

American Psychological Association Committee on Legal Issues (COLI). (2006). “Strategies for Private Practitioners Coping With Subpoenas or Compelled Testimony for Client Records or Test Data. Professional Psychology: Research and Practice, 37 (2), 215-222. Retrieved from http://apa.org/about/offices/ogc/private-practitioners.pdf [11]

American Psychological Association Corporate Relations and Business Strategy Staff (2005, March 29).  Put it in writing:  Your office policies and procedures.  Online for members of APA Practice Directorate at http://www.apapractice.org/apo/insider/practice/pracmanage/business_strategies/policy.GenericArticle.Single.articleLink.GenericArticle.Single.file.tmp/Download_Office_Policies_article.pdf [12]

American Psychological Association Practice Organization, Legal and Regulatory Affairs Staff (2008, December 17).  How to Deal with a Subpoena.  Retrieved from http://www.apapraceicecentral.org/update/2008/12-17/subpoena.aspx [13]

American Psychological Association Legal and Regulatory Affairs and Technology Policy and Projects Staffs (2005).  Contingency planning:  Do you know what HIPAA requires?  Retrieved from http://www.apapractice.org/apo/insider/hipaa_reg/hipaa/hipaa_security_rule/contingency.html [14]

American Psychological Association Practice Organization (2008, Fall). How to deal with subpoenas: Pointers for mental health professionals. Good Practice, pp. 2-5; 20.

American Psychological Association Practice Organization (2012, Winter). How to handle subpoenas and depositions.  Good Practice, pp. 10-11; 20.  Retrieved from https://www.apaservices.org/practice/update/2012/10-11/legal-regulatory [15]

Bennett, B.E., Bricklin, P.M., Harris, E., Knapp, S. VandeCreek, L., & Younggren, J.N. (2006). Assessing and Managing Risk in Psychological Practice: An Individualized Approach.  Rockville, MD, American Psychological Association Insurance Trust.

Center for Ethical Practice (2010). Ethical Practice Model (Annotated).  Retrieved from http://www.centerforethicalpractice.org/EthicalPracticeModelAnnotated

Center for Ethical Practice (2016).  Ethical Responsibilities About Informed Consent.  Retrieved from  http://www.centerforethicalpractice.org/informedconsentchart

Donner, M. B. (2008). Unbalancing confidentiality. Professional Psychology: Research and Practice, 39, 369–372. DOI: 10.1037/0735-7028.39.3.369

Fisher, M.A. (2008). Protecting confidentiality rights:  The need for an ethical practice model. American Psychologist, 63, 1-13. DOI: 10.1037/0003-066X.63.1.1  (Online in html at http://www.centerforethicalpractice.org/articles/articles-mary-alice-fisher/protecting-confidentiality-rights/ )

Fisher, M.A. (2009). Ethics-based training for non-clinical staff in mental health settings.  Professional Psychology: Research and Practice, 40, 459-466. doi:  10.1037/a0016642 (Online in html at http://www.centerforethicalpractice.org/ethics-based-training-for-non-clinical-staff/ [16]

Fisher, M.A. (2010).  Staff training:  Sample contracts, checklists, and documentation.  Retrieved from http://www.centerforethicalpractice.org/staff-training

Fisher, M.A. (2012). Confidentiality and Record Keeping. Chapter 13 in S. Knapp,  M. Gottlieb, M. Handelsman, & L. VandeCreek (Eds.) APA Ethics Handbook for Psychologists(pp. 333-375).  Washington DC: American Psychological Association. DOI: 10.1037/13271-013.

Fisher, M.A. (2013).  The Ethics of Conditional ConfidentialityA Practice Model for Mental Health Professionals. New York, Oxford University Press.  ISBN13: 9780199752201

Fisher, M.A. (2016). Confidentiality Limits in Psychotherapy: ü   Ethics Checklists for Mental Health Professionals. Washington D.C., American Psychological AssociationISBN 13: 978-1433821899

Fisher, M.A. (2018). Ethics-Based Training Manual for Non-Clinical Staff in Mental Health Settings. The Center for Ethical Practice, 977 Seminole Trail, #312, Charlottesville VA 22901. www.CenterForEthicalPractice.org  [This manual can be ordered at http://www.centerforethicalpractice.org/ce-home-study/home-study-manuals-tests/ .]

Fisher, M.A. (2020). Ethical Consequences of Role Confusion in Court-Related Cases. (Online CE Course #5), retrieved from https://centerforethicalpractice.org/ce-online-courses/ethics-courses-for-mental-health-professionals/ [17]

Harris, E. & Younggren, J. (2011, July-August).  But that’s what the lawyer told me.  The National Psychologist, pp. 13, 17.

Health Insurance Portability and Accountability Act of 1996 (HIPAA). Pub. L. No. 104–191, 104th Cong. (1996). [See as USDHHS regulations at http://www.hhs.gov/ocr/privacy ]

Knapp, S. (undated). Responsibilities of HIPAA Privacy Officers.  Retrieved from http://www.apadiv31.org/Coop/HIPAAPrivacyOfficers.pdf

Knapp, S. (undated) : What Should Your Employees Know About Confidentiality?   A HIPAA Training Guide.  Retrieved from http://www.apadiv31.org/Coop/WhatShouldYourEmployeesKnowAboutConfidentiality.pdf [18]

Knapp, S. (2002), April).  Accidental beaches of confidentiality.  Pennsylvania Psychologist, 62, 6-7.

Knapp, S., Gottlieb, M., Berman, J., & Handelsman, M.M. (2007). When laws and ethics collide:  What should psychologists do? Professional Psychology: Research and Practice, 38, 54-59. DOI: 10.1037/0735-7028.38.1.54

Knapp, S. J., VandeCreek, L.D., & Fingerhut, R. (2017). Practical ethics for psychologists: A positive approach (3rd ed). Washington, D.C., American Psychological Association

Koocher, G.P., & Keith-Spiegel, P. (2016). Ethics in Psychology and the Mental Health Professions: Professional Standards and Cases (4th ed.).  N.Y., Oxford University Press.

National Association of Social Workers (2017). Code of Ethics.  Washington D.C., Author Retrieved from https://www.socialworkers.org/About/Ethics/Code-of-Ethics/Code-of-Ethics-English [19]

National Association of Social Workers (2018). Clinical Social Work Practice Tools: Technology.  Retrieved from https://www.socialworkers.org/Practice/Clinical-Social-Work/Technology [20]

National Association of Social Workers (with ASWB, CSWE, and CSWA), 2017. Technology in Social Work Practice. Retrieved from https://www.socialworkers.org/includes/newIncludes/homepage/PRA-BRO-33617.TechStandards_FINAL_POSTING.pdf [21]

Pohlman, C. (2017). Issues in hiring and supervising professional staff and support personnel.  In: S. Walfish, J.E. Barnett, & J. Zimmerman (Eds). Handbook of Private Practice: Keys to Success for Mental Health Practitioners. New York, Oxford University Press, pp. 170-179.

Pope, K.S. & Bajt, T.R. (1988). When laws and values conflict: A dilemma for psychologists. American Psychologist, 43, 828-829.

Virginia Board of Counseling (2015, Nov 13). Guidance Document 115-1.4: Guidance on Technology-Assisted Counseling and Technology-Assisted Supervision. Retrieved from https://www.dhp.virginia.gov/counseling/counseling_guidelines.htm [22]

Virginia Board of Psychology (2018, Oct 20). Guidance Document 125-7: Electronic Communication and Telepsychology. Retrieved from https://www.dhp.virginia.gov/Psychology/psychology_guidelines.htm [23]

Virginia Board of Social Work (2018, Dec 7). Guidance Document 140-3: Guidance on Technology-Assisted Therapy and the Use of Social Media. Retrieved from  https://www.dhp.virginia.gov/social/social_guidelines.htm [24]

Woody, R.H. (2000). Risk management and office personnel.  Florida Psychologist, 51(1).

(© 2016), Mary Alice Fisher, Ph.D.

Portions of this course were adapted from Chapter 13, “Ethics-Based Staff Training About Confidentiality” in the book, The Ethics of Conditional Confidentiality, published by Oxford University Press in 2013. This course is also based on the manual Providing Ethical-Legal Training for Non-Clinical Staff in Mental Health Settings [2] published by The Center for Ethical Practice in 2014. That staff training manual addresses additional areas and provides further resources. To order that staff training manual please follow this link [25] for more information.


Purchase Test Now [26]


continuing education for American Psychological AssociationThe Center for Ethical Practice is approved by the American Psychological  Center for Ethical Practice is approved by the American Psychological Association (APA) to sponsor continuing education for psychologists. The Center maintains responsibility for this program and its content.

continuing education for National Board for Certified Counselors (NBCC)The Center for Ethical Practice has been approved by National Board for Certified Counselors (NBCC) as an Approved Continuing Education Provider (ACEP No. 6768). The Center is solely responsible for all aspects of the programs. Programs that do not qualify for NBCC credit are clearly identified.

The Center for Ethical Practice (provider #1287), is approved to offer social work continuing education by the Association of Social Work Boards (ASWB) Approved Continuing Education (ACE) program. Organizations, not individual courses, are approved as ACE providers. State and provincial regulatory boards have the final authority to determine whether an individual course may be accepted for continuing education credit. The Center for Ethical Practice maintains responsibility for this course. ACE provider approval period: 3/21/2021-3/21/2024. Social workers completing this course receive 3 ethics continuing education credits.



The Center for Ethical Practice
977 Seminole Trail, Charlottesville VA 22901
Tel: 434-971-1841
CenterForEthicalPractice.org [27]