Important Disclaimer: This document is for informational purposes and general guidance only and is not advice on any specific regulatory or legal matter. Always consider getting qualified advice on the facts of any matter before proceeding.
In a world in the midst of the COVID-19 pandemic, therapists have had to adapt rapidly to continue offering psychotherapy. The main form of adaptation has been to transition to delivering remote therapy, whether via telephone or video conferencing. Existing bodies of research have shown online therapy to be effective, but clients and therapists often still have concerns about privacy and security. Now is the time to directly address those concerns and it has fallen on me, as Numinus’s Clinic Manager to take on this challenge. My background as both a therapist and information technology professional helps me to understand and explain our approach to the delivery of remote sessions in the province of Quebec.
Numinus has always had a few therapists providing remote sessions to their clients; now it is the entire team. We have always abided by the rules governing the practice of teletherapy in our jurisdiction and will continue to do so. The Ordre des psychologues du Québec (OPQ), the governing body for psychologists and psychotherapists in Quebec, has produced several documents outlining the ethical and practical guidelines for remote therapy (in French only). I will briefly summarize these documents:
OPQ Guidelines for Psychologists/Psychotherapists practicing in Quebec
- Quebec considers where the therapist is located to dictate whether or not they can legally deliver therapy to the client. As long as the therapist is licensed to practice in Quebec, and delivers services from Quebec, teletherapy is acceptable to the OPQ. The OPQ considers the client to have virtually travelled to the therapist’s office. Most other jurisdictions consider where the client is located to be the deciding factor in where the therapist has to be licensed, as they consider the therapist as having virtually travelled to the client. The OPQ also dictates that all remote therapy should also follow the guidelines of the client’s home jurisdiction. In normal circumstances, this means that Numinus’s therapists can only provide online therapy to those who are resident in Quebec. However, due to the current COVID-19 crisis, many jurisdictions are temporarily granting permission or licenses for remote therapists. This can be discussed during intake to Numinus, and if you are outside of Quebec, we may be able to match you with a therapist who is already licensed where you live, or who can be temporarily licensed to offer you services.
- The OPQ documents list a variety of software options that are being used for remote sessions, including Microsoft’s Skype, Google’s Hangouts (now called Meet), Apple’s FaceTime, and Cisco’s Webex. They do not pass judgement on, or make a recommendation for, any of them. All use encryption to some extent, and the OPQ notes that they are acceptable, though paid solutions (such as the corporate Google Meet platform that Numinus uses) are preferable. The OPQ also states that password protection can add an extra layer of security — all while noting that no online platform is perfectly secure. In a recent update, the OPQ also notes the ubiquity of Zoom and notes the more secure ways in which it can also be used.
- As with all psychotherapy, clear and informed consent is required before engaging in sessions, remote or otherwise. The implications and limitations of the types of therapy should be described by the therapist and agreed to by the client.
Encryption, End-to-End Encryption, and You
Encryption is a way to obfuscate the contents of a message, or video, so that only someone with the proper decryption key can undo the encryption and see the contents of the encrypted communication. End-to-End (E2E) encryption adds an extra layer of security so that even the provider of the tool or service cannot decrypt the contents of communications, even if compelled to by law, or hacked by a malicious actor who inserts themselves as a “man in the middle” at the corporate level (e.g., at a software company’s servers that offer the teleconferencing solution).
The most common questions that arise from these guidelines relate to encryption. Does your therapist use a tool that encrypts your communication, preventing casual electronic eavesdropping by unsophisticated attackers? Good odds that the answer is yes, and at Numinus, we definitely do. All the tools listed by the OPQ use some form of encryption in order to prevent electronic eavesdropping.
PIPEDA, HIPAA, and Quebec’s “substantially similar” legislation
You may have heard people talking about various names for electronic privacy legislation passed in various jurisdictions and how they relate to remote practice. In the United States, there is HIPAA, in Canada there is PIPEDA. In Québec’s there is An Act Respecting the Protection of Personal Information in the Private Sector, An Act to amend the Act respecting health services and social services, the Health Insurance Act and the Act respecting the Régie de l’assurance maladie du Québec, all of Québec’s privacy laws relating to health records. The most important things to know about all of these laws, from Numinus particular perspective:
- HIPAA does not apply, as we are located in Québec and only practicing in Québec.
- PIPEDA is superseded by Québec’s personal information privacy act, as it is considered to be “substantially similar”.
- Focusing on the Quebec acts, the most pertinent sections are:
- A person carrying on an enterprise must take the security measures necessary to ensure the protection of the personal information collected, used, communicated, kept or destroyed and that are reasonable given the sensitivity of the information, the purposes for which it is to be used, the quantity and distribution of the information and the medium on which it is stored.
- Consent to the collection, communication or use of personal information must be manifest, free, and enlightened, and must be given for specific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested.
- Numinus, through its use of encrypted tools, fulfills the requirements of necessary protection. And all Numinus practitioners have a special consent form that they will explain and get signed by all clients who are engaging in remote therapy.
What you can do to help ensure that your sessions remain confidential
When it comes to security, you are more likely to have your remote session’s privacy violated by a person physically listening in from a nearby location than by a sophisticated state actor capable of breaking encryption or inserting themselves as a “man in the middle” attacker (e.g., the National Security Agency in the United States). The corporations offering these communication services have a vested interest, both legal and financial, in maintaining the privacy of these communications, so unless compelled by court order, they will not intercept any remote communications or turn over any recordings (which they all state that they do not even make in the first place). One could argue that you are as likely to have an in-person session bugged by law enforcement as to have a court order issued mandating that a session be captured and decrypted. If this is a real concern of yours, due to your work or other factors (e.g., you are a high level government official, famous actor, or crime lord), then online sessions might be best avoided! If you are not generally at risk of being a target of a state-level actor or law enforcement, you can also do some basic things to best assure your privacy:
- Make sure you are initiating sessions from a place where you can monitor, and ideally control, your environment to prevent someone from physically listening in.
- Do not use public WiFi networks when engaging in remote therapy unless there is absolutely no other choice. And if you must use public WiFi, then you must use a Virtual Private Network (VPN) software solution to provide an additional layer of protection to your communications.
- Regularly run virus and malware scans of your computer, or use your mobile device for your remote session, as they are far less prone to viruses and malware.
I hope this helps to inform you and address any concerns you might have, whether as a therapist delivering remote sessions, or a client on the receiving end!