Legal & Ethical Considerations
Legal Considerations
Federal Regulations
The Health Insurance Portability and Accountability Act (HIPAA) establishes the foundation for protecting client privacy in teletherapy. HIPAA's Privacy Rule and Security Rule require covered entities to implement safeguards protecting electronic protected health information (ePHI). For teletherapy providers, this means using platforms with end-to-end encryption, obtaining signed Business Associate Agreements (BAAs) from technology vendors, implementing secure authentication procedures, and maintaining encrypted storage of session recordings and clinical notes. Counselors must ensure that any platform used for service delivery, including video conferencing software, messaging systems, and electronic health records, meets HIPAA compliance standards. The Federal Trade Commission (FTC) enforces regulations regarding online privacy and data security that apply to teletherapy platforms and providers. The FTC has taken enforcement action against companies that misrepresent their security practices or fail to protect consumer health information adequately. Mental health professionals must be aware that even if they are not directly covered by HIPAA (such as providers who do not submit insurance claims), they may still be subject to FTC oversight regarding privacy practices. During the COVID-19 public health emergency, the Department of Health and Human Services (HHS) issued temporary enforcement discretion allowing the use of non-HIPAA-compliant platforms for telehealth. However, as emergency measures expire, counselors must return to full HIPAA compliance. Additionally, federal laws regarding prescribing controlled substances via telemedicine (Ryan Haight Act) impact psychiatrists and other prescribers but generally do not affect non-prescribing counselors directly.
Oregon State Regulations
Oregon licensure laws require that counselors providing services to clients physically located in Oregon must hold an active Oregon license, regardless of where the counselor is physically located. This means if the licensed counselor is licensed in Oregon and providing services via teletherapy to a client who is in another state, the licensed counselor may need to be licensed in that state as well, unless interstate compact provisions apply. The Counseling Compact is an interstate agreement that facilitates teletherapy across state lines. Oregon enacted the Counseling Compact in 2020. This compact allows counselors with a compact privilege to provide teletherapy to clients in other member states without obtaining additional licenses. To practice under the compact, counselors must hold an active, unencumbered license in their home state, meet eligibility requirements, and register for compact privileges. Oregon law requires counselors to establish the client's physical location at the start of each teletherapy session and document this in the clinical record. This service multiple purposes: ensuring appropriate licensure jurisdiction, facilitating emergency response if needed, and determining which state laws govern the therapeutic relationship. Oregon also requires that counselors provide clients with information about how to contact the counselor between sessions and how to access emergency services in their local area. Informed Consent: Oregon regulations require counselors obtain specific consent for teletherapy services, separate from general treatment consent. This consent must address the technology being used, potential risks including technological failures and privacy limitations, procedures for handling emergency situations, and alternatives to teletherapy. Counselors must also inform clients about how electronic communications and data will be stored and secured. Oregon Administrative Rules (OAR 833-020-0041) specifically outline telehealth requirements including verification of client identity, establishment of client location, and compliance with all applicable privacy and security laws.
Additional Legal Considerations
Counselors must also consider liability insurance coverage for teletherapy services. Not all professional liability policies automatically cover technology-mediated services, and practitioners should verify their coverage explicitly includes teletherapy across all states where they practice. Documentation standards for teletherapy sessions mirror those for in-person services, but counselors should also document the modality used, client's location, any technological difficulties encountered, and verification of identity for new clients. Mandated reporting obligations remain fully applicable in teletherapy. Counselors must be prepared to take appropriate action regarding child abuse, elder abuse, danger to self, or danger to others, even when providing services remotely. This requires advance planning regarding how to access emergency services in the client's location and maintaining updated emergency contact information. Some jurisdictions have specific protocols for remote mandated reporting that counselors must follow.
Ethical Considerations
Competence and Training (ACA CODE H.1, H.4.a)
Standard H.4.a requires that counselors practice only within the boundaries of their competence, based on education, training, supervised experience, state and national credentials, and appropriate professional experience. For teletherapy, this means counselors must obtain specific training in distance counseling technologies, understand the limitations of technology-mediated communication, and develop competencies in adapting therapeutic interventions for virtual delivery. Counselors should seek continuing education in teletherapy best practices, familiarize themselves with various platforms and their features, practice using technology before working with clients, and understand how to address technical difficulties therapeutically. Standard H.1.a emphasizes that counselors have a responsibility to understand both the benefits and limitations of technology applications and inform clients accordingly.
Informed Consent (ACA Code H.2.a, H.2.b, H.3.c)
The ACA Code requires enhanced informed consent procedures for teletherapy. Standard H.2.a specifies that counselors must inform clients of the benefits and limitations of technology applications, explain the procedures for accessing services, address confidentiality and security concerns, and provide information about the counselor's credentials and contact information. Clients have the right to understand how teletherapy differs from traditional services and to make informed decisions about their participation. Standard H.2.b addresses boundaries and relationship issues specific to distance counseling. counselors must establish clear expectations about response times to electronic communications, explain the counselor's availability and after-hours procedures, and set boundaries around appropriate use of technology platforms. This includes clarifying what types of communication are appropriate between sessions and how emergencies will be handled. Standard H.2.c requires counselors to verify client identity using appropriate procedures and to obtain authorization for electronic communication. This may involve using video verification for initial sessions, requiring secure authentication for accessing therapy portals, and documenting verification procedures in client records.
Confidentiality and Privacy (ACA Code H.3.a, H.3.b, H.3.c)
Maintaining confidentiality in teletherapy requires vigilance on multiple fronts. Standard H.3.a emphasizes that counselors must ensure confidentiality in electronic communications to the extent possible. While no technology is completely secure, counselors have an obligation to use reasonably secure platforms, educate clients about privacy risks, and take appropriate precautions. This includes using encrypted platforms, securing devices with passwords, ensuring private physical environments for sessions, and properly disposing of electronic files containing client information. Standard H.3.b addresses the unique challenge of privacy in the client's location. Counselors should discuss with clients how to ensure privacy on their end, including finding a private space for sessions, using headphones when appropriate, and considering who might overhear conversations. While counselors cannot control the client's environment, they can help clients plan for privacy and problem-solve potential intrusions. Standard H.3.c requires counselors to inform clients of the difficulty of maintaining confidentiality when using certain technologies and social media. This includes educating clients about risks such as hacking, data breaches, accidental disclosure through screen sharing or visible notifications, and the potential for third parties to access electronic communications. Transparency about limitations allows clients to make informed choices about what information to share through different channels.