Digital Ethics: Keeping Confidentiality Click-Safe

ethics Jul 02, 2026

The way mental health professionals communicate and document client care has changed dramatically in recent years. Telehealth has expanded at a pace few could have anticipated, messaging with clients has become routine, and electronic records now follow clinicians across devices and platforms. These shifts offer real benefits. They also introduce a new class of ethical risk, one that can surface not from bad intentions but from a single uninformed click.

Why digital ethics demands attention now

Telehealth use increased roughly 38 times over pre-pandemic levels and hasn't returned to its former baseline. Clinicians now conduct sessions over video, exchange messages between appointments, and store sensitive notes in cloud-based systems, often on the same devices they use for personal communication. Clients, meanwhile, have come to expect convenience, sometimes preferring speed over security.

In this environment, data breaches and inadvertent disclosures aren't rare exceptions anymore. Client information is now one of the most significant areas of clinical risk, and the ethical obligations that apply in a traditional office setting apply with equal force online.

The difference between legal and ethical standards

A helpful way to think about digital practice is that law and ethics occupy different positions. HIPAA and state regulations set the floor: the minimum standard a clinician must meet to avoid legal liability. Professional ethics codes set the ceiling, describing the aspirational practices that actually protect clients and demonstrate professional integrity.

Documentation is the bridge between the two. A text exchange, a video session, an email thread: each becomes part of the clinical record and is subject to legal discoverability. Treating digital communication as anything less than formal clinical documentation is an ethical and practical mistake.

Telehealth-specific risks clinicians must address

Providing care via video or phone introduces risks that don't exist in a private office. Clients may join sessions from cars, parks, or shared living spaces where others can overhear. Technology can fail at precisely the wrong moment, during a crisis disclosure or a high-stakes conversation. Clinicians also need to be aware that inadvertently conducting a session with a client located in another state may constitute unlicensed practice.

Informed consent for telehealth should address these realities directly. Clients deserve to understand the risks of hacking and privacy trade-offs, to have a clear emergency protocol tied to their physical location, and to know that unauthorized recording of sessions is prohibited.

Messaging and email in clinical practice

Standard SMS text messaging is not a secure channel. It functions, in effect, as a digital postcard, readable by more parties than most users realize. Despite this, texting has become common in clinical communication, often because clients initiate it and clinicians feel pressure to respond. The convenience comes at a cost: blurred boundaries, after-hours expectations, and the risk that sensitive health information ends up stored on an unsecured personal device.

Email carries its own hazards. The familiar "Reply All" error can cause accidental disclosure, and email isn't appropriate for crisis communication because of delivery delays. Email exchanges with clients are also a permanent part of the client chart, so every message sent and received has to be treated accordingly.

Platform security and social media boundaries

Clinicians choosing platforms for telehealth or client communication should prioritize end-to-end encryption and confirm that any third-party vendor has signed a Business Associate Agreement (BAA), a HIPAA requirement. Audit logs, records of who accessed client data and when, are another essential feature of responsible digital practice.

Social media raises a separate but related set of concerns. Most therapists maintain some social media presence, and platform algorithms can inadvertently reveal professional-client relationships. A clinician's public profile may also expose political views, personal affiliations, or lifestyle details that complicate the therapeutic frame. Keeping a deliberate distinction between personal and professional digital identities isn't optional; it's an ethical responsibility.

Digital ethics isn't a separate category from clinical ethics. It's the same set of core principles applied to a new environment. Beneficence and nonmaleficence require that technology choices do no harm. Fidelity requires maintaining trust across every platform a clinician uses. Professional integrity requires accurate and honest digital representation. Clinicians who bring the same care to their online presence and digital communication that they bring to the treatment room will be best positioned to protect both their clients and their careers.

For deeper exploration of these principles in practice, visit www.justitiafoundation.com.

Based on a presentation by Tommy Black, Ph.D., LPC, LMHC, CPCS, ACS, Executive Director, Justitia Foundation