Caught in the Middle: Ethical/Legal Mandates and Test Security

By Marcia M Andberg, Marcia Andberg Associates LLC
Email: Marcia Andberg 

Presented at the American Psychological Association Convention, Honolulu, Hawaii, July 28, 2004

Symposium: Recent Developments in Psychological Testing – Update for Assessment Professionals

It may not have happened yet in your practice, but it is possible that one of your patients or clients will request a copy of his or her records. If you included tests in your evaluation of the client, the request may include copies of the tests. At that point, you’ll be faced with advice, guidelines, and laws that may influence your actions. You will need to consider the 1996 Health Insurance Portability and Accountability Act (HIPAA), The APA Ethical Principles of Psychologists and Code of Conduct, The Standards for Educational and Psychological Testing, Copyright and Trade Secrets laws, among others.

This presentation is not intended or given as legal advice. In fact, it is recommended that you consult your HIPAA compliance officer or attorney in any given situation. This presentation will simply provide some background, highlight some of the issues, and suggest some alternatives you and your compliance officer can consider.

Three important areas of concern will be discussed today. First, what directives allow release of client/patient data? Second, what constitutes client/patient data in a testing situation? Third, under what conditions can this information be released or withheld?

What directives provide guidelines on the release of information?

If you are in a health care setting, your patient/client has the right, under certain conditions, to inspect and copy records that contain his or her Protected Health Information (PHI) under the 1996 Health Insurance Portability and Accountability Act (HIPAA). Protected Health Information (PHI) is the set of designated records with the patient’s individually identifiable health information that are maintained by health plans, doctors, hospitals, clinics, nursing homes, and other entities covered by HIPAA. Typically this is the information that you may have used or will use to make decisions about the individual’s diagnosis, treatment, or outcomes. Among other rights, individuals have relatively unlimited rights to inspect and copy their PHI.

A second important directive is The APA Ethical Principles of Psychologists and Code of Conduct (The Ethics Code) which became effective on June 1, 2003. The Ethics Code addresses the HIPAA disclosure requirements for PHI in Standards 9.04 (Release of Test Data) and 9.11 (Maintaining Test Security). The Ethics Code requires that in most circumstances you must provide test information when the client or his representative requests it.

What constitutes Protected Health Information when using psychological tests?

PHI in a test situation is defined in Standard 9.04 of The Ethics Code:

“The term test data refers to raw and scaled scores, client/patient responses to test questions or stimuli, and psychologists’ notes and recordings concerning client/patient statements and behavior during an examination. Those portions of test materials that include client/patient responses…”   (The APA Ethical Principles of Psychologists and Code of Conduct, 2002, p. 14)

Test publishers often define test data as answer sheets, record forms, or protocols that are identified by the patient’s ID number and stored by the covered entity. This would include record forms where the patient has marked the bubbles or filled in the blanks or the examiner has recorded the patient’s responses. It also includes profile, summary, or interpretive reports stored by the covered entity that are identified by the patient’s ID number and which contain information that the covered entity uses to make decisions about the individual.

Stephen Behnke, the APA Ethics Director, succinctly stated that test data “includes any information the psychologist collects that is unique to a particular client.” (Behnke, S., 2003, p 70)

It should also be noted that Standard 9.11 of The Ethics Code (Maintaining Test Security) makes a distinction between test data and test materials. It states: “…test materials refers to manuals, instruments, protocols, and test questions or stimuli and does not include test data.” (The APA Ethical Principles of Psychologists and Code of Conduct, 2002, p. 14). Thus, to qualify as test materials under this definition, the material cannot include individually identifiable health information.

This distinction is further underlined by test publishers who typically list test materials as test booklets or protocols (when the answers are entered on a separate form), test questions (with no personal responses), test manuals, normative data, test user guides, and other supporting materials such as scoring templates or keys and computer scoring programs.

In support of that view, Dr. Behnke, in the Monitor article mentioned earlier, summarized by saying that test materials are those that “do not include anything unique to this particular client.” (Behnke, Monitor on Psychology, 2003, p 70).

There appears to be a common understanding, then, between HIPAA, The Ethics Code, and test publishers on what constitutes Personal Health Information in a test situation. If a patient requests a copy of their personal information and, in that designated set of materials, there is test information that has that patient’s personal information on it, it is included as Personal Health Information. If on the other hand, the patient requests other material such as a test manual or scoring keys, those materials are not considered Personal Health Information and should not be released as such.

Under what conditions can this information be released or withheld?

This question is not as easily answered. HIPAA and Standard 9.04 of the Ethics Code allow for exceptions to the release of test data.  Some of these fall under psychologists’ professional judgment/discretion and some under circumstances regulated by federal or state law. If there is conflict between ethics, law, and regulations, then understanding when to release data can be unclear. Standard 1.02 of the Ethics Code speaks to resolving the conflicts between Ethics, Law, and Regulation:

“If psychologists’ ethical responsibilities conflict with law, regulations, or other governing legal authority, psychologists make known their commitment to the Ethics Code and take steps to resolve the conflict. If the conflict is unresolvable via such means, psychologists may adhere to the requirements of the law, regulations, or other governing legal authority.” (The APA Ethical Principles of Psychologists and Code of Conduct, 2002, p. 4)

In these situations, psychologists may want to seek legal advice and consult with their HIPAA compliance officer or attorney.

Possible Situations

Four situations are mentioned in this paper:

  1. Protection of client/patient;
  2. Copyright and trade secrets law;
  3. Court ordered release; and
  4. Use in civil, criminal, or administrative actions or proceedings.

These situations should not be considered an exhaustive list.

Protection of Client/Patient

The Ethics Code allows the psychologist to use discretionary professional judgment on release of test data. “Psychologists may refrain from releasing test data to protect a client/patient or others from substantial harm or misuse or misrepresentation of the data or the test…” (Standard 9.04 The APA Ethical Principles of Psychologists and Code of Conduct, 2002, p. 14)  Licensed psychologists (or in the case of HIPAA, the covered entity) can deny access to these records if, in their professional judgment, release is likely to cause substantial harm either to the client or to others. If, however, there is a conflict between the psychologist’s professional judgment and a court order, then Dr. Behnke, as well as others, recommend the psychologist seek legal counsel.

Copyright and Trade Secret Laws

Tests typically are protected by copyright law, and test authors and publishers are reluctant to give permission to release test data. Of critical importance to these parties is the maintenance of the integrity of the test so that it will continue to be a valid and useful tool. Authors and publishers explain that the dissemination of record forms (which may disclose test questions and answers) may result in the “next” patient having knowledge of test content prior to testing.  This may lead to invalid recommendations. To explain further: when the client has knowledge of the content or the underlying constructs, and/or perhaps the responses, that person is no longer comparable to a naïve normative group. As a result, decisions, and diagnostic and treatment recommendations for this patient may no longer be valid when based on the normative distribution.

In past years, instances of exposure of test materials have been reported. The advent of the Internet has increased this risk through its ease of publishing and disseminating information to a broad audience. At times the exposed test content has been accompanied by coaching and hints so that clients could prepare their responses before being tested and thus have a better chance at winning a child custody case or qualifying for workman’s compensation or another program. After such exposure of the test, the practitioner is left not knowing whether or not his client is a naïve test taker, and thus, whether the comparisons to normative and research data are valid.

Protection of copyrighted material is addressed by The Standards for Educational and Psychological Testing and the Ethics Code.

Standards 11.7 and 11.8 state:

“11.7: Test users have the responsibility to protect the security of tests, to the extent that developers enjoin them to do so.”

“11.8: Test users have the responsibility to respect test copyrights” (Standards for educational and psychological testing, 1999, p. 115).

And The Ethics Code Standard 9.11 states in part: “Psychologists make reasonable efforts to maintain the integrity and security of test materials and other assessment techniques consistent with law and contractual obligations, and in a manner that permits adherence to this Ethics Code.” (The APA Ethical Principles of Psychologists and Code of Conduct, 2002, p. 14).

Court rulings also confirm that tests deserve protection under copyright law. Most commercially available tests are copyrighted. That means that, in general, it is illegal to reproduce the test product in any format without permission.  To reinforce this, one test publisher clearly states: “Tests, test protocols, test items, norms, score reports and other related materials…are copyrighted.  They are not to be reproduced or transmitted in any form or by any means….without permission in writing from the publisher.  The reproduction of any part of the publisher’s copyrighted tests and related materials ….is a violation of federal copyright law.” (The Psychological Corporation, 2003).

Further, many test publishers require that you sign an agreement in order to purchase the test. These agreements typically state that you agree to adhere strictly to copyright laws and to not provide copies of test information to unqualified individuals. Almost all clients or patients do not meet the qualifications that would allow them access to this material.

HIPAA and Copyright and Trade Secrets Law

Because of the advent of HIPAA and the new Ethics Code, a publisher sought guidance on copyright and trade secrets laws in reference to HIPAA. The publisher contacted the U.S. Department of Health and Human Services (HHS) which is responsible for HIPAA. Richard Campanelli, the Director of the Office of Civil Rights at HHS, responded about copyright protection as follows:

“[I]t is not apparent that copyright laws and the Privacy Rule cannot be reconciled or that copyright law operates so as to prohibit disclosures of protected health information that are mandated by the Privacy Rule’s right of access by individuals.” (Campanelli, August 6, 2003)

It appears that issues of copyright protection have yet to be defined by case law.

HIPAA suggests an alternative to releasing test data is to provide summary information to the individual. This is allowed if you and your covered entity and the individual agree to this in advance. The individual still retains the right to later request and obtain access to the underlying documents. Many test publishers suggest this approach. You and your HIPAA compliance officer or attorney may want to consider it.

In the same communication, Mr. Campanelli considered Trade Secrets law. He wrote:

“[A]ny requirement for disclosure of protected health information pursuant to the Privacy Rule is subject to Section 1172(e) of HIPAA, ‘Protection of Trade Secrets.’ As such, we confirm that it would not be a violation of the Privacy Rule for a covered entity to refrain from providing access to an individual’s protected health information, to the extent that doing so would result in a disclosure of trade secrets.”  (Campanelli, August 6, 2003)

In other words, Trade Secrets law takes precedent over the disclosure requirements of HIPAA’s Privacy Rule. Whether this opinion has the force of law or is advisory only remains to be determined.  However, at least two publishers make the argument that their products are trade secrets and therefore should not be released to unqualified persons.

Court Ordered Release

The Ethics Code provides additional protection for the patient/client by prohibiting the release of PHI without a law or court order in the absence of a client/patient release.

If the situation arises where the court has ordered the release of copyrighted material to unqualified individuals, many publishers have requested that all test data be maintained as sealed records or not included in the records of the proceedings.  In addition, some publishers have requested that the court require that test data be returned to the originating professional at the end of the proceedings and that the court expressly prohibit the reproduction of test data in any manner.

Use in Civil, Criminal, or Administrative Actions or Proceedings

HIPAA provides for denial of access to protected health information if there is reason to believe that the test data would be used in correctional facilities, civil, criminal, or administrative action or proceedings. In a list provided by one publisher, situations where that might occur include: in forensic applications such as child custody disputes, commitment hearings (mental health institutions), competency to stand trial/commitment hearings, civil/criminal/pre-trial/pre-sentence criminal evaluations, insanity defense, personal injury lawsuits/neurological evaluations, and determinations of malingering and lying; in civil, criminal trials, such as those needed to support or impeach expert testimony; in correctional settings to support classification, treatment, and management decisions at intake and throughout incarceration; and in marriage and family counseling for parental fitness, and adoption evaluations. (Pearson Assessments, p. 118).


In summary, we know HIPAA and the new APA Ethics Code have stated that patients/clients have a relatively unrestricted right to inspect and copy their Protected Health Information which may include tests.  We have also learned that the psychologist may be able to provide summary information rather than the underlying records under certain circumstances. In addition, there are a number of circumstances that limit access to these materials. Whether any of these circumstances apply in your individual situation is best determined by you in consultation with the test publisher, your HIPAA compliance officer, or attorney keeping in mind the other risks, laws, and regulations that may allow you to deny access to these records.


American Educational Research Association, American Psychological Association, and National Council on Measurement in Education. (1999). Standards for educational and psychological testing. Washington, DC: American Educational Research Association.

American Psychological Association. (2002). The APA Ethical Principles of Psychologists and Code of Conduct. Washington, DC: American Psychological Association.

Association of Test Publishers (2003, Fall/Winter). HIPAA – Not just a healthcare issue. Test Publisher, 10(2), 7.

Behnke, Stephen. (2003, July/August) Release of Test Data and APA’s new Ethics Code,Monitor on Psychology, 70-72.

Campanelli, R.M.,J.D., Written communication to Barry J. Hurewitz, Esq. (2003, August 6). U.S. Department of Health and Human Services (HHS), Office of Civil Rights.

Health Insurance Portability and Accountability Act of 1996. (1996, August 21). Retrieved July, 2004 from

HIPAA Position Statement, Legal Policies from Harcourt Assessments, retrieved July, 2004, from

Standards for privacy of individually identifiable health information, 67 Fed. Reg. 157 (August 14, 2002).

2003 Pearson Assessments Catalog. HIPAA Frequently Asked Questions (2003). Minneapolis, MN: Pearson Assessments, 117-118.

2003 Catalog for Psychological Assessment Products, (2003), San Antonio, TX: The Psychological Corporation, 2003.

Posted with permission: ® Marcia M Andberg, Marcia Andberg Associates LLC


Leave a Reply