Those Confidentiality Disclaimers At The End Of Your Email..

Huge numbers of clinicians have disclaimers at the end of email messages that say something like this:

“The information contained in this email is CONFIDENTIAL. If you have received this message in error or without the express direction of the original author, please notify the sender and delete this email immediately.”

But what does that mean? Should you have one of these disclaimers? And if you do, does it have any effect?

This raises the following questions:

1. Should confidential information be sent via email?
2. Are these disclaimers enforceable?
3. If they aren’t enforceable, why append them to emails?

With regard to the question of whether confidential information should be sent via regular email, the answer is “probably not.” The answer includes the word “probably” because some clinicians may have secure email.

In California, mental health clinicians owe a duty of confidentiality to their patients. This means, among other things, that clinicians must safeguard the privacy of patient data and not expose those data to unauthorized persons. The use of email to transport patient data is problematic because it is insecure, and the use of insecure methods when it comes to confidential information is likely in violation of that duty of confidentiality.

According to Roger Keesee of Kinetix Technology Services, a technology support provider for medium-sized businesses, regular email travels across the Internet as easily readable text. Anyone, anywhere along the path between sender and receiver can read the email without anyone knowing. Because of this, regular email is definitely not secure. Some people have secure (called “encrypted”) email, and when this is the case it is obvious that the email is secure. Both the sender and receiver need to have their computers configured to send and receive encrypted email. Indeed, it can be somewhat complicated to set up; many email users who are not familiar with security measures choose to have an expert set up their email. The general rule is that unless you are sure your email is secure, it probably isn’t. Individuals who use the more common email providers such as Hotmail, Yahoo!, AOL, GMail, etc., without significant custom modifications are not using a secure email. Thus, email shouldn’t be used to transmit confidential information because it could violate a clinician’s duty of confidentiality.

Considering all of this, the answer to the question of whether confidential information should be sent via email is “no,” unless you are sure you have secure email.

So if most email isn’t secure, and confidential information shouldn’t be sent via email, why bother including a warning that confidential information sent to the wrong address should be destroyed? Isn’t it pointless? Well, sort of. But there are some good reasons why people choose to do so:

One possibility is that people are actually sending confidential information via unsecured email. Bad idea (see above).

Another possibility is that they don’t intend to send confidential information via email, but in the event that they make a mistake and do transmit confidential information they want to make sure that they have some sort of instruction in case the message strays. Again, it’s just not a good idea to send confidential information via email at any time.

Other clinicians do not send confidential patient data, but sometimes engage in confidential communications with parties to whom they do not owe a psychotherapist-patient duty of confidentiality. An example of this is a forensic clinician who is acting as a consultant and communicates with the hiring party. In this case the relationship between the clinician and client is not a treatment relationship per se, and the information (e.g., litigation strategy) may not be subject to the same levels of security that patient data might require, but the information nevertheless remains confidential and the clinician desires to forewarn any unintended recipient.

This inevitably raises the question of what happens when an email goes awry. Does an unintended recipient have to do what the addendum says? In a word, “no.” However, that doesn’t make the text worthless. Such an addendum effectively puts the unintended recipient on notice that such information is sensitive and that others may be harmed by the publication thereof. He or she cannot do whatever they would like with the information (e.g, redistribute it, etc.) and still claim ignorance of the possibly harmful effect of such an action.

Note that this isn’t a recommendation or endorsement of the practice of appending a “don’t-forward-this-mistakenly-sent-confidential-information” statement to the end of every email. If you put such an addendum at the end of every email it makes it look like you don’t really mean it. For example, if you are a member of a listserv and all of your posts to the list include a standard addendum, it makes your claim that the unintended recipient should have known it was a critical confidential communication much less credible.

Here’s an example of the addendum I use for my listserv posts:

“CONFIDENTIALITY NOTICE: This email and the contents thereof are not confidential because the message was sent to a whole listserv. If you received this message in error, you don’t have to destroy it or return the original to the sender. I mean, you can if you want, but really it’s not necessary to go to so much trouble. This is especially true since this email is just silly pitter-patter and not a clinical or top secret legal communication between you and me. If you want to see confidential stuff, you’ll have to break into my file cabinet after hours or rifle through my trash can. But if you do that watch out, because sometimes I throw away broken pop bottles and you could cut yourself and get a nasty infection from the week-old coffee grounds and moldy leftovers I throw in the trash too.”

Hopefully this post provides some clarification, and also a fair warning to not dig around in my trash. Feel free to post your comments or questions.

IMPORTANT: This website is for basic information only. Nothing in this website should be construed to be formal legal advice, nor does it create an attorney-client relationship. Please see the “Important Information” page at the top of the screen.



8 Responses to “Those Confidentiality Disclaimers At The End Of Your Email..”

  1. Holly says:

    Can a patient send confidential information to the therapist? If the therapist responds to the email in some minimal way, does that violate confidentiality?

  2. Clinical Lawyer says:

    Dear Holly,

    The duty of confidentiality is something that clinicians owe to their patients, not the other way around, so it likely wouldn’t be *legal* problem if a patient spontaneously sends their own confidential information to the therapist via unsecure channels. However, it could be a problem if the therapist responds via the same channel. In addition, this could be problematic if the therapist knows that the patient will do this and doesn’t say anything in the session about how or why it might not be such a good idea.

    Many states are developing laws and regulations that address these issues, so the answers could be variable depending on jurisdiction.

    As for therapists responding, it’s generally a good idea to address these things in the session. Communications outside the session sometimes are just about practicalities (i.e., rescheduling), but other times they can reflect boundary difficulties. Some states have held that, owing to the stigma that still surrounds mental health treatment, the mere fact that someone is in treatment is confidential. In these states if responding to the email identifies/confirms someone as a patient is a breach, this could be a violation of the duty of confidentiality. Remember, you never know who is sending the email or who is reading it.

    By talking about these things ahead of time, it possible to avoid unintended breaches of the duty of confidentiality. Some therapists have their patients sign waivers, but the validity of these waivers would depend on (1) state-specific laws, (2) the language of the waiver, (3) whether the therapist is a HIPAA covered entity, (4) the length of time the waiver purports to cover, and (5) the kinds of information the parties contemplate sending via email.

    Thanks for the question. This is an issue that will become increasingly more prevalent as time goes on. If you have follow-up questions, please feel free to post them as comments.

  3. I’m not sure about your answer here. My understanding is that the client sets the standard of confidentiality. For example, in most state laws if the client sues the therapist all restraints on confidentiality are off. Additionally, if the client publicly discloses treatment by the therapist, then it gets very muddy as to protection of confidential info. So if the client emails the therapist then the standard of email communication has been set by the client. One might argue between email information about resetting an appointment vs. being sexually abuse by a parent, but the client ultimately sets the level of confidentially.

  4. Dear Michael,

    Thanks for your comment. As to the legal relationships between the parties, the default position on therapist-patient confidentiality is that the therapist owes the patient a duty of confidentiality, and the patient has a legal right to those confidences (subject to the standard exceptions of harm to others, self, etc.). You are correct that the patient has the option of waving those rights to confidentiality, which then releases the therapist from his/her duties. However, (and this is a big however) the therapist is only released from those duties the patient has explicitly waived.

    My position, which is echoed by every licensing board I know of, is that therapists should never assume that the actions of their patients implicitly waive the duties owed by therapists to their patients. Patients have the option of waiving the obligations owed to them by their therapists, but such a waiver should be explicit and knowingly and intelligently made.

    I think an argument could be made that a patient who shouts from the rooftops the contents of his/her therapy sessions with “Therapist X” no longer has a reasonable expectation of privacy with respect to the information the patient divulged, but that is a different legal question than whether Therapist X is still obligated to keep his/her patient’s confidences. I would rather not have to make the argument in front of a jury or licensing board that Therapist X could shout the same information, simply because his/her patient did. I think that’s a losing argument.

    It is very risky to engage in the practice of “if they did it I can too,” because our patients don’t have the same legal obligations we have.

    Some points of clarification: in California, when a patient sues his/her therapist the patient can use otherwise confidential information to construct a defense. That is to say, a patient can’t sue his/her therapist and then prevent the therapist from introducing exculpatory evidence at trial on the basis of the psychotherapist-patient privilege. It’s just not fair to sue someone and use the confidential relationship to prevent them from articulating a defense. But that’s an entirely different thing than a blanket waiver of those rights. I’m not sure if you are saying that the therapist, after being sued by the patient, is then free to disseminate the confidential information in whatever way he/she chooses to whomever he/she chooses. If you are saying that, it is probably incorrect.

  5. Frank says:

    What about this on a non-medical front.

    What if a person, call him A, sends an email to person B, complaining about a company.

    And person B replies and at the end has a CONFIDENTIAL NOTICE and how the email can not be redistributed.

    Is that legally enforceable? Or can person A take that reply and post parts of it on a website?

    Frank

  6. Hi Frank,

    Great question. The answer is: “it depends.”

    And the variables upon which it depends include (but are not limited to):

    – Whether the parties have a legal relationship where one or both of the parties owe each other a duty of confidentiality.

    – Whether the parties have agreed to keep their communications confidential.

    – Whether the communications are covered under a law that mandates confidentiality of some sort.

    – …. and many other possibilities.

    But having said all that: one person simply telling another that “this is confidential,” in the absence of any other agreement or requirement that the communication be kept confidential, doesn’t necessarily mean that you have to keep the communications confidential. If some random person tells you that you need to keep a secret, you don’t necessarily need to agree to it.

    For example, if I send an email to a company complaining about the quality of their potato chips I just purchased, and a customer service representative responds to me with an email laden with explicatives, but the email is concluded with a confidentiality notice saying that I can’t forward the offending email, the confidentiality notice isn’t likely to be enforceable.

    But when in doubt, always consult a local attorney.

  7. Taylor Craig says:

    If your not supposed to read an email that wasn’t suppsoed to be sent to you, then how do you know that unless you read it?

  8. Excellent point! My sense, however, is that those notices are intended to give notice that the material shouldn’t be distributed because it is private. I also think some believe they may have “CYA” value.