WordPress database error: [Duplicate entry '22292' for key 1]
INSERT INTO wp_bas_visitors (visit_ip, referer, osystem, useragent, lasthere) VALUES (644300604, 1, 205, 1322, '2008-08-20 12:51:50');

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND referer = referer_id AND osystem = os_id AND useragent = ua_]
SELECT * FROM wp_bas_visitors, wp_bas_refer, wp_bas_ua, wp_bas_os WHERE visit_id = AND referer = referer_id AND osystem = os_id AND useragent = ua_id

WordPress database error: [You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' '2008-08-20 12:51:50', 0, 382)' at line 1]
INSERT INTO wp_bas_log (visit, stamp, outbound, page) VALUES (, '2008-08-20 12:51:50', 0, 382);

Clinical Lawyer » Those Confidentiality Disclaimers At The End Of Your Email……..

Those Confidentiality Disclaimers At The End Of Your Email……..

July 31, 2007 on 6:28 pm | In Legal Basics, Practice Management, Forensic Practice |

Huge numbers of clinicians have disclaimers at the end of email messages that say something like this:

“The information contained in this email is CONFIDENTIAL. If you have received this message in error or without the express direction of the original author, please notify the sender and delete this email immediately.”

But what does that mean? Should you have one of these disclaimers? And if you do, does it have any effect?

This raises the following questions:

  1. Should confidential information be sent via email?
  2. Are these disclaimers enforceable?
  3. If they aren’t enforceable, why append them to emails?

With regard to the question of whether confidential information should be sent via regular email, the answer is “probably not.” The answer includes the word “probably” because some clinicians may have secure email.

In California, mental health clinicians owe a duty of confidentiality to their patients. This means, among other things, that clinicians must safeguard the privacy of patient data and not expose those data to unauthorized persons. The use of email to transport patient data is problematic because it is insecure, and the use of insecure methods when it comes to confidential information is likely in violation of that duty of confidentiality.

According to Roger Keesee of Kinetix Technology Services, a technology support provider for medium-sized businesses, regular email travels across the Internet as easily readable text. Anyone, anywhere along the path between sender and receiver can read the email without anyone knowing. Because of this, regular email is definitely not secure. Some people have secure (called “encrypted”) email, and when this is the case it is obvious that the email is secure. Both the sender and receiver need to have their computers configured to send and receive encrypted email. Indeed, it can be somewhat complicated to set up; many email users who are not familiar with security measures choose to have an expert set up their email. The general rule is that unless you are sure your email is secure, it probably isn’t. Individuals who use the more common email providers such as Hotmail, Yahoo!, AOL, GMail, etc., without significant custom modifications are not using a secure email. Thus, email shouldn’t be used to transmit confidential information because it could violate a clinician’s duty of confidentiality.

Considering all of this, the answer to the question of whether confidential information should be sent via email is “no,” unless you are sure you have secure email.

So if most email isn’t secure, and confidential information shouldn’t be sent via email, why bother including a warning that confidential information sent to the wrong address should be destroyed? Isn’t it pointless? Well, sort of. But there are some good reasons why people choose to do so:

One possibility is that people are actually sending confidential information via unsecured email. Bad idea (see above).

Another possibility is that they don’t intend to send confidential information via email, but in the event that they make a mistake and do transmit confidential information they want to make sure that they have some sort of instruction in case the message strays. Again, it’s just not a good idea to send confidential information via email at any time.

Other clinicians do not send confidential patient data, but sometimes engage in confidential communications with parties to whom they do not owe a psychotherapist-patient duty of confidentiality. An example of this is a forensic clinician who is acting as a consultant and communicates with the hiring party. In this case the relationship between the clinician and client is not a treatment relationship per se, and the information (e.g., litigation strategy) may not be subject to the same levels of security that patient data might require, but the information nevertheless remains confidential and the clinician desires to forewarn any unintended recipient.

This inevitably raises the question of what happens when an email goes awry. Does an unintended recipient have to do what the addendum says? In a word, “no.” However, that doesn’t make the text worthless. Such an addendum effectively puts the unintended recipient on notice that such information is sensitive and that others may be harmed by the publication thereof. He or she cannot do whatever they would like with the information (e.g, redistribute it, etc.) and still claim ignorance of the possibly harmful effect of such an action.

Note that this isn’t a recommendation or endorsement of the practice of appending a “don’t-forward-this-mistakenly-sent-confidential-information” statement to the end of every email. If you put such an addendum at the end of every email it makes it look like you don’t really mean it. For example, if you are a member of a listserv and all of your posts to the list include a standard addendum, it makes your claim that the unintended recipient should have known it was a critical confidential communication much less credible.

Here’s an example of the addendum I use for my listserv posts:

“CONFIDENTIALITY NOTICE: This email and the contents thereof are not confidential because the message was sent to a whole listserv. If you received this message in error, you don’t have to destroy it or return the original to the sender. I mean, you can if you want, but really it’s not necessary to go to so much trouble. This is especially true since this email is just silly pitter-patter and not a clinical or top secret legal communication between you and me. If you want to see confidential stuff, you’ll have to break into my file cabinet after hours or rifle through my trash can. But if you do that watch out, because sometimes I throw away broken pop bottles and you could cut yourself and get a nasty infection from the week-old coffee grounds and moldy leftovers I throw in the trash too.”

Hopefully this post provides some clarification, and also a fair warning to not dig around in my trash. Feel free to post your comments or questions.

IMPORTANT: This website is for basic information only. Nothing in this website should be construed to be formal legal advice, nor does it create an attorney-client relationship. Please see the “Important Information” page at the top of the screen.

2 Comments »

RSS feed for comments on this post. TrackBack URI

  1. Can a patient send confidential information to the therapist? If the therapist responds to the email in some minimal way, does that violate confidentiality?

    Comment by Holly — October 4, 2007 #

  2. Dear Holly,

    The duty of confidentiality is something that clinicians owe to their patients, not the other way around, so it likely wouldn’t be *legal* problem if a patient spontaneously sends their own confidential information to the therapist via unsecure channels. However, it could be a problem if the therapist responds via the same channel. In addition, this could be problematic if the therapist knows that the patient will do this and doesn’t say anything in the session about how or why it might not be such a good idea.

    Many states are developing laws and regulations that address these issues, so the answers could be variable depending on jurisdiction.

    As for therapists responding, it’s generally a good idea to address these things in the session. Communications outside the session sometimes are just about practicalities (i.e., rescheduling), but other times they can reflect boundary difficulties. Some states have held that, owing to the stigma that still surrounds mental health treatment, the mere fact that someone is in treatment is confidential. In these states if responding to the email identifies/confirms someone as a patient is a breach, this could be a violation of the duty of confidentiality. Remember, you never know who is sending the email or who is reading it.

    By talking about these things ahead of time, it possible to avoid unintended breaches of the duty of confidentiality. Some therapists have their patients sign waivers, but the validity of these waivers would depend on (1) state-specific laws, (2) the language of the waiver, (3) whether the therapist is a HIPAA covered entity, (4) the length of time the waiver purports to cover, and (5) the kinds of information the parties contemplate sending via email.

    Thanks for the question. This is an issue that will become increasingly more prevalent as time goes on. If you have follow-up questions, please feel free to post them as comments.

    Comment by Clinical Lawyer — October 6, 2007 #

Leave a comment

XHTML: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <code> <em> <i> <strike> <strong>