With a growing number of therapists turning to the online world to conduct some form of counseling or therapy, legitimate concerns have been raised about the limitations of this modality. This article seeks to clarify some of the most relevant issues related to confidentiality when offering mental health services online.
Technical Limits to Confidentiality in the Real World
Confidentiality is not an absolute. It never has been in the real world, nor should it be held up to an impossible or ideal standard in the online world. Every area below is an area which I am personally familiar with; other areas may exist but are not included here. Confidentiality is broken under specific circumstances, both legitimately and illegitimately:
- By a court order – The therapist/client relationship is not well-protected in most courts (only the lawyer/client relationship is absolute). Most therapists honor subpoenas, but try to keep as much information confidential as possible when responding to them.
- Life or death – When the client’s life is in danger, or the client threatens to harm someone else, the client’s rights to confidentiality are set aside. Life is more important than a person’s right to privacy in this equation.
- Abuse – Our society no longer tolerates child, elder, or any other kind of abuse. Therapists often break confidentiality when they become aware of such an issue, either to protect the client, or to protect the victim.
- Peeking at the records – Secretaries and other office personnel often have to handle a client’s entire chart even though all they are concerned with are billing or appointment issues. Confidentiality is often inadvertently broken in this manner. Doctors, therapists, and nurses who are not directly treating the client may also look at that client’s chart in most facilities and organizations without being questioned about their activity.
Obtaining unauthorized access to a client’s chart may be as simple as going into an unlocked or loosely-monitored filing room and browsing through the files. In larger organizations, this activity can go unquestioned and unnoticed by other staff. In some hospitals, access to confidential chart material can be gained by wearing a doctor’s white coat and by simply looking like you know what you’re doing. Never underestimate the power of attitude.
Authorized staff or clinic personnel examining parts of a client’s record that they have no valid purpose in viewing may present a more commonplace and troublesome breach of confidentiality.
- Overheard conversations – I’ve worked in facilities which were less than ideal. People’s conversations could regularly be heard through paper-thin walls. Sound machines were employed to try and reduce this problem, but I honestly don’t believe they worked as well as some would believe (and not everyone used them). I’ve sat in waiting rooms where I could clearly hear what was being discussed in a next-door office.
- No proper authorization – Informal conversations about patients occur frequently between members of the staff and colleagues at the same organization. Unless they are done in the context of formal supervision, a case conference, or a formal consultation, however, such conversations are usually forbidden by law and ethics codes. Conversations which are okay may include consulting with a supervisor or another therapist without necessarily revealing identifying information, or the presentation of a case with the client’s written, informed consent. Conversations which can cross the line are those where identifying information is often the first thing revealed when discussing a case with a colleague or staff person. This is a gray area in real-world confidentiality, and one which is often misunderstood and abused.
- Failure to remove identifying information – When presenting a case in a case conference or staff meeting, clinicians sometimes fail to remove sufficient identifying information, so that the client’s identity is inadvertently revealed to the staff members. Since different professions have different ethical standards with regard to confidentiality, such accidentally revealed information may then be further disseminated amongst the less-professional staff.
- Seeing a person walk into a mental health clinic or clinician’s office – Confidentiality and privacy are very much lost when anyone can observe the public comings and goings of an individual as they make their way to or from a mental health clinic or a therapist’s office. The therapist or office staff never have to say a word to anyone — the whole world can see that Person H is in therapy or has an appointment with a psychiatrist.
Technical Limits to Confidentiality in the Online World
- Contact information – The same areas of legitimate limits to confidentiality exist online as much as they do in the real world. The main differentiating factor is that, whereas clinicians in the real world are relatively confident of having accurate contact information (although the validity of that confidence may only be tested when a therapist goes to contact a person for whatever reason and finds the information to be false), clinicians in the online world may not have gathered or verified such contact information.
Best practice dictates that real-world contact information is imperative, however, to ensure an emergency situation can be properly handled. (Putting off obtaining or verifying such information is not recommended; the nature of an emergency is that it is unexpected and traumatic, so you cannot count on gaining that information at that later moment.)
- Accidental recipient – A client or therapist may accidentally send a confidential e-mail to an unintended recipient. This happens all the time on electronic mailing lists (or listservs). Someone replies to someone else in what they thought was private e-mail, but it actually ends up on the mailing list for all of its hundreds of subscribers to read. One can imagine this is a legitimate concern and risk in the area of electronic communication (a much higher risk than unauthorized interception of one’s electronic communication).
One solution to this problem is to emphasize the importance of double-checking one’s recipient list in the e-mail before pressing the Send button.
- Unauthorized access to your e-mail – Another legitimate risk is the unauthorized access to your e-mail by either another member of your staff, the public, or your family. People share computing resources all the time. The most popular operating system in use today, Windows 3.x/95/98, has pitiful to non-existent user-based security, if it’s even used at all. So it is quite possible — and some would argue even likely — that if an individual uses e-mail from a family PC at home, their privacy or confidentiality of electronic communications cannot be easily ensured.
One solution to this problem is for the client to use a Web-based e-mail system, such as Hotmail or Freemail. While this may solve this kind of unauthorized access to your e-mail by the users sharing your computer, it may open you up to additional illegitimate risks to confidentiality (noted below). Such systems are also not usually capable of using encryption.