This is a particularly troublesome dilemma and one that most clinicians dread. We take great care to avoid such a situation, and in the event that a fax or letter gets to the wrong person most clinicians are unsure about whether the unintended recipient has any legal responsibilities to avoid further disclosure. Another common question is whether unintentional disclosures such as these render the information non-confidential.
There are a few different ways to look at this question because there are (at least) a few different things happening. First, there is the question of mistakenly sending confidential health records. Second, there is the question of whether the unintended recipient has a duty to keep the records confidential. And third, there is the question of whether the unintended recipient may publicize the information. It might seem odd, but these second and third questions are more than semantic differences. Let’s discuss them in order, below:
The first question is the easiest. When clinicians mistakenly send confidential information that is a breach of the duty of confidentiality. That is relatively simple and likely not a surprise to anyone. However, it’s important to remember that the duty of confidentiality arises out of the psychotherapist-patient relationship and absent this relationship this same duty does not exist. The unintended disclosure of confidential information doesn’t invalidate the duty of confidentiality; it violates the duty of confidentiality.
The second question is about whether the unintended recipient then has a duty of confidentiality. I doubt that very much. The information is probably still confidential, and the fact that the clinician mistakenly sent the information to the wrong party doesn’t eliminate the original sender’s duty of confidentiality. But the duty of confidentiality attaches to the clinician and not the records; it typically doesn’t transfer unless there is an existing relationship between the clinician and the recipient.
So if there is no duty of confidentiality (because it usually arises out of a psychotherapist-patient relationship or connection thereto), that begs the question of whether there are any restrictions on what can be done with those very private records that went awry? There are restrictions, but they probably don’t arise out of a duty of confidentiality that the unintended recipient owes to the patient. There is no relationship between the unintended recipient and the patient that would give rise to such a duty. But the lack of a duty doesn’t mean that they are off-the-hook. One source of the restrictions is likely in statutes surrounding medical records. Another (better) source is in the old common law, which provided for a cause of action for invasion of privacy where there is a publication of private facts; this is an old-fashioned tort claim.
Because of concerns that information might go astray and land in the hands of an unintended recipient, many clinicians include a paragraph in their communications as a precaution. These “confidentiality notices” put recipients on notice that the information is private. The real purpose of the disclaimers isn’t to remind the unintended recipient that they have a legal duty to keep the information confidential, but rather to tell them that the information is private and that the continued distribution of it could constitute a cause of action. It’s a subtle but important difference; instead of having an affirmative duty to do something, they should instead refrain from taking further action with the sensitive data.
This raises the point that I made in another article, which is that these notices are really not very helpful if they are used all of the time. The information that they accompany really should be private or else it looks like you don’t mean it.
IMPORTANT: This website is for basic information only. Nothing in this website should be construed to be formal legal advice, nor does it create an attorney-client relationship. Please see the “Important Information” page at the top of the screen.