All mental health disciplines have ethical codes that provide guidelines for maintaining confidentiality of patient clients among other things. Here is what the NASW Code of Ethics says, as an example: “Social workers should not disclose identifying information when discussing clients for teaching or training purposes unless the client has consented to disclosure of confidential information.”
Central to this discussion is an operational definition of “identifying information”. If it means an actual name or some ID number like a social security number then online discussion of cases pose few problems. Names are rarely used. However if identifying information can mean any combination of facts about a person that can lead someone to zero in on a person then online discussion of case material can be problematic. Of course not everyone has the resources or the desire to track and trace an individual with only a snippet of information, however, the more information an individual has to work with the easier it becomes to trace and individual. I have heard estimates that with as little as 3-4 pieces of demographic information combined with current technology experts can zero in on just about anyone.
Question(s):
J.R. What in your opinion would be a reasonable definition of “identifying information”?
LWG: My view of “identifying information” is based partly on the HIPAA Privacy Rule, which went into effect in 2003. It means any information that can identify the therapist by name, location, and practice or patient by name, location, or details of their emotional problems. HIPAA says this information should be left out of reports to non-covered entities or non-Business Associates. The relevant part of the Rule says “individually identifiable health information” must not be used by covered entities; it must be “de-identified”. This means any name, geographic location, month and day, phone number, fax number, email address, IP address, details of diagnosis and treatment, and identifying numbers (social security number, driver’s license, etc.) The information most commonly identifiable in internet open listserv communication is the therapist’s location, the month, and details of diagnosis and treatment. Even though it might not be intentional on the part of anyone who lived in the same area as the therapist, the identity of the patient might be obvious.
Many therapists are neophytes when it comes to the internet. They think of information shared with colleagues on a listserv as having the same degree of confidentiality as information shared in a peer consult group. The idea that information may be available to millions of people not on the listserv, and that there may not even be complete knowledge of everyone who is on a listserv, is foreign to their view. When therapists do realize the potential confidentiality violations involved in putting information on a listserv, they generally are much more careful. Until we are all at that point, it is up to the owners of a list to maintain confidentiality by setting rules for the list and deciding which posts will be allowed.
JR: Many internet groups may have hundreds of members most of whom are unknown to each other. In some cases there is no way to be sure of the identity of the membership since the majority do not post and can not easily have identities, email address checked. There is no way to be assured that all who may obtain the information is a mental health profession. Are there any ethical principles that may be involved in the above? What liability if any in terms of malpractice or ethics violation would a clinician possibly face in such a situation?
LWG: Unintentional breaches of privacy are still breaches of privacy. In a worst case scenario, a client could find him or herself reading a description of information they had entrusted to a therapist confidentially if the therapist sends a message on unsecured sites like Yahoo, AOL, Comcast, etc. The message could be sent as a variety of “Forwards” until it comes to a list the client is on. While case law is still being developed on the seriousness of such a violation and the penalties involved, the prudent clinical social worker should educate him or herself about the meaning of posting information about clients on the internet.
All social work Codes of Ethics emphasize the importance of maintaining the confidentiality of patient information and communication of this information. "Jennifer Bier, a civilian clinical social worker in Colorado, is currently facing possible arrest for refusing to give records of her work with a woman in the military who had allegedly been raped." Her stance is the one that fits social work ethical guidelines. Imagine her posting information about her client on the web, to get ideas from colleagues on how to treat this client, and you can see how at odds that would be with Ms. Bier’s overall attitude. There should be no difference with any of our clients.
JR: Next, let’s suppose, as far as we know, that the patient is not recognized. Some if not all professional organizations caution their members about discussing cases in public forums. For example in the NASW Code of Ethics we see: 1.07 Privacy and Confidentiality (i) Social workers should not discuss confidential information in any setting unless privacy can be ensured. Social workers should not discuss confidential information in public or semipublic areas such as hallways, waiting rooms, elevators, and restaurants. Are internet discussion groups the electronic equivalent of hallways, waiting rooms, elevators, and restaurants or other public or semi public areas?
LWG: In my view, they are very similar to those locations. Internet groups may in fact provide the illusion of more privacy than a hallway or restaurant, because the communication is all through words. Listening to people on cell phones has become a daily occurrence. The internet lacks visual or auditory sensory cues directly from the other person at this time. Seeing only words may create the impression that a web post is like writing a letter, and will only be read by the recipient. My view is that sending a message on the internet is like writing a postcard, available to be read by anyone, though addressed to a specific person or people.
JR: Some discussion group owners and moderators recognize the potential dangers and in an effort to minimize risk of identifying the patient insist that the case is presented by a third party often one of the discussion group moderators. The idea is that by making the actual clinician and their location unknown there is little chance of identifying the patient. Assuming that these efforts are successful, that may reduce the risk of liability but does that change the ethical considerations? Do social workers or other clinicians have a responsibility to obtain informed consent from the patient/client prior to disclosing sensitive information about them even if names are removed? Do patients/clients have the right to be appraised of potential consequences, before the disclosure is made?
LWG: As I mentioned above, many social workers are naïve about the confidentiality of information posted on open web sites. Codes of Ethics have not caught up with the reality of internet communication. But I believe that the clinician is still responsible for knowing how any potentially identifiable information will be protected. As the old saying has it “Ignorance of the law is no defense.”
The question of whether patients should be consulted before information about them, even disguised, is shared with others, is part of a major debate among mental health professionals. There are clinicians who believe it is unethical to write about a patient for publication without the patient’s consent, even if the case is terminated. A well-known psychoanalyst, Glen Gabbard, wrote an excellent article taking this point of view. There are clinicians who believe the patient should never be consulted, as it could interfere with the transference the patient needs to maintain, even after a case has terminated. This is the more traditional psychoanalytic point of view. The social work Codes of Ethics are unclear about whether a patient should be consulted before information about them is used in an article or presentation.
The most important thing a clinician can do, in my view, is decide what their own stand is, and stick to it. This would include documenting any disclosures in formal articles or on the internet, and why they were made. The chances of a patient’s privacy being violated are lessened when information is disguised, but not guaranteed.
J.R.: What if efforts to maintain confidentiality are unsuccessful? We know of situations where the third party fails to omit the name or identity of the actual client, through human error and or lack of technological skills Once the clinician identifies the actual patient/client, maintaining privacy becomes a formidable task. In such a case would either the clinician or the third party assume responsibility for disclosing information that leads to compromising patient privacy?
LWG: If you mean when confidentiality is breached in an overt way, such as name or address, I don’t think there is much disagreement in the field that without the patient’s consent, such an event is to be avoided. The responsibility for privacy breaches by third parties ultimately lies with the clinician, in my view. HIPAA acknowledges this by having clinicians disclose information only to other covered entities, or those who have signed a Business Associate Agreement (BAA).
Gabbard makes the case for getting a patient’s consent when writing an article or giving a talk about a patient, and not disguising any information. Specific details make the case more understandable. But for most clinicians, this is still a fairly extreme point of view.
JR: Sometimes there are internet discussions in which professionals not only describe their patient/client, but also family members. At times family members are described in unflattering terms. I have read where family members who may or may not have ever been examined are described as abusers both physically and/or sexually or are described as borderline, passive aggressive and a number of terms that may cause the family member concern. If there is sufficient information to identify the patient, it also means that the family member can be identified also. Can this pose any additional ethical or liability concerns? Specifically, do social workers and other mental health professionals have any responsibility to use care in describing family members of our patients/clients in public forums?
LWG: Technically, I would say we are primarily responsible for the privacy of our patient. In fact, I can imagine a situation where a patient may want to reveal a family member as abusive, out of anger based on conscious or unconscious retaliatory reasons. It is up to us to protect the privacy of the patient’s feelings. If a patient chooses to disclose their feelings about family members publicly, that is their right, not ours. I would say most patients who have experienced abuse have at least some conflict about the experience, and it could be particularly harmful to reveal any information about abusive experiences while the conflict is being discussed in treatment.
JR: Ordinarily when mental health professionals seek advice, consultation or supervision from another professional, there is usually a formal relationship of some kind. The advice giver and advice receiver may be part of the same organization or agency or some type of consultation or supervisory agreement exists which all parties agree to take steps to protect confidentiality etc. On the internet discussion group this type of agreement is difficult to impossible since there may be as many as hundreds of members with a number totally unknown. What responsibilities do mental health professionals have when they seek advice, consultation, or supervision? Is it different when it is in cyberspace as opposed to ordinary space? Do they have a responsibility to know the qualifications of those with whom they seek advice?
LWG: Anyone can seek advice from anyone they choose. Seeking advice from those who are not qualified professionals is likely to lead a clinician to make poor decisions. I think there is a tendency to idealize the level of advice given on listservs for the most part; on the other hand, there is a tendency to malign those who are seen as judgmental or ‘off’ in their advice, so it can go both ways. I’ve seen some wonderful clinical advice on listservs and some that sounds pretty unsound. We as clinicians need to be clear what we are trying to get advice about, what we are conflicted or unsure about in a case, in a face to face supervision situation, or online. I think it can feel like an easy way to not have to look at our own process, and that is not in the best interest of the clinical work, in my view.
JR: Some practitioners who have presented cases on internet discussion groups have defended their decision stating that it is no different presenting a case material at a professional conference or grand rounds at a hospital or in professional journal articles. They see no problem with discussing cases as long as no names are used. Do you think that online discussion groups can be reasonably compared with conferences, grand rounds, and articles?
LWG: I believe grand rounds have an assumption of confidentiality and that the information about patients is not used outside the teaching purpose of grand rounds. Conferences are similar, and I have often heard presenters specifically ask that the presented case not be discussed outside the meeting. There are differences of opinion about articles, due to the reasons I discussed above.
JR: Again, using the NASW Social Work Code of Ethics as an example, it states “Social workers should not disclose identifying information when discussing clients for teaching or training purposes unless the client has consented to disclosure of confidential information.” This would suggest that informed consent is required when presenting case material for training purposes. Do you think that consent should be necessary based on the ethical principle above, whether the medium is a face to face conference, or online?
LWG: As I’ve been saying, I think there is room for disagreement about whether to ask a client for consent for using his or her information in an article or in face to face teaching/supervision. Most disciplines have supervision guidelines that require clinicians in training to disclose this to the patient. This implies that the clinician is being supervised and that the information stays confidential between the supervisee and supervisor. To contrast with online disclosure, I doubt any client would say yes to the question, “Can I use your material for supervision purposes an online discussion on a non-secure website without knowing who will be reading it or where it might be sent, even if I disguise details of your life?”
JR: Many of these online discussions are initiated by private practitioners in part to deal with the isolation of being in solo practice and the difficulty and costs of consultation. We find clinicians working at agencies/clinics and even students going to the Internet for advice. But that means that they often reveal not just information about the client, but the agency, field placement and/or school. If employees or students reveal patient information, can the agency, field instruction center, or the school be held liable for the actions of an employee or student?
LWG: I believe agencies, schools, and supervisors will increasingly be held responsible for unauthorized disclosures of patient information. HIPAA has raised public awareness of the right to privacy, and complaints are more likely to be made if unauthorized disclosure occurs. There will also be more complaints from schools and agencies, who are exposed if their personnel disclose confidential information. Until there are clearer ethical standards in this area, I think it is up to the agencies and schools to set a policy on disclosures by their students or employees. Otherwise, they risk being held responsible as a party to a Violation of Privacy complaint.
JR: Given that more and more consumers (prospective and active patients) are using the Internet to research their therapist or a potential therapist, what might be the ramifications to therapists having discussions about their patients online?
LWG: f a potential patient "googles" a therapist and finds the therapist has discussed their work with other patients online, I think that would give anyone pause with regard to privacy of their information. Again, many therapists are naive about the likelihood that anything discussed on "open" servers has the potential to be sent to hundreds of other servers, and theoretically millions of other people will have access to the information. Of course, the meaning of a patient wanting to learn about a potential or current therapist online, instead of in the face-to-face relationship, should be explored if a relationship develops. But as therapists, we also need to be far more educated about the way information on the Internet is shared. We may be unknowingly engaging in violations of privacy.
J.R: Any other comments?
LWG: There is not a clear "apples to apples" comparison between confidentiality of information in a face-to-face setting and on the Internet. The Internet can be a help for those who do not have access to the kind of consultation they need, but only when the servers are fully secure. Until we have encryption, audit trails and a reasonable assumption of privacy online, it is up to us as clinicians, teachers, and administrators, to educate ourselves about the risk of sending identifiable information online, and the many ways that can happen unintentionally.
Also, there is a debate taking place about the way we use any patient material and responsible clinicians are trying to grapple with what the answers will be.
Many thanks to you, John, for bringing up these issues, and giving clinicians a chance to think about privacy in a whole new way. I appreciate your giving me a chance to offer thoughts on this important area.
Laura Groshong, LICSW, BCD, has a private practice in Seattle where she works with patients who have self-disorders and personality disorders. She is also Legislative Chair for WSSCSW, a Washington Social Work Licensure law, and has consulted on/written Social Work Laws in over 30 other states. She was recently inducted into the National Academies of Practice. She is Government Relations Chair for CSWF (Clinical Social Work Federation)
Return to the Confidentiality Series Site Map