As more health care data are stored and transmitted electronically, the risk of "inadvertent disclosure and intentional misappropriation"—legal talk for mess-ups and theft—has substantially increased, according to David Wolowitz, a senior litigation attorney in Portsmouth, N.H.

"I can never talk to a group of health care professionals without scaring the hell out of them!," he said in March at the Dartmouth-Hitchcock Medical Center in Lebanon, N.H. The occasion was a conference on the ethical and legal problems therapists face as they use the latest technology to transmit or store patient information.

So what are some of the things that can go wrong here?

The technology most subject to litigation regarding disclosure of confidential information is faxing, reported Wolowitz, who works for the law firm McLane, Graf, Raulerson, & Middleton, P.A.

Secretaries may simply push the wrong buttons and send material to the wrong addresses. There have been instances of legal secretaries inadvertently faxing legal material to the opposing parties. Lawyers and health care professionals can be held legally responsible for such snafus.

Computerized medical records can also get therapists into ethical and legal trouble, Wolowitz pointed out. There was a case of a teenager who pirated information from a computer in the hospital where her mother worked. The teen called some of the patients and lied to them, saying that they had medical conditions, such as being HIV positive. As a result of the teen’s prank, some patients were seriously traumatized psychologically, the teen was prosecuted as an adult, her mother lost her job, and the hospital came close to losing its license.

E-mail is yet another technological wonder that can get clinicians into hot ethical and legal soup, said Jerry Finn, Ph.D., a professor of social work at the University of New Hampshire in Durham and the other conference speaker. Finn has also served as a consultant to human service agencies on computer-database and Web-site development. He pointed out that messages can be read by anyone who has access to the practitioner’s computer and can be intercepted in transit by computer hackers. As with the fax machine, it is easy to send messages to the wrong party.

With online therapy (one form of telemedicine), which is just getting established, therapists face still more ethical and legal issues, Finn divulged—issues that have yet to be fully addressed by professional codes of ethics and the courts.

The therapist needs to verify that the person online is really the individual he or she claims to be, and doing so is not easy, Finn said.

Another consideration is the patient’s location—not in terms of where the patient lives but where the patient actually is when the therapist provides information to him or her, Finn stressed. Even when that issue is settled, however, there is the problem that therapists are allowed to provide treatment only in states where they are licensed. Having to be licensed in every state to provide treatment over the Internet would be a nightmare, Finn exclaimed, yet California has already legislated that anyone providing online therapy to a California resident must be licensed in California. A few states, however, now have laws that permit telemedicine practice.

In short, there are a lot of "ifs" and "buts" about the geography of therapy. "I don’t know that it is a high-risk area [currently], but it is one to keep on your radar screen," Wolowitz advised.

Finn agreed: "We are entering an information age in which geography and the delivery of health and human services need no longer be linked."

A third ethical-legal challenge of online therapy is: Does it work? There is anecdotal evidence that it helps some people—say, individuals who would be afraid to interact with a therapist on a face-to face basis. Yet when therapists treat patients online, Finn said, they cannot use certain cues deployed in face-to-face therapy and may be missing certain cues from patients, such as "the smell of the breath of a substance-abuse client."

In contrast, he pointed out, future fiber-optic networks will promote the merger of television, telephone, and computers in an interactive system allowing two-way, real-time video and audio transmission, and then therapists and patients will be able, while online, to provide each other with spoken words, visual cues, and sound cues. So whether online therapy is currently effective or not, it may well become so soon. Online therapy "is evolving so quickly it is hard to keep on top of it," Wolowitz admitted.

Still a fourth ethical-legal dilemma of online therapy can be posed by practice standards. Psychiatrists and mental health professionals are expected to have expertise in their area of practice, Finn pointed out, yet there are no expert online practitioners because no one has been doing it long enough to be an authority.

Then there is the challenge of being available to online patients in an emergency, said Finn. Assisting a patient in an emergency from four states away poses its own challenges.

Although the challenges posed by the new communications technology can be daunting, therapists can employ certain strategies to minimize the ethical and legal risks while transmitting or storing patient information.

When faxing, said Wolowitz, therapists should attach a cover sheet with a warning stating that the information is confidential. Further, a call by the sender to the recipient should precede each transmission to make sure that the recipient is expecting the information and to confirm the accuracy of the fax number. The recipient should then be instructed to call the sender upon receipt to confirm receipt of the information. Any instance in which information is transmitted and not received should be investigated right away.

Other things can be done to help safeguard the integrity of computerized medical records, Wolowitz said. For instance, therapists should never change computerized records, but only add to them. Say, if the therapist enters the wrong date in a record before clicking on "save," it is all right to correct it. But after a document has been saved, the therapist should add the correction, not replace the original date. The therapist also should insist that employees who have access to computerized medical records use passwords.

A member of the audience at the conference said that he had the impression that standards for computerized medical records are stricter than for paper ones. Wolowitz replied that the risks with computer information gathering, storing, and transmitting are so much greater that "we have to have a higher standard of care."

While both portable and cell phones can pose risks to patient privacy, these are easily manageable, Wolowitz said. The transmissions from both types of phones can be intercepted, so it is wise to avoid discussing or transmitting patient information on portable or cell phones.

Wolowitz also had some comments to make about e-mail. When he asked audience members whether they had received e-mail from patients, most indicated that they had. But when he asked how many had kept those e-mails, most said that they had not. That is bad practice, he chastised them; therapists should keep such correspondence to protect themselves.

One clinician, however, earned Wolowitz’s praise. He reported that some patients were sending him e-mail although he had told them in his informed-consent forms that he would not deal with their problems via e-mail. Wolowitz told him that he was doing the right thing: "You set a boundary; they are ignoring it."

As for online therapy, Wolowitz likewise had some recommendations. Mental health professionals who engage in it should demonstrate good-faith efforts to identify their patients via home address, telephone, Social Security number, or some other manner. Those therapists who engage in it should also become familiar with the licensing practices of any states in which they have remote contact with patients since penalties for unlicensed practice can be severe.

And last but not least, Wolowitz cautioned, therapists should protect patient information from former employees. For instance, when an employee resigns, the therapist should change passwords to computerized medical records and to e-mail. Sound excessive? Perhaps. But Wolowitz was involved in a case where a disgruntled former employee came back and wiped out patient files for revenge!