The Legal Risks of E-mail
Businesses, health care organizations and many health care professionals use e-mail extensively because of its speed, reliability, convenience and low cost. The factors that make the use of e-mail so advantageous can also make it dangerous and pose significant legal risks. Being aware of these risks can decrease your potential liability. In this article four of the major areas of concern will be addressed.
The first area of concern relates to confidentiality. You should be aware that e-mail communications are susceptible to unauthorized access by third parties. Actual breaches of privacy have occurred in the private sector and serve as a warning of problems that could arise in the health care sector. A well publicized incident occurred in Canada and the United States in 1999. This incident involved hackers who accessed the e-mail accounts of 40 million people, including 2.5 million Canadians who subscribed to Microsoft's free Hotmail service. To the embarrassment of Microsoft, information from the accessed accounts including an e-mail message from Microsoft's own president Paul Ballmer were posted on a Web site. 1
Privacy and confidentiality are also important considerations if e-mail is being considered as a method of transferring patient health records or health information. Because the security and confidentiality of e-mail systems are not guaranteed, it is not the recommended method for transmission of health information. If this method of transmission is used, legal writers recommend that any e-mail messages containing confidential health information be encrypted. Additionally, the patient should be informed of the risks of disclosure and presented with alternative methods of communication; if the patient agrees to the transmission of the health information by e-mail, it is prudent to obtain written consent from the patient for the transmission. This requirement for informed consent also appears in some provincial health care legislation. In Alberta, for example, the new Health Information Act (Bill 40) requires that a custodian who "intends to disclose individually identifying diagnostic, treatment and care information about an individual by electronic means must obtain the individual's consent to the disclosure or ensure that the individual's consent has been previously obtained." 2
A second area of concern is the introduction of e-mail messages as evidence in a court of law or other legal proceedings. It is important to realize that e-mail messages are another type of document and, if they are relevant can be subject to disclosure in legal proceedings . Recently, e-mail messages have played an important role in the outcome of a number of high profile American cases and investigations. For example, in the U.S. congressional investigation of the Iran-Contra affair Oliver North's testimony was contradicted by information that was found on e-mail back-up tapes. Mr. North thought that the messages had been deleted and he was unaware that the back-up tapes existed. And, in the Microsoft anti-trust trial, both sides introduced e-mail evidence to further their positions. 3
Like Oliver North, most e-mail users believe that their message will only be seen by the intended recipient; therefore, the contents of the message is frequently more candid than what would normally be sent in a letter. Often the message is written hastily, is unedited and reflects the author's true thoughts. In the course of a lawsuit, evidence of a party's true thoughts can sometimes be detrimental to the defence of their case. This was evident in the Microsoft antitrust trial when the judge and jury tended to believe e-mail messages over paper communications because they were written spontaneously with little thought given to the potential implications that could arise from the messages.
Because the information contained in e-mail messages can come back to haunt you in legal proceedings, you should carefully draft your messages with the expectation that they may be closely scrutinized by lawyers and even a judge and jury sometime in the future. As well, take time to think before sending or responding to e-mail.
The third area of concern relates to waiver of solicitor-client privilege. If a client communicates with a lawyer by e-mail for the purpose of obtaining legal advice, the e-mail messages sent between the lawyer and client are usually protected from disclosure in legal proceedings by solicitor-client privilege. This privilege can be lost, however, if the messages are indiscriminately copied to other parties. For example, if the vice-president of patient care (VP) sends an e-mail message to the hospital's lawyer asking for legal advice about an incident involving patient injury, the lawyer's response back should be protected by solicitor-client privilege. If the VP forwards the lawyer's response to multiple members of the management team or other parties, the privilege that would normally protect the communication from disclosure in a court of law may be lost. Because of this risk, e-mail responses from legal counsel should not be shared with other parties without first discussing with your legal counsel whether dissemination of the information to other parties is appropriate in the circumstances.
The fourth area of concern relates to the employee's privacy rights when using e-mail at work for personal purposes. Many employees believe that such use of e-mail during working hours is a personal matter without any consequences. This is a misconception. There have been cases where using an employer's e-mail system for personal communication, or, including inappropriate language and jokes in e-mail messages, have resulted in disciplinary action by employers and even termination of employment. A case on point involved two employees of Nissan Motor Corporation 4 who were given written warnings for violating a company policy prohibiting the use of the company's computer system for personal use. These employees had used Nissan's e-mail system to send non-business related messages containing inappropriate jokes and language. After protesting against Nissan's conduct, one employee resigned and the other was later terminated. The employees involved then sued Nissan alleging invasion of privacy. The trial court dismissed the lawsuit and concluded that the employees had no reasonable expectation of privacy because they had signed the company's e-mail policy and were aware that the employer had access to the e-mail communications.
To protect the interests of the employees and the employer, employers should have written policies in place that clearly state their expectations and requirements related to the use of e-mail. Otherwise, if the expectations are not communicated to the employees, there is a risk that any disciplinary action taken by the employer for alleged inappropriate use of the e-mail system may be found unjustified in a subsequent wrongful dismissal case or grievance proceedings.
To limit the potential legal risks related to e-mail communications there are proactive risk management steps that can be implemented. Health care organizations should consider: educating staff about electronic data risks; developing policies related to privacy, confidentiality and use of e-communication; developing style guides for business communications; and conducting periodic audits. By taking these precautions the potential legal liability of the health care organization and its health care professionals will be decreased.
Note: This article has been reprinted with permission from Canadian Nurse, March 2001.
All articles appearing in this section are for information purposes only and should not be construed as legal advice. Readers should consult legal counsel for specific advice.
Clause 59 of Alberta's Health Information Act was repealed in 2003 (2003 c23 s3).