Protecting Patient Confidentiality: A Legal and Ethical Obligation

Trust is a fundamental element of the provider–patient relationship, and building trust helps ensure that patients disclose accurate and thorough health information to doctors, nurses, and other healthcare personnel. In turn, healthcare providers and staff members have an ethical and legal responsibility to protect patient confidentiality and prevent unauthorized disclosure of patients’ protected health information (PHI).


Both state and federal laws address patient confidentiality and release of health information. Some state laws are more specific than federal laws about certain aspects of confidentiality, such as the definition of an emancipated minor or information pertaining to the treatment of mental illness. Providers and staff members should understand these legal requirements and their role in upholding them.

Additionally, providers and staff members should be aware of important exceptions to confidentiality protections, such as the duty to protect the patient from self-harm, the duty to warn a named individual about threats of harm from the patient, and obligations related to state-required infectious disease or incident reporting (e.g., reporting gunshot and knife wounds or suspected abuse).

Developing written policies and procedures that define legal and ethical standards for confidentiality can help educate providers and staff members, guard against unauthorized use or disclosure of patients' PHI, and reinforce an organizational commitment to protecting patients. Some of the areas that confidentiality policies should address include:

  • The definition of confidentiality.
  • A synopsis of applicable state and federal laws, including any specific requirements for certain health conditions (such as mental illnesses or HIV/AIDS).
  • Requirements for the release of health records, including who can consent to records release and required information for the written authorization of records release.
  • The process for handling subpoena and court order requests for records.
  • Confidentiality exceptions, such as required reporting to state/local authorities and the duty to warn. The policy should specify the individual who has authority to make decisions about exceptions.
  • Researcher access to health information, if applicable.
  • The definition of a business associate as defined by the HIPAA Privacy Rule, and requirements for executing business associate agreements or contracts.
  • Confidentiality requirements for electronic transfer of PHI via email, network system, fax, telephone, voicemail/answering machine, text, and other forms of electronic communication.
  • Information about implied consent (i.e., the assumption of consent based on a patient’s actions or conduct rather than direct communication). The concept of implied consent and any related requirements may evolve over time as federal and state laws change, so healthcare organizations should periodically review their policies to ensure compliance. When in doubt about the correct policy to follow, it is prudent to obtain a signed patient consent for release of information.
  • Situations that constitute a breach of confidentiality and requirements for providing notification of a breach.
  • Disciplinary actions and consequences related to unauthorized disclosure of PHI, including the potential for dismissal.

All healthcare providers and staff members should be required to read and sign their organization's confidentiality policies annually as a condition of employment. Further, they should receive periodic training regarding these policies to reinforce the importance of confidentiality.

For more information about confidentiality and disclosure of PHI, see MedPro’s Health Records Release guideline, Risk Q&A: Duty to Warn, and Risk Resources: HIPAA.
