NOTE: The UW Dept. of Bioethics & Humanities is in the process of updating all Ethics in Medicine articles for attentiveness to the issues of equity, diversity, and inclusion.  Please check back soon for updates!


Jessica De Bord, DDS, MSD, MA 

Wylie Burke, MD, PhD, Emeritus Professor, UW Dept. of Bioethics & Humanities

Denise M. Dudzinski, PhD, MTS, Professor and Chair, UW Dept. of Bioethics & Humanities

Core Clerkships: Internal Medicine | Psychiatry | Urology

Related Topics: Physician-Patient Relationship | Clinical Ethics and Law

Topics addressed:

  • Why is confidentiality important?
  • What does the duty of confidentiality require?
  • What if a family member asks how the patient is doing?
  • What other kinds of disclosures are inappropriate?
  • When can confidentiality be breached?
  • A Test for Breach of Confidentiality
  • What are the confidentiality standards regarding adolescents?

Confidentiality is one of the core duties of medical practice. It requires health care providers to keep a patient’s personal health information private unless consent to release the information is provided by the patient.

Why is confidentiality important?

Patients routinely share personal information with health care providers. If the confidentiality of this information were not protected, trust in the physician-patient relationship would be diminished. Patients would be less likely to share sensitive information, which could negatively impact their care.

Creating a trusting environment by respecting patient privacy encourages the patient to seek care and to be as honest as possible during the course of a health care visit. (See also Physician-Patient Relationship.) It may also increase the patient’s willingness to seek care. For conditions that might be stigmatizing, such as reproductive, sexual, public health, and psychiatric health concerns, confidentiality assures that private information will not be disclosed to family or employers without the patient’s consent.

What does the duty of confidentiality require?

The obligation of confidentiality prohibits the health care provider from disclosing information about the patient's case to others without permission and encourages the providers and health care systems to take precautions to ensure that only authorized access occurs. Appropriate care often requires that information about patients be discussed among members of a health care team; all team members have authorized access to confidential information about the patients they care for and assume the duty of protecting that information from others who do not have access. Electronic medical records can pose challenges to confidentiality. In accordance with the Health Information Portability and Accountability Act of 1997 (HIPAA), institutions are required to have policies to protect the privacy of patients’ electronic information, including procedures for computer access and security.

What if a family member asks how the patient is doing?

While there may be cases where the physician feels naturally inclined to share information, such as responding to an inquiring spouse, the requirements for making an exception to confidentiality may not be met. If there is not explicit permission from the patient to share information with a family member, it is generally not ethically justifiable to do so. Except in cases where the spouse is at specific risk of harm directly related to the diagnosis, it remains the patient's (and sometimes local public health officers’), rather than the physician's, obligation to inform the spouse.

What other kinds of disclosures are inappropriate?

Unintended disclosures may occur in a variety of ways. For example, when pressed for time, providers may be tempted to discuss a patient in the elevator or other public place, but maintaining privacy may not be possible in these circumstances. Similarly, extra copies of handouts from teaching conferences that contain identifiable patient information should be removed at the conclusion of the session in order to protect patient privacy. And identifiable patient information should either be encrypted or should not be removed from the security of the health care institution. The patient's right to privacy is violated when lapses of this kind occur.

When can confidentiality be breached?

Overriding concerns can lead to the need to breach confidentiality in certain circumstances.

Exception 1: Concern for the safety of other specific persons

Access to medical information and records by third parties is legally restricted. Yet, at the same time, clinicians have a duty to protect identifiable individuals from any serious, credible threat of harm if they have information that could prevent the harm. The determining factor is whether there is good reason to believe specific individuals (or groups) are placed in serious danger depending on the medical information at hand. An example is homicidal ideation, when the patient shares a specific plan with a physician or psychotherapist to harm a particular individual.

The California Tarasoff case exemplifies the challenges providers face in protecting confidentiality. In that case a graduate student, Prosinjit Podder, disclosed to a counselor affiliated with Berkeley University that he intended to obtain a gun and shoot Tatiana Tarasoff. Dr. Moore, the psychologist, found Podder’s threat credible. Dr. Moore then faced dual obligations: protect Tatiana Tarasoff from harm and protect Mr. Podder’s confidentiality. Dr. Moore sent a letter to campus police about the threat. They spoke to Mr. Podder, told him to stay away from Tatiana, but determined he was not a danger to her. He later stalked, stabbed and killed Tatiana. Tatiana’s parents sued campus police and the university’s health service for failure to warn Tatiana. The lower court refused to hear the case, claiming that Dr. Moore had an obligation to protect Podder’s confidentiality. Tarasoff’s parents appealed and the California Supreme Court ruled that, “the discharge of this duty may require the therapist to take one or more of various steps. Thus, it may call for him to warn the intended victim, to notify the police, or to take whatever steps are reasonably necessary under the circumstances.” (Ref. Tarasoff case).

The implication of this ruling is that a duty to warn third parties of imminent threats trumps a duty to protect patient confidentiality; however, it is usually difficult for a therapist or health care provider to accurately ascertain the seriousness and imminence of a threat. Tarasoff has subsequently been interpreted to endorse the provider’s duty to warn when a patient threatens an identifiable victim. Ethically, most would agree that a duty to warn an innocent victim of imminent harm overrides a duty to confidentiality, but these cases are rare and judgment calls of this sort are highly subjective. Hence, the duty to maintain confidentiality is critical, but may be overridden in rare and specific circumstances.

Exception 2: Legal requirements to report certain conditions or circumstances

State law requires the report of certain communicable/infectious diseases to the public health authorities. In these cases, the duty to protect public health outweighs the duty to maintain a patient's confidence. From a legal perspective, the State has an interest in protecting public health that outweighs individual liberties in certain cases. For example, reportable diseases in Washington State include (but are not limited to): measles, rabies, anthrax, botulism, sexually transmitted diseases, and tuberculosis. Suspected cases of child, dependent adult, and elder abuse are reportable, as are gunshot wounds. Local municipal code and institutional policies can vary regarding what is reportable and standards of evidence required. Stay informed about your state and local policies, as well as institutional policies, governing exceptions to patient confidentiality.

A Test for Breach of Confidentiality

In situations where you believe an ethical or legal exception to confidentiality exists, ask yourself the following question: will lack of this specific patient information put another person or group you can identify at high risk of serious harm? If the answer to this question is no, it is unlikely that an exception to confidentiality is ethically (or legally) warranted. The permissibility of breaching confidentiality depends on the details of each case. If a breach is being contemplated, it is advisable to seek legal advice before disclosure.

What are the confidentiality standards regarding adolescents?

In many states adolescents may seek treatment without the permission of their parents for certain conditions, such as treatment for pregnancy, sexually transmitted infections, mental health concerns, and substance abuse. Familiarize yourself with state and local laws, as well as institutional policies, regarding adolescents and healthcare.


Case 1

Your 36-year-old patient has just tested positive for HIV. He asks that you not inform his wife of the results and claims he is not ready to tell her yet.

What is your role legally? What would you say to your patient?

Case 1 Discussion

Because the patient's wife is at serious risk for being infected with HIV, you have a duty to ensure that she knows of the risk. While public health law requires reporting both your patient and any known sexual partners to local health officers, it is generally advisable to encourage the patient to share this information with his wife on his own, giving him a bit more time if necessary.

Case 2

A 75-year-old woman shows signs of abuse that appear to be inflicted by her husband. As he is her primary caregiver, she feels dependent on him and pleads with you not to say anything to him about it.

How is this case different from Case 1? How would you handle this situation?

Case 2 Discussion

In this case, the doctor may feel conflicted. A vulnerable elderly woman needs protection and may be fearful of her abusive husband. Reporting to Adult Protective Services, required if the physician suspects elder abuse, may also make the patient fear that she will be exposed to further abuse by her enraged husband. The therapeutic alliance with the patient provides a unique opportunity to support the patient’s health and safety. The physician should discuss services that might be available to assist her; encourage the woman to seek help; provide medical care and counseling; and explain the physician’s duty to report. It should also be noted that anyone who suspects elder abuse is required to report it - neighbors, social workers, family members, etc. Whenever the safety of an individual is at stake, confidentiality may be breached and there are usually specific agencies (public health, Child Protective Services, Adult Protective Services) designated for reporting. These agencies then assume responsibility for investigating the reports and taking appropriate steps to ensure the person’s safety.