
Maintaining confidentiality is critical to patient trust, but there are common situations when the law permits or even requires the sharing of patient information.

Fam Pract Manag. 2025;32(2):25-31

This content conforms to AAFP criteria for CME.

Author disclosures: no relevant financial relationships.

The HIPAA Privacy Rule protects patients' health information by determining who can access it and how it can be used. While exceptions to the confidentiality rule exist, they are commonly buried in dense legal readings and minimized or excluded from HIPAA training.

The Hippocratic Oath captures the default position that our patients can trust us to keep their personal information private: “whatsoever I shall see or hear in the course of my profession … I will never divulge, holding such things to be holy secrets.” Yet the Hippocratic tradition combined with a cursory understanding of HIPAA can create unrealistic expectations about confidentiality for both clinicians and patients.

Physicians face situations every day in which patient information may need to be shared, but they (and their teams) may not understand when the law permits sharing, or even requires it. Although many of the exceptions to confidentiality are likely detailed in the paperwork patients sign as part of their consent to treatment, physicians may have an ethical duty in certain situations to personally educate patients before they disclose information that may be shared.

This article does not provide legal advice, because every situation is unique. Rather, it offers five categories of exceptions to patient confidentiality (discussed and summarized below) so that family physicians have a structured approach for appropriately disclosing information.

KEY POINTS

  • While it's important to maintain patient confidentiality, there are five types of exceptions where the law permits or even requires the sharing of patient information.

  • Exceptions include public health risks such as reporting infectious diseases or suspected abuse, decision-maker requirements involving pediatric patients, third-party interests, administrative and operational disclosures, and rare but important exceptions such as duty to warn or protect.

  • Even when you can legally share patient information, it may be wise to inform patients so they are not surprised by an unwanted disclosure.

SUMMARY OF THE FIVE EXCEPTIONS TO CONFIDENTIALITY

Category: Public health risks and mandatory reports
  • Infectious and other diseases
  • Suspected abuse of vulnerable populations

Category: Decision-maker required
  • Pediatric exceptions
  • Substitute judgment due to an adult patient's lack of capacity

Category: Third-party interests
  • Department of Transportation
  • Workers' compensation
  • Sports team physicians
  • Immigration physicals
  • Government functions

Category: Administrative and operational disclosures
  • Insurance
  • Regulatory agencies
  • Members of the health care team
  • Family Educational Rights and Privacy Act
  • Family member and caregiver allowances
  • Research and quality improvement
  • Health care professional exposures
  • Disaster relief efforts
  • Death investigations
  • Unintentional disclosures

Category: Rare but important exceptions
  • Duty to warn/protect
  • Court orders

PUBLIC HEALTH RISKS AND MANDATORY REPORTS

Statutory laws require the disclosure of patient information in the interest of protecting public health and vulnerable populations.

Infectious and other diseases. Specific infectious diseases, bioterrorism agents, foodborne outbreaks, and certain non-infectious diseases (e.g., lead poisoning at 5 μg/dL or greater) can all pose public health risks and must be reported to state health officials.1,2 State health departments determine these standards and can implement additional guidelines outlined by the Centers for Disease Control and Prevention (CDC) for contact tracing and disease surveillance.2 (See an example of one state's reportable infections below.)

Suspected abuse of vulnerable populations. All 50 states require clinicians to report suspicion of child abuse or neglect to state authorities.3 Most states also require clinicians to submit vulnerable adult reports to state officials.3 For state-specific information, view the American Bar Association's summary of “Adult Protective Services Reporting Laws” or visit your state's child or adult protective services website.

EXAMPLES OF REPORTABLE INFECTIONS BY STATE (MINNESOTA)

Report immediately1

Anthrax, Botulism, Brucellosis, Cholera, Diphtheria, Free-living amebic infections (e.g., Naegleria fowleri), Glanders (Burkholderia mallei), Hemolytic uremic syndrome, Measles, Melioidosis (Burkholderia pseudomallei), Meningococcal disease (Neisseria meningitidis), Middle East respiratory syndrome (MERS), Orthopox virus (including mpox), Plague, Poliomyelitis, Q fever, Rabies (includes suspected cases), Rubella and congenital rubella syndrome, Severe acute respiratory syndrome (SARS), Smallpox, Tularemia, Unusual or increased incidence of any suspect infectious illness, Viral hemorrhagic fever

Report within one working day1

Anaplasmosis, Arboviral disease, Babesiosis, Blastomycosis, Blue-green algae, Campylobacteriosis, Candida auris, Capnocytophaga canimorsus, Carbapenem-resistant Acinetobacter baumannii, Carbapenem-resistant Enterobacterales, Carbapenemase-producing carbapenem-resistant Pseudomonas aeruginosa, Cat scratch disease, Chancroid, Chikungunya disease, Chlamydia trachomatis infections, Coccidioidomycosis, COVID-19, Cronobacter sakazakii in infants, Cryptosporidiosis, Cyclosporiasis, Cytomegalovirus, Dengue virus infection, Ehrlichiosis, Encephalitis (viral), Enteric E. coli infection, Giardiasis, Gonorrhea, Haemophilus influenzae disease, Hantavirus infection, Hard tick relapsing fever, Hepatitis (all primary viral types), Histoplasmosis, HIV, Influenza, Kawasaki disease, Kingella spp. (invasive), Legionellosis, Leprosy, Leptospirosis, Listeriosis, Lyme disease, Malaria, Meningitis (viral), Mumps, Neonatal sepsis, Pertussis, Psittacosis, Rat-bite fever, Salmonellosis, Shigellosis, Spotted fever rickettsiosis, Staphylococcus aureus, Streptococcal disease (group A, group B, and S. pneumoniae), Syphilis, Tetanus, Toxic shock syndrome, Toxoplasmosis, Transmissible spongiform encephalopathy, Trichinosis, Tuberculosis (excludes latent), Typhus, Unexplained deaths and critical illness (suspected infectious), Varicella, Vibrio spp., Yellow fever, Yersiniosis, Zika virus disease, Zoster

DECISION-MAKER REQUIRED

When patients cannot make medical decisions on their own behalf, physicians may disclose patient information to a substitute decision-maker.4

Pediatric exceptions. Generally, patients under 18 are considered minors, although this can vary by state.5 Under HIPAA, parents or guardians of minors are considered their “personal representatives”6 and have the right to make decisions on their behalf and access their health care information. But HIPAA also includes some protections for minors and gives deference to state or other laws. Exceptions under HIPAA include instances when pediatric patients seek confidential services (e.g., family planning services or mental health treatment),5 are designated as legal adults due to emancipation,6 or have a parent who may pose a danger to them.6 (See the table.) Conversely, clinicians may use their professional judgment to disclose confidential information to parents when they feel it is necessary for the health or safety of the child, such as if the patient may be a threat to self. Because pediatric disclosure policies vary by state7,8 and are often case-specific, a thorough exploration of pediatric confidentiality exceeds the scope of this article.

Substitute judgment due to an adult patient's lack of capacity. Informed consent requires full disclosure, capacity, and voluntariness. When the “capacity” element is missing, the patient may require a surrogate decision-maker. Capacity means the patient understands and appreciates the risks and benefits of an intervention to the level of the community standard and can therefore make decisions about their own care.9 This standard is determined by what clinicians generally accept as sufficient in similar circumstances. In order for the surrogate to determine what the patient would have wanted, clinicians must disclose the relevant health information. This is not a blanket disclosure but a limited disclosure of only the necessary information.

PEDIATRIC CONFIDENTIALITY: WHEN NOT TO DISCLOSE INFORMATION TO PARENTS

While parents are considered “personal representatives” and have the right to make decisions on their child's behalf and access their health care information, HIPAA provides certain protections for minors, as outlined below. However, HIPAA does give deference to state and other laws on this matter. For state-specific information,7,8 consult the Guttmacher Institute's review of state laws.

Category: Confidential services
  • Sexual health
  • Pregnancy
  • Substance use
  • Mental health

Category: Legal adult
  • Emancipated minors (not always requiring court approval) as defined by states, often fulfilling criteria such as:
    Living independently from parents and managing their own finances
    Being legally married
    Serving in the military

Category: Danger to child
  • A parent is no longer considered the patient's representative if there is suspected violence, abuse, or neglect on behalf of the parent to the child
  • Disclosure of patient information would put the child in danger

THIRD-PARTY INTERESTS

When a clinician sees a patient on behalf of a third party (e.g., U.S. Department of Transportation), the clinician may disclose a patient's health information to that party. These cases are unique in that clinicians serve an additional interest beyond the patient's best interest. To fulfill their responsibility to the third party, clinicians often must complete certain requirements or fulfill specific requests, including disclosing patients' health information limited to legitimate interests.

Department of Transportation (DOT). Under federal DOT regulations, medical assessments for commercial vehicle drivers must be performed by Certified Medical Examiners who report to the Federal Motor Carrier Safety Administration.10 Additionally, drug and alcohol testing may be performed by Certified Medical Review Officers11 who report to the employer and DOT if drivers “likely pose a significant safety risk” when performing their responsibilities.12,13 Such disclosures do not require patient consent.12 A similar arrangement exists for the Federal Aviation Administration.

Workers' compensation. Subject to state and local laws, HIPAA allows clinicians to disclose patient information to employers, workers' compensation insurers, or other authorized third parties in evaluations of workplace injuries.14 Unlike DOT evaluations, workers' compensation evaluations do not typically involve clinicians being retained by a third party and require no special certification. As such, workers' compensation evaluations are usually done in the course of regular clinical practice. Clinicians should carefully negotiate the agenda with patients at the outset of visits involving workers' compensation evaluations to ensure that they discuss only health information germane to the work-related injury.

Sports team physicians. Physicians often serve as volunteers in the locker room or on the sidelines for high school and college sports teams. Whether compensated or uncompensated, volunteers covering amateur sports should make it clear to players that, as the “team physician,” they are primarily responsible to the team. Team physicians are expected, but not legally bound, to disclose to the coaching staff information relevant to a player's ability to safely and effectively participate (e.g., concussion history). Notably, team physicians can keep confidential all health information not relevant to a player's ability to play (e.g., mental health history). The legal standard is different for physicians who treat professional athletes. When a team physician provides medical services to a paid professional athlete at the request of the athlete's employer (e.g., their team), the information the clinician obtains is legally categorized as an employment record, rather than patient information, and HIPAA does not apply.15,16

Immigration physicals. Medical examinations required as part of the immigration process must be conducted by a clinician certified as a “civil surgeon” by the Department of Homeland Security (DHS).17 To become a civil surgeon, clinicians must have a medical degree (MD or DO), a current medical license, and at least four years of clinical practice experience following an accredited residency. During immigration physicals, civil surgeons are legally required to follow the examination guidelines outlined by DHS, refer patients elsewhere for any health-related needs beyond the scope of the exam, and fully disclose all information obtained in the visit to DHS.18,19 In turn, DHS may share patient information with authorized government or law enforcement personnel.19

Government functions, including military exams and correctional facility care. Clinicians performing medical examinations for active military members must disclose patient information about medical suitability for military employment or for activities their command deems necessary for the execution of specific military functions or missions.14 Clinicians providing medical care to an incarcerated person may disclose patient information to the correctional facility or designated law enforcement official if necessary for the patient's health and safety or for coordinating care at the facility. Clinicians may also disclose patient information without patient consent if necessary to protect the safety of staff or others at the correctional facility.14

ADMINISTRATIVE AND OPERATIONAL DISCLOSURES

Practices may disclose patient information without the patient's knowledge or consent for several other common administrative and operational reasons. Some of these are exceptions to confidentiality, while others are simply instances that may surprise patients.

Insurance (including Medicare and Medicaid). HIPAA permits disclosure of patient information for payment and insurance policy processes.6,20 This includes notifying insurance companies to assess coverage options and coordinating with internal billing departments. If a patient is not the insurance policyholder, the policyholder may receive a bill and an explanation of benefits (EOB), which includes protected health information such as a description of the health care services provided, and HIPAA permits this even in the absence of specific authorization from the patient.21 Additionally, Medicare and Medicaid may exchange patient information to identify candidates that qualify for both programs.22

Regulatory agencies. The Occupational Health and Safety Administration (OSHA), the Joint Commission on Accreditation of Hospitals (JCAHO), and other regulatory agencies can have access to patients' information during investigations, audits, and accreditation procedures.6,14

Members of the health care team. HIPAA permits sharing information with other clinicians and staff, even outside your organization, for purposes of coordinating care (e.g., lab work or referrals).6,20 This permission applies only to individuals involved with a specific patient's care. Some states have more restrictive laws requiring patient consent. Such consent is typically obtained upon initial registration via a general consent form. However, because clinics cannot practically confirm who is a member of the patient's care team, it is common to have patients sign specific releases of information (ROI) when clinicians share information with anyone beyond what a reasonable patient would expect.

Family Educational Rights and Privacy Act (FERPA). FERPA applies to all federally funded schools and serves to protect the privacy of student information, including student health information.23 Like the above HIPAA exception for members of the health care team, FERPA allows patients' health care teams and FERPA-covered health care professionals (e.g., school nurses) to share patients' health information for the purposes of coordinating care.23

Family member and caregiver allowances. HIPAA specifically permits some activities that share necessary information under the umbrella of “common practices in patients' best interests,”4 such as caregivers picking up filled prescriptions, medical supplies, x-rays, or other health-related items. Pharmacists regularly dispense medications to family members or caregivers under the presumption of patient consent.24

Research and quality improvement. A detailed examination of patient information disclosure in research and quality activities exceeds the scope of this paper. However, patients and clinicians should be aware that their health information may be disclosed for research purposes as federally regulated and subsequently adjudicated by the Institutional Review Board.14 HIPAA also allows patients' health information to be shared with internal and external parties for quality improvement analyses.6,20

Health care professional exposures. Under the Ryan White HIV/AIDS Treatment Extension Act of 2009, health care employees involved in the emergent care of an individual must be notified of exposures to potentially life-threatening infectious diseases.25 In 2020, this law was expanded to include COVID-19.25

Disaster relief efforts. Patient information may be shared between disaster relief organizations and covered entities (e.g., FEMA — the Federal Emergency Management Agency) for the purposes of assisting in disaster relief efforts, such as coordinating care or reporting.4

Death. HIPAA applies to a patient's information for 50 years post-death.6 However, clinicians may share patient information with coroners, medical examiners, funeral directors, law enforcement (if foul play is suspected), and public health officials (for infectious disease and vital event monitoring).14 Additionally, patient information may be shared with and monitored by organ procurement organizations and other entities involved in an organ donation and transplantation process.14

Unintentional disclosures. Clinicians must take reasonable precautions to avoid unintentional disclosures of patient information. This includes not discussing patient information in shared settings, such as elevators, hallways, or social gatherings. As mentioned previously, other health care providers within your organization are not automatically part of a patient's health care team and should not be privy to extraneous patient information. Although clinicians and health care entities must reasonably ensure compliance with HIPAA, unintentional disclosures can happen. Databases can be hacked, documents can be shared with the wrong clinician, one patient's information can be mixed up with another's, and people can overhear conversations even when reasonable efforts are made to maintain confidentiality. Patients must be notified of such disclosures if they meet HIPAA's definition of a breach.26 However, breaches exclude unintentional disclosures of protected health information by a health care worker acting in good faith when the information is not further used or disclosed.26

RARE BUT IMPORTANT EXCEPTIONS

Once in a career, a clinician may encounter a confidentiality exception requiring urgent attention. Knowing when and what to disclose before these situations arise can be helpful.

Duty to warn/protect. The 1976 Tarasoff case in California set a national precedent through case law. The case established that psychologists have a duty to warn individuals about potentially imminent danger, but it is generally accepted that this duty applies to clinicians more broadly. HIPAA permits clinicians to disclose patient information to prevent imminent danger to others.14,27 Some states require disclosing imminent dangers posed to potential victims, while other states permit (but do not require) such reporting, and a few states declare no duty on behalf of a clinician to warn others. For state-specific information, see the National Conference of the State Legislatures' map. A more common occurrence of upholding the safety of others involves reporting at-risk drivers. (For more on this, see “Safe Driving for Patients With Dementia: Tips for Better Discussions at Every Stage.”) In some states, physicians are mandated to report at-risk drivers to motor vehicle authorities, whereas other states permit (but do not require) the disclosure of such information.28

Court orders. Although uncommon, clinicians may share specific patient information as outlined in a court order if authorized by court or administrative tribunal authorities.14 Given the infrequency and unique nature of responding to a court order, physicians should consult their administrative colleagues, legal teams, or malpractice carriers in such situations.

KEEPING PATIENTS INFORMED

Maintaining patient confidentiality is a cornerstone of effective clinical care. We should strive to never surprise our patients with an unwanted disclosure of their information, although this is not always feasible. Up-front communication about expectations and exceptions to confidentiality can strengthen patients' trust in our ability to keep their secrets. Becoming comfortable with common exceptions can strengthen our ability to recognize them at the point of care and identify when it would be wise to clearly document our justification for disclosure and inform patients.


Copyright © 2025 by the American Academy of Family Physicians.
