MSD Manual


Confidentiality and HIPAA


Thaddeus Mason Pope, JD, PhD, Mitchell Hamline School of Law

Reviewed/Revised Oct 2023

Health care professionals have a duty to take reasonable steps to keep personal medical information confidential consistent with the person's preferences. For example, doctor-patient medical discussions should generally occur in private, and a patient might prefer that the doctor call their cell phone rather than their home. Even well-meaning family members are not necessarily allowed to have information about a loved one's medical condition. (See also Overview of Legal and Ethical Issues in Health Care.)

All people are entitled to confidentiality unless they give permission for disclosure. A federal law called the Health Insurance Portability and Accountability Act (HIPAA) applies to most health care professionals (see U.S. Department of Health and Human Services: For Consumers: Your Rights Under HIPAA). HIPAA regulations include provisions known as the Privacy Rule, which sets detailed rules regarding privacy, access, and disclosure of individually identifiable health information, referred to as protected health information. For example, HIPAA specifies the following:

  • People should normally be able to see and obtain copies of their medical records and request corrections if they find mistakes.

  • Anyone legally authorized to make health care decisions for a person lacking such capacity has the same right of access to the person's personal medical information.

  • Health care professionals should routinely disclose their practices regarding privacy of personal medical information.

  • Health care professionals may share the person’s medical information, but only among themselves as is necessary to provide medical care or for the payment of treatment.

  • Personal medical information may not be disclosed for marketing purposes.

  • Health care professionals should take reasonable precautions to ensure that their communications with the person are confidential.

  • People may file complaints about privacy practices of health care professionals (directly to the health care professional, the privacy compliance officer designated by the institution in compliance with HIPAA, or the Office for Civil Rights in the United States Department of Health and Human Services―see How To File a Complaint with the Office for Civil Rights).

The HIPAA Privacy Rule should not be interpreted to create barriers to normal communications with other health care professionals taking care of a patient, or a patient’s family or friends. The rules permit doctors or other health care professionals to share information that is directly relevant to the involvement of a spouse, family members, friends, or other people identified by a patient. If the patient has the capacity to make health care decisions, the doctor may discuss this information with the family or others present if the patient agrees or, when given the opportunity, does not object. Even when the patient is not present or it is not practical to ask the patient’s permission because of emergency or incapacity, a doctor may share this information with family members or friends when, in exercising professional judgment, the doctor determines that doing so would be in the best interest of the patient.

Health care professionals are sometimes required by law to disclose certain information, usually because the condition may present a danger to others. HIPAA permits such disclosures. For example, certain infectious diseases, such as COVID-19, human immunodeficiency virus (HIV) infection, syphilis, and tuberculosis, must be reported to state or local public health agencies. Health care professionals who notice medical signs of child, adult, or elder mistreatment, abuse, or neglect normally must report such information to protective services. In some states, conditions that might seriously impair a person’s ability to drive, such as dementia or recent seizures, must be reported to the Department of Motor Vehicles. Health care professionals are also permitted to disclose information to health information exchanges and public health agencies for public health purposes during events such as the COVID-19 pandemic.
