Confidentiality and HIPAA

By Charles Sabatino, JD, Adjunct Professor, Georgetown University Law Center; Director, Commission on Law and Aging, American Bar Association

Health care practitioners have a duty to take reasonable steps to keep personal medical information confidential consistent with the person's preferences. For example, doctor-patient medical discussions should generally occur in private and a patient might prefer that the doctor call their cell phone rather than home. Even well-meaning family members are not necessarily allowed to have information about a loved one's medical condition.

All people are entitled to confidentiality unless they give permission for disclosure or they clearly can no longer express a preference (for example, if they are severely confused or comatose). A federal law called the Health Insurance Portability and Accountability Act (HIPAA) applies to most health care practitioners, and its implementing regulation, known as the Privacy Rule, sets detailed rules regarding privacy, access, and disclosure of information. For example, HIPAA specifies the following:

  • People should normally be able to see and obtain copies of their medical records and request corrections if they find mistakes.

  • Anyone legally authorized to make health care decisions for a person lacking such capacity has the same right of access to the person's personal medical information.

  • Health care practitioners should routinely disclose their practices regarding privacy of personal medical information.

  • Health care practitioners may share the person’s medical information with other practitioners involved in the person’s care, but only as much as is necessary to provide that care.

  • Personal medical information may not be disclosed for marketing purposes.

  • Health care practitioners should take reasonable precautions to ensure that their communications with the person are confidential.

  • People may file complaints about the privacy practices of health care practitioners, either directly with the practitioner or with the Office for Civil Rights in the United States Department of Health and Human Services (see How To File a Complaint with the Office for Civil Rights).

The HIPAA Privacy Rule should not be read to create barriers to normal communications with a patient’s family or friends. The rules permit doctors or other health care practitioners to share information that is directly relevant to the involvement of a spouse, family members, friends, or other people identified by a patient. If the patient has the capacity to make health care decisions, the doctor may discuss this information with the family or others present if the patient agrees or, when given the opportunity, does not object. Even when the patient is not present or it is not practical to ask the patient’s permission because of emergency or incapacity, a doctor may share this information with family members or friends when, in exercising professional judgment, the doctor determines that doing so would be in the best interest of the patient.

Health care practitioners are sometimes required by law to disclose certain information, usually because the condition may present a danger to others. For example, certain infectious diseases, such as human immunodeficiency virus (HIV) infection, syphilis, and tuberculosis, must be reported to state or local public health agencies. Health care practitioners who notice medical signs of child, adult, or elder mistreatment, abuse, or neglect normally must report such information to protective services. Conditions that might seriously impair a person’s ability to drive, such as dementia or recent seizures, must be reported to the Department of Motor Vehicles in some states.