When can patient confidentiality be broken?

by James Keogh

Patient confidentiality can be broken only when the patient provides a valid HIPAA authorization, or when a disclosure of protected health information is permitted or required by the HIPAA Privacy Rule or other applicable law. The permitted and required disclosures include disclosures for treatment, payment, and health care operations; disclosures to the individual; and limited public interest disclosures, such as reporting required by law, public health reporting, abuse or neglect reporting, health oversight activities, certain judicial and administrative proceedings, limited law enforcement purposes, and disclosures to prevent or lessen a serious and imminent threat to health or safety.

Under the HIPAA Privacy Rule, a HIPAA Covered Entity may use or disclose protected health information without patient authorization for treatment, payment, and health care operations, provided the use or disclosure fits within one of those purposes and the entity applies the privacy protections the Rule requires. These uses and disclosures remain subject to workforce role controls and the HIPAA Minimum Necessary Rule, except where the HIPAA Privacy Rule does not apply the minimum necessary standard, such as disclosures for treatment.

Patient confidentiality can be broken when disclosure is required by law. Examples include legally mandated reports to government agencies, court orders that meet HIPAA Privacy Rule conditions, and other disclosures that a statute or regulation compels. When a disclosure is required by law, the disclosure should be limited to the scope required by that law and documented according to organizational policy.


Patient confidentiality can be broken for public health activities. Covered entities may disclose protected health information to public health authorities legally authorized to receive reports for preventing or controlling disease, injury, or disability, and for related activities such as reporting vital events and conducting public health surveillance and investigations. Disclosures may also occur to persons or entities involved in public health interventions when the HIPAA Privacy Rule conditions are met.

Patient confidentiality can be broken for reports of abuse, neglect, or domestic violence to a government authority authorized by law to receive such reports, subject to the HIPAA Privacy Rule conditions and any required patient notifications or safety exceptions. Similar reporting pathways exist for certain oversight functions, including audits, investigations, inspections, licensure, and other health oversight activities conducted by government agencies.

Patient confidentiality can be broken for certain judicial and administrative proceedings and for certain law enforcement purposes, but the HIPAA Privacy Rule places conditions on these disclosures. Depending on the circumstance, the disclosure may require a court order, a subpoena with satisfactory assurances, or a law enforcement request that meets specific HIPAA Privacy Rule criteria.

Patient confidentiality can be broken in situations involving decedents and specialized functions. The HIPAA Privacy Rule permits disclosures to coroners and medical examiners for identification and determination of cause of death, and to funeral directors as necessary to carry out their duties. The HIPAA Privacy Rule also permits disclosures for cadaveric organ, eye, and tissue donation and transplantation purposes.

Patient confidentiality can be broken to avert a serious and imminent threat to health or safety when the disclosure is consistent with applicable law and ethical standards and is made to a person or persons reasonably able to prevent or lessen the threat, including a target of the threat when appropriate. These disclosures are fact specific and require staff to follow organizational procedures for assessment, escalation, and documentation.

Patient confidentiality can be broken by sharing information with a family member, caregiver, or other person involved in the individual’s care or payment for care when the patient agrees, has an opportunity to object and does not object, or when the covered entity reasonably infers agreement from the circumstances. In emergencies or when the individual is incapacitated, a covered entity may disclose information that is directly relevant to the person’s involvement in care when the covered entity determines the disclosure is in the individual’s best interests.

Other confidentiality restrictions may apply in addition to HIPAA, including state privacy laws, professional licensing rules, and federal substance use disorder confidentiality requirements for certain records. When multiple rules apply to the same information, the organization must follow whichever requirement places the tighter restriction on disclosure.

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter at https://x.com/JamesKeoghHIPAA and contact James on LinkedIn at https://www.linkedin.com/in/james-keogh-89023681 or by email.