Health care practitioners have a duty to take reasonable steps to keep personal medical information confidential consistent with the person's preferences. For example, doctor-patient medical discussions should generally occur in private and a patient might prefer that the doctor call their cell phone rather than home. Even well-meaning family members are not necessarily allowed to have information about a loved one's medical condition. (See also Overview of Legal and Ethical Issues in Health Care.)
All people are entitled to confidentiality unless they give permission for disclosure. A federal law called the Health Insurance Portability and Accountability Act (HIPAA―Health Information Privacy) applies to most health care practitioners and its regulation, known as the Privacy Rule, sets detailed rules regarding privacy, access, and disclosure of individually identifiable health information, referred to as protected health information. For example, HIPAA specifies the following:
- People should normally be able to see and obtain copies of their medical records and request corrections if they find mistakes.
- Anyone legally authorized to make health care decisions for a person lacking such capacity has the same right of access to the person's personal medical information.
- Health care practitioners should routinely disclose their practices regarding privacy of personal medical information.
- Health care practitioners may share the person’s medical information, but only among themselves as is necessary to provide medical care or for the payment of treatment.
- Personal medical information may not be disclosed for marketing purposes.
- Health care practitioners should take reasonable precautions to ensure that their communications with the person are confidential.
- People may file complaints about privacy practices of health care practitioners (directly to the health care practitioner, the privacy compliance officer designated by the institution in compliance with HIPAA, or the Office for Civil Rights in the United States Department of Health and Human Services―see How To File a Complaint with the Office for Civil Rights).
The HIPAA Privacy Rule should not be read to create barriers to normal communications with other health care professionals taking care of a patient, or a patient’s family or friends. The rules permit doctors or other health care practitioners to share information that is directly relevant to the involvement of a spouse, family members, friends, or other people identified by a patient. If the patient has the capacity to make health care decisions, the doctor may discuss this information with the family or others present if the patient agrees or, when given the opportunity, does not object. Even when the patient is not present or it is not practical to ask the patient’s permission because of emergency or incapacity, a doctor may share this information with family members or friends when, in exercising professional judgment, the doctor determines that doing so would be in the best interest of the patient.
Health care practitioners are sometimes required by law to disclose certain information, usually because the condition may present a danger to others. For example, certain infectious diseases, such as COVID-19, human immunodeficiency virus (HIV) infection, syphilis, and tuberculosis, must be reported to state or local public health agencies. Health care practitioners who notice medical signs of child, adult, or elder mistreatment, abuse, or neglect normally must report such information to protective services. Conditions that might seriously impair a person’s ability to drive, such as dementia or recent seizures, must be reported to the Department of Motor Vehicles in some states. Health care practitioners are also permitted to disclose information to health information exchanges and public health agencies for public health purposes during events such as the COVID-19 pandemic.