A patient reveals personal information to a health care provider when making an appointment, being examined by healthcare staff, and obtaining treatment.  Much of this information is about the patient’s health, but other information may be demographic or financial information such as the patient’s address and insurance coverage.  Health information may include vital signs (blood pressure, weight, etc.), results of diagnostic lab tests, and notes written by the physician or nurse.  The physician or nurse enters notes in the medical record about the patient’s symptoms, diagnosis, medications, personal medical history, family medical history, and similar matters.  The patient likely considers most of these details to be private and expects the medical staff to keep such information confidential, to be shared only with those entities agreed upon by the patient, such as a health insurance company and other healthcare institutions.  The patient may want even the knowledge that he or she is seeing a particular physician to be kept confidential.

It is commonly recognized that there is a legal and moral requirement of confidentiality of a patient’s private healthcare information.  Moral controversies arise about whether such confidentiality is absolute or may be violated in some situations. If the requirement of confidentiality is not absolute, under what circumstances and with whom is it morally permissible to share such information?

Information in Modern Healthcare Institutions

Decades ago in the United States the medical office of a typical physician was simpler than it is today.  A patient’s medical data was kept in a paper-based “chart” and rarely left the office.  The record was seen by the physician and perhaps a nurse or assistant.  Occasional lab tests were done and the data returned on a piece of paper stored in the chart.  The charts were not accessible to patients and the office was locked when not open for patients.  Some information was shared with insurance companies, though often insurance claims were processed by the patient, not the medical office.  Health insurance was mainly for extended hospital stays and surgeries, not for routine office visits, so not many office visits resulted in insurance claims being filed anyway.  In a hospital setting the patient’s chart would be seen by a few physicians and the nursing staff.  Some personal information might be in a computer billing system but the clinical medical records were still in the form of paper-based charts and stored at the nurses’ station or the medical records department.

For some small private medical practices today the situation might be similar to the situation decades ago, but for most practices nowadays a patient’s private medical information is likely to be more extensive, stored in more locations, moved through more transmission channels, and seen by more people.  More specialists might be seen, more tests ordered, and more medications prescribed.  Patient billing, scheduling, and clinical systems are often computerized, whether in private medical offices or larger institutions.  For example, information is exchanged between a specialist’s office and a referring physician’s office, between the medical office and the lab, and between medical offices and insurance companies and government agencies.   Other hospitals and institutions might be involved.  Information in the hospital might be stored in centralized electronic medical record systems as well as individual departmental systems.  Information might be typed into a computer, exchanged through phone conversations, recorded as dictations into special recorders, left as voicemail messages, transmitted via email messages and fax transmissions, and sent through the mail on paper.  Access to this information might occur through any number of computer screens throughout the hospital or office that are located at nurses’ stations, patient rooms, physician offices, scheduling workstations, lab stations, etc.

Healthcare is different these days because more is known, more tests and treatments are available, and more technology is in use.  The greatly expanded number of people, institutions, and processes mentioned above mean that confidentiality may be harder to control and require more effort.  The amount of patient healthcare information is greater than before, more people have access to it, and the way it is stored and transmitted has changed.  The new situation in healthcare means:

  • There is much more healthcare data to protect
  • There are more parties who legitimately need access to the data
  • There are more data storage and delivery channels to secure and protect
  • There are more legal regulations about data confidentiality and security
  • There are probably more parties seeking illicit or unauthorized access to your health information

The terms “data,” “information,” and “knowledge” have slightly different connotations, though the terms are not used by everyone in the same way.  Some thinkers treat the subject as a continuum, with data at one end and knowledge at the other.  Data are relatively uninterpreted, unprocessed, “raw” numbers, values, lines, etc.  As data are used in a meaningful way, given context, and compared with other data, we gain information.  Knowledge usually refers to accepted statements, truths, or facts.  For our purposes the confidentiality of all three needs to be protected, though sometimes for research purposes de-identified patient data can be used without compromising patient privacy.

Likewise the terms confidentiality and privacy have slightly different connotations, though again not everyone uses the terms in the same way.  Confidentiality refers to protecting data or information as it is shared by limiting access to it.  Privacy refers to the ability of the patient to control what is shared about them.

There are many threats and challenges to the confidentiality of patient information and the privacy of patients.  One challenge is protecting data from unauthorized access within a healthcare institution.  Some healthcare staff not directly providing care to a particular patient may try to sneak a peek at that patient’s medical records nevertheless.  This can happen when a celebrity stays at a hospital and hospital staff are curious about the details of their record.  Or a disgruntled hospital employee may seeks out and release patient data out of spite.  Or hospital information systems staff could make a mistake and accidentally post private patient health data on an internal Web site accessible to all employees.

Another challenge is protecting data from unauthorized access from those outside the institution.  As discussed above, parties outside the hospital such as insurance companies may need to obtain patient data to process a claim, but they may be inadvertently sent much more data than they need.  A common fear about discrimination is that potential employers or insurance companies may obtain genetic, psychiatric, or other health-related information and use it to deny employment or policies to an individual, irrespective of whether there are regulations against this.  Or someone from outside could break into a hospital network and steal patient social security numbers and other identifying information and then use it for health identify theft.

Arguments in Favor of Confidentiality

In the United States protecting patient privacy in certain ways is a legal obligation announced in HIPAA regulations and other state laws.  HIPAA, the federal government’s Health Insurance Portability and Privacy Act, which was promulgated in several editions during the last 10 years, mandates security and privacy policies at healthcare institutions to protect confidential patient health information.  But quite apart from legal requirements, there are prudential and moral reasons to worry about privacy and security.

Confidentiality is needed to protect patient privacy, and ethicists and clinicians believe privacy should be protected for several reasons.  One reason is pragmatic: if patients were not assured of privacy they would be hesitant to reveal medical information about themselves and their families, and such information might be needed by clinicians for diagnosis and treatment.  Violating confidentiality may be held to violate an implicit understanding or agreement between healthcare provider and patient that such information will not be shared.  Furthermore, violating confidentiality can be considered to violate the principle of respect for patient autonomy, because autonomy involves being free to decide and control one’s own life, including what other’s know about you.  Private information made public is no longer under the patient’s control. (Beauchamp and Childress).  Finally, if revealing a patient’s private health information embarrasses the patient, or causes other problems, the patient suffers a kind of harm, and the principle of nonmaleficence requires healthcare professionals to avoid harming patients.

Because the modern healthcare system has many ways in which such information is stored, accessed, and transmitted, with many people and institutions involved, protecting patient privacy needs to be done through established security policies.  Security should consist of policies, procedures, and practices that allow needed access while protecting data against the challenges and threats originating both within and outside the institution.  For instance, employees who do not need access to patient clinical data to do their job should have computer access to such data restricted.  Or for example emailing patient data via normal email channels may need to be precluded because normal email is not very secure.  Patient clinical data that is to be used in research needs to be “de-identified” so that the original patients could no longer be recognized by name, address, etc.  Employees should be educated about proper policies and practices, networks and computers should be physically protected against intruders, and practices should be in place to prevent terminated employees from logging in, employees from being tricked into disclosing user names and passwords, etc.

Confidentiality and Minors

The assumption of patient confidentiality is commonly held to apply to child patients only in a modified sense.  Medical information about small children will be shared with their parents or legal guardians. But there is the expectation such information will be kept confidential otherwise, and this likewise applies to adolescent patients. 

With adolescents, however, the situation is not as clear cut about sharing information with their parents.  Legally, parents are in charge of payments and medical decisions until the child becomes an adult, an “emancipated minor,” or a “mature minor.”  But some clinicians believe it advantageous and morally permissible to allow the adolescent patient some confidentiality from their parents.  It’s advantageous, on this view, because the adolescent patient is more likely to share private health issue with the provider if they know it won’t be automatically passed on to parents.

It is sometimes recommended that adolescents, their parents, and their provider establish a common understanding about how, if agreed upon, some privacy and confidentiality from parents will be allowed.  Understood should be that important decisions will still have to be made by the parents, the parents will see the invoices and insurance claims (thus revealing some things), and the provider will have to inform the parents if the adolescent’s decision about care is going to harm him or her, or if the adolescent just cannot be expected to be mature enough to make the decision. 

Is Confidentiality Still Possible?

Despite such policies, in the modern age of computerized patient records maintaining patient privacy may not always be as easy as it sounds.  Some critics view the notion of full data confidentiality as unrealistic. 

Consider the following situations.  Due to a series of scheduling mistakes, a patient winds up being in the computerized medical record system twice, under two slightly different names and different patient numbers.  Later, it is realized that the patient is in the system twice, with some clinical data and notes being stored under one patient number and other clinical data and notes under a different number.  This is actually a very common mistake at large hospitals and if not identified and corrected can mislead a provider who happens to look up in effect only half the patient’s record.  Providers making medical decisions about the patient need to see all the data together.  So once the problem is identified, the medical records staff will spend considerable time merging the records.  This process of identifying and fixing the problem will involve many different nonclinical staff, including schedulers, medical record clerks, administrative supervisors, and possibly even information systems staff, who will view the patient’s private medical records in detail, even though none of these parties is caring for the patient.

A different situation occurs when a physician has problems editing a chart note written to document a patient visit and contacts the hospital information systems staff for help.  The hospital IS staff is unable to fix the problem, so they contact the vendor who supplied the system.  In order to resolve the issue, the vendor has to remotely logon to the hospital system and access that specific chart note, which contains the patient’s private health data.  Several programmers and analysts need to access the note in order to resolve the problem.  By the time the process is finished, the patient’s confidential health data has been observed by numerous nonclinical, technical staff both within and outside the institution.  Perhaps someone just happens to notice part of the note describing some embarrassing health issues facing the patient and finds it amusing.  None of this data has been “de-identified,” and though the information is not available to the general public, the patient probably had no idea their personal health problems were going to be viewed by all these people.

In the above examples, it might be that all of the parties mentioned have signed confidentiality agreements, so in a sense “confidentiality” has been maintained.  But so many people have seen the patient’s private health information that one could argue that in another sense confidentiality is surely not what it used to be.

Is Confidentiality Absolute?

There are at least three situations in which ethicists argue violating confidentiality may be morally permissible or even morally obligatory.  (In many jurisdictions there are legal obligations too.)

  • The patient has given signs he or she plans to harm a particular person.  This could occur, for instance, if a patient tells a psychiatrist about plans to kill a specific person.  In such a case the psychiatrist, it is argued, has a moral and legal obligation to inform authorities and warn the person.
  • The patient represents a risk to public health, such as if their irresponsible behavior would spread a dangerous communicable disease, or if they were drunk and about to drive away.  In such cases authorities should be notified.  But it is not clear the general public has a right to know about the individual’s disease.
  • The patient is a minor who displays signs of child abuse.

There are other situations in which opinion seems to be divided.  One example is the aforementioned situation of an adolescent (or teenager) not wishing his or her parents to know about a private health issues, when that issue is not life-threatening or serious.  What is the provider’s moral obligation of privacy and confidentiality to the patient in this case?  Some thinkers would claim that unless not telling the parents would result in harm to the adolescent patient, and if no ground rules have been established earlier, the provider is under a moral obligation not to tell the parents.  However, it should be noted that, except in certain cases of sexually transmitted diseases or pregnancy in selected state jurisdictions, the provider may be under a legal obligation to inform the parents if they specifically request the information.

Another similar situation is the question of whether the provider may permissibly reveal private health information about the patient to members of the patient’s immediate family without obtaining explicit consent from the patient.  For example, if the patient is in the recovery room after surgery, and the family is waiting outside the room, is the physician morally permitted to inform the family the patient is doing fine?  Unless the patient has already expressed a wish that the family not be told, most physicians will assume the patient implicitly allows this sort of information be shared.  Again, some clinicians advise discussing this ahead of time to avoid misunderstanding.

Currently in the United States the principle of respect for autonomy carries great weight, at least theoretically, and the patient may be considered the ultimate arbiter of what to tell the family.  In some other cultures, however, the custom may be reversed, with the cultural norm dictating the family should be informed first of any health issues and they then serving as the arbiter of what to tell the patient. 


Tom Beauchamp and James Childress, Principles of Biomedical Ethics, any recent edition