Ethics, Communication & Professionalism
Confidentiality: HIPAA and permitted disclosures
— Covered entities: health plans, healthcare clearinghouses, and providers who transmit health data electronically
— Business associates (billing companies, EHR vendors, transcriptionists) are also bound via Business Associate Agreements
— A family member, employer, journalist, police officer, or another physician requests info
— A patient is incapacitated and someone wants to make decisions
— Communication via text/email/social media
— A subpoena, court order, or law enforcement request arrives
— Mandatory reporting collides with patient's request for secrecy
— Curbside consult or elevator conversation overheard
Board pearl: The Step 3 examiner is testing whether you can distinguish (1) disclosures requiring written authorization, (2) disclosures permitted without authorization but requiring opportunity to object, (3) disclosures required by law, and (4) disclosures that are never permissible. Memorize this four-bucket framework — nearly every HIPAA vignette resolves into one of these categories. Default position when uncertain: do not disclose without patient authorization, but never withhold information when disclosure is mandated by law (abuse, certain communicable diseases, gunshot wounds in most states).

— "A reporter calls asking about a celebrity admitted last night…"
— "The patient's adult daughter calls from out of state requesting an update…"
— "A police officer arrives at the ED asking whether John Doe is here…"
— "An attorney faxes a subpoena requesting the entire chart…"
— "Your colleague, not involved in the patient's care, asks about her diagnosis…"
— "The patient's employer calls to confirm the diagnosis on the work note…"
— "You receive a friend request from a current patient on social media…"
— Is the patient decisional? If yes, defer to patient's preferences
— Has the patient signed an authorization or designated a representative?
— Is the requester a treating clinician? TPO applies — no authorization needed
— Is there a court order vs. subpoena? Court order = comply; subpoena = generally need patient authorization or notice unless protective order is in place
— Is the disclosure required by state law? (e.g., reportable diseases, suspected abuse)
— Is the patient a minor or under guardianship?
A family member or friend involved in the patient's care may be given relevant information when the patient:
— Agrees, or
— Is given opportunity to object and does not, or
— Is incapacitated, and the clinician judges disclosure is in the patient's best interest and limited to information directly relevant to that person's involvement
Key distinction: A subpoena signed by an attorney is not equivalent to a court order signed by a judge. With a subpoena alone, you generally need either patient authorization, satisfactory assurances that the patient was notified, or a qualified protective order before releasing records. A court order compels disclosure of only the information specified — still apply minimum necessary.

— Elevator/cafeteria conversations about identifiable patients
— Computer screens left unlocked in patient-visible areas
— Whiteboards in hallways listing names and diagnoses
— Faxes sent to wrong number; emails to personal accounts
— Lost/stolen laptops or USB drives containing unencrypted PHI
— Looking up a patient's chart out of curiosity (celebrity, neighbor, ex-partner, coworker, family member not under your care) — this is a firing offense and reportable
— Photos on personal phones, even de-identified, often violate institutional policy
— Sharing login credentials with students/residents
— Posting any patient case detail that could identify the patient, even without name
— Accepting friend requests from current patients (also a boundary concern)
— Discussing "interesting cases" in identifiable detail
— Breach of unsecured PHI triggers notification to (1) affected individuals within 60 days, (2) HHS, and (3) if ≥500 individuals affected, prominent media outlets in the jurisdiction
— Encrypted data that is lost is generally not a reportable breach (safe harbor)
Step 3 management: When you witness a colleague accessing a chart inappropriately, the correct action is report to the privacy officer / compliance — not confront alone, not ignore, not "ask them first." Documentation in the medical record itself should never include speculation about who breached privacy; that goes through institutional channels.

— Treatment: sharing with consulting physicians, transferring facility, pharmacist, home health
— Payment: insurer eligibility, claims, utilization review
— Operations: QI, credentialing, training, audits, accreditation
— Required by law (statute, regulation, court order)
— Public health activities (CDC, state health department, FDA adverse events, communicable disease reporting)
— Victims of abuse, neglect, or domestic violence (per state law; adult competent victims usually must consent unless required by law)
— Health oversight activities (audits, investigations)
— Judicial/administrative proceedings (court order; subpoena with safeguards)
— Law enforcement — identifying/locating suspects, victims of crime (limited info), reporting deaths, crimes on premises, gunshot/stab wounds where state mandates
— Coroners, medical examiners, funeral directors
— Organ/tissue donation
— Research (with IRB waiver or de-identified data)
— Serious threat to health or safety (Tarasoff-like duty to warn identifiable third parties)
— Specialized government functions (military, national security, custodial situations)
— Workers' compensation (per state law)
Board pearl: A father asks about his 24-year-old daughter's hospitalization. She is alert and has not authorized disclosure. The correct answer is ask the patient first; without her permission you cannot share PHI even with a parent. Adult patients control their own information regardless of family relationship.

— Marketing communications (with limited exceptions)
— Sale of PHI
— Most psychotherapy note disclosures
— Release to life insurance companies, employers (for non-injury purposes), attorneys representing the patient
— Specific description of information to be disclosed
— Names of disclosing and receiving parties
— Purpose of disclosure
— Expiration date or event
— Patient signature and date
— Statement of right to revoke and how
— Statement that treatment cannot be conditioned on signing (with narrow exceptions)
— Substance use disorder records (42 CFR Part 2) — requires specific written consent even for many TPO disclosures; recent rule changes (2024) aligned more closely with HIPAA but Part 2 still applies to federally assisted SUD programs
— HIV/AIDS status — many states require specific written consent
— Mental health records / psychotherapy notes — kept separate from medical record; require separate authorization
— Genetic information — GINA additionally restricts use by employers/insurers
— Reproductive health information — recent HHS rule (2024) adds protections against disclosure for investigating lawful reproductive care
Key distinction: Psychotherapy notes = the therapist's separately kept process notes. They are not the same as the patient's mental health diagnoses, medications, or session start/stop times — those remain in the regular record and follow standard HIPAA rules.

1. Is the requester involved in TPO? → Disclose minimum necessary; no authorization needed
2. Is disclosure required by law? (mandatory reporting, court order, public health) → Disclose what the law requires
3. Does it fall in a permitted public-interest category? → May disclose without authorization, but use professional judgment and minimum necessary
4. Is there valid written authorization from the patient (or personal representative)? → Disclose per authorization
5. None of the above? → Do not disclose; obtain authorization or decline
— Decisional patient present → ask directly, or infer from context (patient brought spouse into room)
— Decisional patient absent → use professional judgment about what they would want
— Incapacitated patient → disclose information relevant to that person's role in care, limited to what's needed
— Child abuse/neglect (all 50 states; all healthcare workers)
— Elder/dependent adult abuse (most states)
— Suspected domestic violence reporting varies — many states do not mandate reporting competent adult IPV victims
— Gunshot/stab wounds (most states)
— Reportable communicable diseases (TB, syphilis, HIV in most states, measles, etc.)
— Impaired drivers (some states, e.g., seizures)
— Death certificates, certain occupational injuries
Step 3 management: When law enforcement asks "Is John Doe in this hospital?", you may confirm presence and general condition only if the patient has not opted out of the facility directory. If the patient opted out (or is unconscious and there is reason to think they would have), you cannot confirm presence. Always check directory status first.

— Designated Privacy Officer and Security Officer
— Workforce training at hire and at least annually
— Sanctions policy for violations
— Access management — role-based, "minimum necessary" access provisioning
— Business Associate Agreements with all vendors handling PHI
— Locked file rooms; shredding bins; clean-desk policies
— Workstation positioning away from public view
— Device and media controls — disposal, reuse, tracking
— Unique user IDs, no shared logins
— Automatic logoff
— Audit controls — every chart access is logged and auditable
— Encryption of data in transit and at rest (addressable but de facto required)
— Transmission security (TLS for email, secure messaging platforms)
— Confirm fax/email recipient before sending; use cover sheets with confidentiality notice
— Use secure patient portals rather than personal email/text
— If texting with patients is offered, document patient consent to the risks and use a HIPAA-compliant platform
— Voicemails — leave minimal info ("Please call Dr. X's office") unless patient has authorized more detail
— Waiting room sign-in sheets are permitted (incidental disclosure) but limit visible information
Board pearl: Incidental disclosures — overhearing a name called in the waiting room, glancing at a nearby chart — are not violations if reasonable safeguards are in place and minimum necessary is followed. HIPAA does not require soundproof rooms or whispered conversations; it requires reasonable, not perfect, protection. The exam tests this when it presents a realistic clinical workflow.

— If patient is in the facility directory and has not opted out: confirm presence, give one-word condition (undetermined, good, fair, serious, critical), and religious affiliation only to clergy
— No diagnosis, no clinical details, without authorization
— Best practice: refer to PR/Media Relations; clinicians should not speak to press
— With warrant or court order: comply per its scope
— Without warrant: limited identifying info (name, address, DOB, ABO, type of injury, date/time of treatment) may be disclosed to locate suspect/missing person
— Crime victim: disclose with patient agreement, or without if patient incapacitated and disclosure is in best interest and not used against the victim
— Crime on premises: may report to law enforcement
— Suspect statements during treatment: generally protected unless they constitute threats covered by duty to warn
— Notify risk management/legal
— Verify whether court order accompanies the subpoena
— If subpoena only — require patient authorization or satisfactory assurances of notice/protective order
— Disclose only what is specified — never the entire chart by default
CCS pearl: In a CCS-style scenario, "Notify hospital risk management" or "Consult legal/privacy officer" is frequently the right next step when disclosure is contested or ambiguous — analogous to consulting a specialist for an unfamiliar clinical question.

— Healthcare power of attorney / healthcare proxy
— Court-appointed guardian
— Next of kin per state law if no advance directive (decisional incapacity)
— Spouse, adult children, caregivers have no automatic right to PHI
— Must obtain patient permission (verbal in informal situations may suffice for family involvement in care)
— Document the patient's stated preferences in the chart
— Use professional judgment to disclose information directly relevant to a family member's involvement in care
— Provide minimum necessary
— Reassess capacity — if patient regains capacity, defer to their preferences going forward
— Mandatory reporting in most US states for healthcare professionals
— Reporting to Adult Protective Services is a permitted disclosure under HIPAA's "victims of abuse" provision
— Inform the patient unless doing so would place them at further risk or impede investigation
— Discharge to SNF/home health is a treatment disclosure — share what's needed for continuity
— Avoid faxing entire chart; send focused discharge summary, medication reconciliation, advance directive
Step 3 management: A daughter brings her mother with mild dementia to clinic. Mother nods and gestures for daughter to stay. Document patient's apparent agreement and proceed; you do not need formal capacity assessment to allow a family member to participate in a routine visit when the patient assents.

— Care to which the minor lawfully consented under state law (varies — STI testing, contraception, prenatal care, mental health, SUD treatment commonly included)
— Minor obtained care at direction of a court or court-appointed representative
— Parent agreed to confidential care between minor and provider
— Emancipated minors — married, military, court-emancipated — treated as adults
— Adds protections specifically prohibiting use/disclosure of PHI for criminal, civil, or administrative investigations into lawfully obtained reproductive healthcare
— Providers must obtain a signed attestation when requests potentially relate to reproductive health investigations
— Pregnant patient controls her PHI; partner has no automatic access
— If partner is involved in care and patient consents, share relevant information
— Mandatory report to child protective services overrides parental objection
— Do not require parental consent before reporting; document objective findings
Key distinction: Paying the bill does not create a right to access PHI. A parent paying for an adult child's care, or a spouse paying for treatment, does not gain access without authorization. The exam loves this trap — financial responsibility ≠ informational access.

— Loss of trust in medical system, avoidance of care
— Discrimination (employment, insurance, social)
— Identity theft, financial harm
— Psychological harm from exposure of sensitive diagnoses (HIV, mental health, SUD, reproductive)
— Civil monetary penalties: four tiers based on culpability
    — Did not know: ~$100–$50,000 per violation
    — Reasonable cause: ~$1,000–$50,000
    — Willful neglect, corrected: ~$10,000–$50,000
    — Willful neglect, not corrected: ~$50,000 minimum per violation
    — Annual cap: ~$1.9 million per violation type (adjusted for inflation)
— Criminal penalties (DOJ): up to 10 years imprisonment for knowingly obtaining/disclosing PHI for personal gain or malicious harm
— Loss of medical license, hospital privileges, employment
— Mandatory corrective action plans, OCR monitoring
— Reputational harm; required public breach notification
— State privacy/tort law (invasion of privacy, breach of confidence, negligence)
— State medical practice acts
— Federal anti-discrimination laws (GINA, ADA)
Board pearl: A common Step 3 distractor: "patient sues hospital under HIPAA." Wrong — patient files complaint with OCR; civil suits proceed under state law. Recognizing this distinguishes administrative remedy (HIPAA/OCR) from tort remedy (state court).

— A potential breach is suspected (lost device, misdirected fax, inappropriate access)
— Subpoena, court order, or law enforcement request received
— Media request for patient information
— Ethics consult collides with confidentiality (family demanding info patient refused to share)
— Duty-to-warn scenario emerges
— Privacy Officer / Compliance Office — first call for most breaches and disclosure questions
— Risk Management — for subpoenas, legal demands, potential litigation
— Legal Counsel — for court orders, complex disclosures, novel scenarios
— Ethics Committee — when confidentiality conflicts with beneficence (e.g., genetic info relevant to relatives)
— Information Security — for cyber incidents, ransomware, suspected hacking
1. Contain the breach (recover device, retract email, terminate access)
2. Assess risk of harm (4-factor analysis: nature of PHI, who received it, was it actually viewed, mitigation)
3. Notify privacy officer within institution
4. Document timeline, scope, individuals affected
5. Notify affected individuals within 60 days of discovery
6. Notify HHS — annually if <500 affected, immediately if ≥500
7. Implement corrective actions and retraining
CCS pearl: In any vignette involving a confidentiality question with legal ramifications, ordering "Consult risk management" or "Consult hospital legal counsel" is rarely wrong and is often the most defensible immediate step before any disclosure is made.

— Part 2 applies to federally assisted substance use disorder treatment programs
— Historically required specific patient consent even for treatment disclosures
— 2024 final rule aligned Part 2 more closely with HIPAA (single consent for TPO permitted), but still imposes additional protections
— Re-disclosure prohibitions still apply
— FERPA protects educational records — including health records held by school health services at FERPA-covered institutions (most K-12 and many universities)
— Records at a university student health center may fall under FERPA, not HIPAA
— When state law is more protective of privacy (stricter), state law prevails ("floor not ceiling")
— Examples: HIV-specific consent laws, mental health record laws, minor consent laws
— Research uses of PHI require either authorization, IRB waiver of authorization, de-identified data, or limited data set with data use agreement
— GINA prohibits employers and health insurers from using genetic information; HIPAA controls its disclosure
— ADA limits when employers can request medical info; HIPAA governs providers
— Privilege is an evidentiary rule in court; HIPAA is an administrative disclosure rule. Both may apply.
Key distinction: A student athlete is treated at the university student health center — those records may be FERPA-protected, not HIPAA-protected. If treated at an affiliated hospital, HIPAA applies. The covered-entity status determines the regulatory framework.

— Reality: With patient permission (express or inferred) or in best interest of incapacitated patient, family communication is permitted and encouraged for care coordination.
— Reality: Provider-to-provider communication for treatment is a TPO disclosure — no authorization required. Curbside consults about specific identifiable patients are PHI disclosures but fall under treatment.
— Reality: De-identification requires removing all 18 identifiers or expert determination of low re-identification risk. A "case from last Tuesday's ED shift" with diagnosis and demographics may still be identifiable.
— Reality: Permitted if the patient has been informed of risks and prefers email; document the preference. Secure portals are preferred.
— Reality: Mandatory reporting laws override HIPAA; reporting is required and protected.
— Reality: PHI remains protected for 50 years post-mortem.
— Reality: Never access charts of family, friends, or anyone you are not actively treating. This is the most common cause of provider HIPAA termination.
— Reality: Personal devices generally should not store identifiable images unless on an institution-sanctioned secure platform.
Board pearl: The single most common HIPAA exam answer pattern: when in doubt, ask the patient for permission first. This default answer is correct in the majority of family/friend disclosure scenarios.

— Initial training within reasonable time of hire
— Periodic retraining (annually is the de facto standard)
— Documentation of completion
— Targeted retraining after any incident
— Provide Notice of Privacy Practices (NPP) at first encounter; obtain good-faith acknowledgment of receipt
— Update NPP when material changes occur (e.g., 2024 reproductive health rule)
— Display NPP prominently and on website
— Periodic audits of EHR access logs, especially for VIP/high-profile patients ("break-the-glass" alerts)
— Prompt termination of access when employees leave
— Multi-factor authentication for remote access
— Right to access records (within 30 days; one 30-day extension permitted)
— Right to request amendment of inaccurate information
— Right to request restrictions on disclosures (provider may decline except for self-pay disclosures to health plans, which must be honored)
— Right to confidential communications (alternative address/phone)
— Right to accounting of disclosures (non-TPO disclosures over prior 6 years)
— Right to file complaint with provider and OCR without retaliation
— Maintain current BAAs; reassess when scope changes
— Vendor security reviews
— Incident response coordination
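The "audit controls" safeguard (every chart access is logged and auditable) and the "periodic audits of EHR access logs, especially for VIP/high-profile patients" item above describe a review that a privacy officer or information security team actually has to run. The following is an added example, not material from the study guide or from any EHR vendor: it reads a constructed CSV audit export, compares each access against a constructed care-team roster, VIP flag list and HR last-working-day feed (all hypothetical data sources), and returns the accesses that need review: curiosity lookups with no treatment relationship, VIP charts opened without a documented break-the-glass reason, documented break-the-glass overrides that still need sign-off, and accounts used after their owner's last day. The column names, reason codes and `BTG-` prefix are assumptions for the example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime

# Constructed audit export (not real data): timestamp, user, patient MRN, action,
# and an optional documented reason such as a break-the-glass ("BTG-") code.
SAMPLE_LOG = """\
timestamp,user,mrn,action,reason
2024-03-04T08:12:00,rnsmith,MRN1001,VIEW,
2024-03-04T08:15:00,drjones,MRN1001,VIEW,
2024-03-04T09:40:00,drjones,MRN2002,VIEW,
2024-03-04T10:05:00,clerk22,MRN3003,VIEW,
2024-03-04T11:30:00,drpatel,MRN3003,VIEW,BTG-EMERGENCY
2024-03-05T07:55:00,rnsmith,MRN2002,VIEW,
"""

# Constructed reference data. In a real review these would come from the EHR's
# treatment-relationship table, the sensitive/VIP record flags, and the HR
# termination feed; all three sources are hypothetical here.
CARE_TEAM: dict[str, set[str]] = {
    "MRN1001": {"rnsmith", "drjones"},
    "MRN2002": {"drjones"},
    "MRN3003": set(),          # VIP admitted overnight, no team assigned yet
}
VIP_CHARTS: set[str] = {"MRN3003"}
LAST_DAY: dict[str, date] = {"clerk22": date(2024, 3, 1)}  # should be deprovisioned


@dataclass(frozen=True)
class Finding:
    timestamp: str
    user: str
    mrn: str
    code: str  # why this access needs review


def audit(log_text: str, care_team: dict[str, set[str]],
          vip_charts: set[str], last_day: dict[str, date]) -> list[Finding]:
    """Return every access in the export that fails a minimum-necessary check."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        user, mrn = row["user"], row["mrn"]
        reason = (row["reason"] or "").strip()

        def flag(code: str) -> None:
            findings.append(Finding(row["timestamp"], user, mrn, code))

        # 1. Deprovisioning gap: an account still used after its owner's last day.
        if user in last_day and ts.date() > last_day[user]:
            flag("TERMINATED_ACCOUNT")

        # 2. Treatment-relationship check: access with no care-team membership is
        #    either a documented override (still reviewed) or a curiosity lookup.
        if user not in care_team.get(mrn, set()):
            if reason.upper().startswith("BTG-"):
                flag("BTG_REVIEW")
            else:
                flag("NO_TREATMENT_RELATIONSHIP")
            # 3. VIP charts get an extra alert when opened with no reason at all.
            if mrn in vip_charts and not reason:
                flag("VIP_NO_BTG_REASON")
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per user so the privacy officer sees who to follow up with."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG, CARE_TEAM, VIP_CHARTS, LAST_DAY)
    for f in results:
        print(f"{f.timestamp}  {f.user:<8}  {f.mrn}  {f.code}")
    print(summarize(results))
```

On the constructed data the two on-team users generate nothing, the terminated clerk account generates three findings on one VIP chart, the documented break-the-glass access is surfaced for review rather than treated as a violation, and the nurse's lookup of a patient outside her assignment is flagged as the classic curiosity access that the study guide calls a firing offense. The output of a review like this goes to the privacy officer through institutional channels, which is the same escalation path the guide gives for a witnessed inappropriate access.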
Step 3 management: When a patient pays out-of-pocket and requests that the encounter not be reported to their insurance, the provider must honor this restriction request under HIPAA (one of the few mandatory restriction-honor scenarios). Document the request and flag the encounter so claims are not inadvertently submitted.

— Confirm preferred contact method (home phone, mobile, email, portal); document
— Ask permission before discussing care in front of family in the room
— Discuss limits of confidentiality up front, especially in:
    — Adolescent visits (confidential vs. parent-disclosed topics)
    — Mental health (duty to warn, suicide risk)
    — Substance use treatment (Part 2 protections and limits)
    — Occupational/fitness-for-duty exams (employer access)
    — Court-ordered evaluations (results go to the court)
— Forensic and IME (independent medical exam) settings: clarify at the outset that the encounter is not confidential; results go to the requesting party. Document that this was explained.
— Use HIPAA-compliant video platforms
— Confirm patient's location and who else is in the room
— Verify identity at the start of each visit
— Avoid public Wi-Fi for clinical work
— Avoid copy-paste perpetuation of sensitive information
— Use sensitive-record flags appropriately (HIV, mental health, SUD) per institutional policy
— Review chart access logs periodically for one's own patients in VIP cases
— Educate patients to use portal rather than email
— Caution against sharing portal passwords with family
— Explain that text messages on personal devices are not encrypted by default
Board pearl: In a forensic exam (e.g., court-ordered competency evaluation, employer fitness-for-duty), the physician's report goes to the requesting party, not the patient — and the patient must be informed of this before the evaluation begins. Failing to disclose the non-confidential nature is itself an ethical violation.

— Identifiable third-party threat (duty to warn; Tarasoff)
— Communicable disease exposure to identifiable contacts (often handled via public health rather than direct disclosure)
— Genetic findings relevant to family members — encourage patient to share; in rare cases, ethics committees support disclosure
— Impaired colleague who poses patient safety risk — report to medical board / physician health program (this is a professional duty, not a HIPAA violation, as it falls under permitted oversight disclosure)
— Discharge summaries must reach the receiving clinician — failure to transmit is both a safety issue and potentially a HIPAA-aligned operational lapse. Step 3 emphasizes timely (within 24-48 hours) handoffs with medication reconciliation, pending labs, and follow-up plan.
— Verbal handoffs in non-private areas risk incidental over-disclosure
— Authorization for release of records is a separate consent from treatment consent
— Blanket "authorize anything to anyone" forms are invalid — must be specific
— Revocation must be honored prospectively; prior disclosures made in reliance are not undone
Step 3 management: An impaired colleague — the correct action is to report to the state physician health program or medical board; this is a professional obligation and constitutes a permitted health oversight disclosure under HIPAA. "Confront privately and trust they'll seek help" is a distractor that risks patient harm.

Board pearl: The five "no authorization needed but document well" disclosures most tested: TPO, public health, abuse reporting, law enforcement (limited), and duty to warn. If a stem fits none of these and no patient authorization exists, do not disclose.

— Answer: Decline to comment / refer to public affairs; confirm presence and one-word condition only if patient is in directory and has not opted out, with no diagnosis.
— Answer: Do not disclose; respect competent adult's preferences.
— Answer: Notify risk management/legal; do not release until patient authorization is obtained or court order / satisfactory assurances are provided.
— Answer: Counsel and encourage disclosure; offer partner-services through public health; if state has duty-to-warn for HIV, follow it; many jurisdictions allow physician to notify partner with public health assistance.
— Answer: Do not disclose; STI care is a minor-consent service in most states, and the minor controls the record.
— Answer: Report to privacy officer/compliance; do not handle informally.
— Answer: Warn the identifiable victim and notify police (duty to warn); document.
Key distinction: "Most appropriate next step" stems often test whether you escalate (privacy officer, risk management, public health) versus act unilaterally. When the stem involves legal/media/law enforcement, escalate; when it involves a clear permitted/required disclosure, act; when it involves family without authorization, ask patient first.

HIPAA permits disclosure of PHI without patient authorization only for treatment, payment, and healthcare operations and for a defined set of public-interest categories (including required-by-law reporting, public health, abuse, law enforcement with limits, and duty to warn); everything else requires valid written authorization. "Minimum necessary" and "ask the patient first when in doubt" are your default operating principles throughout.
Board pearl: When the Step 3 stem presents any confidentiality dilemma, run the five-step framework — TPO? Required by law? Permitted category? Valid authorization? None of the above? — and the correct answer almost always emerges from the first matching tier, with "ask the patient" as the universal tiebreaker.

