Maintaining confidentiality in healthcare requires a combination of physical safeguards, digital security, verbal discipline, and organizational culture. Every person who handles patient information, from front-desk staff to surgeons, shares responsibility for keeping it private. The core principle is straightforward: patients decide who sees their health information, with only rare legal exceptions.
Why Confidentiality Matters
Patients who don’t trust that their information will stay private are less likely to share symptoms, mental health concerns, substance use, or sexual history with their providers. That withholding leads to worse diagnoses and worse outcomes. The American Medical Association’s ethics code puts it plainly: physicians have an ethical obligation to preserve the confidentiality of information gathered in association with patient care, and patients are entitled to decide whether and to whom their personal health information is disclosed.
This obligation doesn’t end when a patient leaves a practice or even when they die. The AMA holds that patients are entitled to the same respect for confidentiality after death as they were in life. It also extends beyond direct medical care. Disclosing patient information to third parties for commercial purposes without consent violates principles of informed consent and can damage the integrity of the entire patient-physician relationship.
Physical Safeguards in the Workplace
Some of the most common confidentiality lapses are surprisingly low-tech. A paper chart left open on a counter, a computer screen visible from a waiting room, or a whiteboard listing patient names and diagnoses can all expose protected information to people who have no right to see it.
Practical steps to prevent these exposures include:
- Screen positioning and privacy filters: Computer monitors at reception desks and nursing stations should face away from public areas. Privacy screens that narrow the viewing angle are inexpensive and effective.
- Paper record handling: File folders containing medical records should be secured promptly after use, not left in open trays or on desktops. Documents with patient information should be shredded before disposal, never tossed in regular trash.
- Whiteboard and display management: Limit what patient information appears on whiteboards, X-ray viewing boxes, and other surfaces visible to visitors or unauthorized staff.
- Physical access controls: Medical records rooms and server areas should be locked. Access to keys or pass codes should be limited to staff who need them for their specific role.
Verbal Communication Risks
Conversations are one of the easiest ways to accidentally share patient information. Discussing a case in a hospital elevator, calling out a patient’s full name and diagnosis in a waiting area, or talking loudly on the phone about test results can all violate a patient’s privacy.
Military health system guidance on oral communication of protected health information offers a useful framework that applies broadly. Providers can discuss a patient’s condition in a semi-private hospital room, but they should use lowered voices and position themselves away from others. In waiting rooms, hallways, elevators, and other public spaces, staff should speak quietly and avoid using patients’ names when possible. The goal isn’t to eliminate clinical conversation, which would be impractical and potentially dangerous, but to take reasonable precautions that minimize who overhears it.
Digital Security for Electronic Records
Hacking and IT incidents are the most common causes of healthcare data breaches, followed by unauthorized internal disclosures. Smartphones and other smart devices have also become a significant source of privacy breaches. Protecting electronic health information requires layers of defense.
Encryption is one of the most important. It converts patient data into a format that is unreadable without the correct key, so stolen or intercepted data is useless to whoever took it. Federal guidance identifies encryption as a technology that renders protected health information “unusable, unreadable, or indecipherable to unauthorized individuals.” The same guidance treats encrypted data as secured only if the decryption key was not exposed along with it, so keys must be stored and managed separately from the data they protect. The Advanced Encryption Standard (AES) is the most widely supported cipher in current systems. For data moving across the internet, Transport Layer Security (TLS) protects information in transit, usually invisibly to the user; that protection holds only if the client actually verifies the server’s certificate and refuses obsolete protocol versions. For email, specialized encryption tools let senders lock messages so only the intended recipient can read them.
Beyond encryption, basic access controls are essential. Every staff member should have a unique login, and passwords should never be taped to monitors or shared between employees. Role-based access ensures that a billing clerk sees only billing information, not clinical notes, and that a nurse in one department cannot browse records in another. Automatic screen locks and session timeouts add another layer when someone steps away from a workstation. Access controls should be paired with audit logs, which the federal security rules require, recording who opened which record and when; those logs need regular review, because a role rule alone does not stop an authorized nurse from opening the chart of a patient she has no clinical reason to see.
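The role and department rules described above, as an added example that is not code from the original article or from any real EHR product: each access decision checks both the role’s permitted record sections and the user’s department against the patient’s, appends the decision to an audit trail whether allowed or denied, and a small review query surfaces users whose denied attempts cross a threshold. The role names, record sections, staff and patients are constructed for illustration.

```python
# Added example, not from the original article: role-based access checks
# scoped by department, an audit trail of every decision, and a review query
# over that trail. Roles, sections, users and patients are constructed data.
from collections import Counter
from dataclasses import dataclass

# Which record sections each role may read (assumed role model).
ROLE_SECTIONS = {
    "billing_clerk": {"demographics", "billing"},
    "nurse": {"demographics", "vitals", "medications", "clinical_notes"},
    "physician": {"demographics", "vitals", "medications", "clinical_notes", "billing"},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    department: str   # the unit the user is assigned to


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    department: str   # the unit currently responsible for the patient


def authorize(user, record, section, audit_log):
    """Return True if user may read `section` of `record`; log the decision.

    Two independent conditions must hold: the role grants the section, and the
    user's department is the one caring for the patient. Allowed reads are
    logged as well as denials, because a reviewer needs to know who looked at
    a chart, not only who was refused.
    """
    reason = "ok"
    if section not in ROLE_SECTIONS.get(user.role, set()):
        reason = f"role {user.role} may not read {section}"
    elif user.department != record.department:
        reason = f"user in {user.department}, patient in {record.department}"
    allowed = reason == "ok"
    audit_log.append({
        "user": user.user_id,
        "patient": record.patient_id,
        "section": section,
        "allowed": allowed,
        "reason": reason,
    })
    return allowed


def review_queue(audit_log, threshold=3):
    """Users with at least `threshold` denied reads, for a privacy officer to review."""
    denied = Counter(e["user"] for e in audit_log if not e["allowed"])
    return {user: n for user, n in denied.items() if n >= threshold}


def run_demo():
    """Constructed sample staff and patients; returns (decisions, review queue)."""
    log = []
    clerk = User("b.lee", "billing_clerk", "cardiology")
    nurse = User("r.ng", "nurse", "cardiology")
    cardio_pt = PatientRecord("P-1001", "cardiology")
    ortho_pt = PatientRecord("P-2002", "orthopedics")

    attempts = [
        (clerk, cardio_pt, "billing"),         # allowed: role and department match
        (clerk, cardio_pt, "clinical_notes"),  # denied: billing role, clinical section
        (nurse, cardio_pt, "clinical_notes"),  # allowed
        (nurse, ortho_pt, "clinical_notes"),   # denied: other department
        (nurse, cardio_pt, "billing"),         # denied: nurse role, billing section
        (nurse, ortho_pt, "medications"),      # denied: other department
    ]
    decisions = [authorize(u, r, s, log) for u, r, s in attempts]
    return decisions, review_queue(log)


if __name__ == "__main__":
    decisions, queue = run_demo()
    print(decisions)   # [True, False, True, False, False, False]
    print(queue)       # {'r.ng': 3}
```

The denial counter is deliberately crude. In practice the review query would also look at allowed reads that have no matching encounter for that user, which is how the “looking up a neighbor’s chart” case is actually caught, since a nurse in the right department passes every rule above.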
Telehealth-Specific Requirements
The COVID-19 public health emergency ended on May 11, 2023, and the federal enforcement discretion that had allowed providers to use consumer versions of video tools such as FaceTime or Zoom for telehealth expired with it, after a 90-day transition period that ran through August 9, 2023. Healthcare providers must now use telehealth platforms that comply with the federal privacy, security, and breach notification rules. This means the platform must encrypt video and audio streams, control who can access sessions, and have a signed business associate agreement with the healthcare organization.
Audio-only telehealth also falls under these rules. A call over a traditional landline does not create electronic protected health information, so the security rule’s technical requirements do not apply to it, but the privacy rule’s safeguards still do; audio-only care delivered over internet-based voice or messaging services is treated like any other electronic channel. If you’re a provider offering any form of remote care, the platform you use needs to meet the same security standards as your in-office electronic health record system.
Staff Training and Culture
Federal rules require covered entities to train their workforce on privacy practices, but there’s no single mandated curriculum. The rules are intentionally flexible to accommodate everything from a solo physician’s office to a large hospital system. What matters is that every employee, including volunteers, contractors, and temporary staff, understands the basics: what counts as protected health information, who is authorized to access it, how to handle it in physical and digital form, and what to do if they suspect a breach.
Training works best when it’s ongoing rather than a one-time onboarding event. Real scenarios resonate more than abstract rules. Walking staff through examples like accidentally emailing a record to the wrong patient, or a colleague looking up a neighbor’s chart out of curiosity, makes the stakes concrete. The U.S. Department of Health and Human Services provides free resources including security training games and risk assessment tools that smaller practices can use without building a curriculum from scratch.
When Confidentiality Can Be Broken
There are narrow legal exceptions where healthcare providers are required or permitted to disclose patient information without consent. These vary by state but commonly include reporting suspected child abuse or neglect, notifying public health authorities about certain infectious diseases, reporting gunshot wounds or other injuries suggesting criminal activity, and warning identifiable third parties of credible threats of violence. Court orders and law enforcement subpoenas can also compel disclosure in specific circumstances.
These exceptions exist because lawmakers have decided that public safety sometimes outweighs individual privacy. But the scope of what gets disclosed should always be as narrow as possible. Reporting a communicable disease to the health department doesn’t mean sharing the patient’s entire medical history.
Patients’ Rights Over Their Own Information
Confidentiality isn’t just about keeping information away from the wrong people. It also means giving patients access to their own records. Under federal law, patients have the right to inspect and obtain copies of their health information, and providers must act on the request within 30 calendar days. If a provider cannot meet that deadline, for example because the records are archived offsite, one 30-day extension is allowed, but the provider must notify the patient in writing within the original 30 days, giving the reason for the delay and the date by which it will respond.
Patients can request their records in the form and format they choose, and the provider must supply that form if it is readily producible; otherwise the two agree on an alternative. If a patient wants electronic copies and the provider stores records electronically, the provider must deliver them electronically. Mail and email are considered readily producible by all covered entities. Providers can also arrange a convenient time and place for the patient to pick up or inspect their records in person.
Penalties for Violations
Civil penalties for privacy violations are tiered by level of fault, and the base amounts below are adjusted annually for inflation. An unknowing violation carries a penalty of $100 to $50,000 per violation, with an annual cap of $25,000 for violations of the same provision. Violations due to reasonable cause range from $1,000 to $50,000 each, capped at $100,000 annually. Willful neglect that is corrected within 30 days costs $10,000 to $50,000 per violation, up to $250,000 per year. Willful neglect that goes uncorrected is $50,000 per violation with an annual maximum of $1.5 million.
Beyond fines, breaches trigger mandatory notification. Affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered. If a breach affects 500 or more individuals, the organization must also notify the Secretary of Health and Human Services within that same window and, when 500 or more residents of a state or jurisdiction are affected, prominent media outlets serving that area; smaller breaches are reported to HHS in an annual log. The reputational damage from a public breach notification often costs more than the fine itself. For individual employees, violations can result in termination, loss of professional licensure, and in extreme cases, criminal prosecution.