What Are the 3 Reasons to Break Confidentiality?

The three widely recognized reasons to break confidentiality are: to protect someone from serious harm (duty to warn), to comply with mandatory reporting laws for abuse or neglect, and to meet legal or public health requirements such as court orders or disease reporting. These exceptions apply across healthcare, mental health, and social services, and they exist because certain situations make disclosure more important than privacy.

Reason 1: Preventing Serious Harm to Others or Self

When a patient or client reveals a credible threat of violence toward another person, or shows signs of imminent danger to themselves, a provider has both an ethical and legal obligation to act. This principle is rooted in what’s known as the “duty to protect” or “duty to warn.” A therapist who learns during a session that a client intends to seriously harm a specific person can break confidentiality to warn the potential victim or notify law enforcement.

This duty traces back to a landmark 1976 California case, Tarasoff v. The Regents of the University of California, where the courts ruled that psychotherapists have a legal duty to warn third parties of patients’ threats to their safety. Since then, most states have adopted some version of this requirement, though the specifics vary. Some states require providers to warn, others permit it, and a few define the obligation more narrowly.

The American Psychological Association’s ethics code addresses this directly. Section 4.05(b) allows disclosure of confidential information without consent when it’s necessary to protect the patient, the provider, or others from substantial harm. The key threshold is that the danger must be serious and reasonably foreseeable, not hypothetical or vague. A passing expression of frustration doesn’t trigger the duty. A specific, credible threat against an identifiable person does.

Reason 2: Mandatory Reporting of Abuse or Neglect

Every state requires certain professionals to report suspected child abuse or neglect. This is the most consistent reporting requirement in the country, and it overrides patient confidentiality without exception. Teachers, doctors, therapists, social workers, and many other professionals are classified as “mandated reporters,” meaning they face legal consequences if they fail to report.

The obligation extends beyond children. Most states also require reporting of suspected abuse, neglect, or exploitation of elderly adults and dependent adults. California law, for example, mandates that professionals in care settings report elder abuse under the Welfare and Institutions Code. Adult Protective Services agencies try to balance the duty to protect with an adult’s right to self-determination, but when there’s strong suspicion of abuse, reports generally move forward regardless of whether the victim consents.

What makes mandatory reporting distinct from the duty to warn is that the provider doesn’t need to confirm abuse has occurred. Reasonable suspicion is the legal standard. A therapist who notices unexplained injuries on a child during a family session, or a nurse who suspects a nursing home resident is being neglected, is required to file a report. Waiting for certainty isn’t an option, and the obligation exists even if the person being harmed hasn’t asked for help.

Reason 3: Legal and Public Health Requirements

Confidentiality can also be broken when the law compels disclosure for broader societal purposes. This category covers two main areas: court-ordered disclosures and public health reporting.

Court Orders and Legal Proceedings

A healthcare provider can share protected health information when presented with a court order, but only the information specifically described in that order. This is a narrower requirement than many people assume. A subpoena issued by an attorney or court clerk is not the same as a court order. Before responding to a subpoena, a provider must see evidence that reasonable efforts were made to notify the patient about the request, giving them a chance to object, or that a qualified protective order was sought from the court. The distinction matters: a court order compels disclosure, while a subpoena requires additional safeguards before any information changes hands.

Public Health Reporting

Healthcare providers are required to report certain diagnoses to public health authorities without patient consent. The CDC maintains a list of nationally notifiable conditions, and it’s extensive. It includes infectious diseases like tuberculosis, HIV/AIDS, measles, hepatitis (A, B, and C), COVID-19, cholera, and sexually transmitted infections such as syphilis, gonorrhea, and chlamydia. The list also covers non-infectious conditions: elevated blood lead levels, carbon monoxide poisoning, pesticide-related illnesses, silicosis, and cancer.

This reporting exists so public health agencies can track outbreaks, identify contamination sources, and coordinate responses. Your name and diagnosis go to the health department, not to the public. The information is used for surveillance and intervention, not broadcast. States may also have their own additional reporting requirements beyond the federal list.

How These Exceptions Work in Practice

Under the federal HIPAA Privacy Rule, providers can share health information without your authorization for what the law calls “public interest and benefit activities.” This umbrella covers 12 categories, including the ones described above: situations required by law, public health activities, reports of abuse or neglect, law enforcement purposes, judicial proceedings, and averting serious threats to health or safety. Other permitted disclosures include sharing information with coroners, organ donation organizations, and workers’ compensation programs.

When a provider does break confidentiality, the disclosure is supposed to be limited to the minimum information necessary for the purpose. A therapist warning a potential victim doesn’t hand over the patient’s entire file. A lab reporting a tuberculosis case to the health department sends the relevant diagnosis, not unrelated medical history. Providers are also expected to document the disclosure, and in many situations the same breach notification rules that apply to accidental data leaks apply here as well.

The three reasons aren’t always cleanly separated. A therapist treating a client who discloses abusing a child faces both a mandatory reporting obligation and a duty to protect. A physician treating a gunshot wound may need to report to law enforcement while also managing a public health notification. But the underlying logic is consistent: confidentiality is the default, and these exceptions exist only when silence would cause greater harm than disclosure.