Stage 12: Documentation, Legal, Ethical Capstone

Privacy & HIPAA

Patient health information is protected. Know what can be shared, with whom, under what conditions. Default to caution.

Encounter card
Setting
All clinical work involves PHI. Specific decisions about disclosure arise frequently.
Opening move
Get patient consent for disclosures when possible. Use minimum necessary information. Know the exceptions (mandated reporting, immediate safety, court order). Maintain physical and electronic security.
Sample language
  • "(to patient) Can I have your permission to share information with your PCP about today's medication changes?"
  • "(to family caller without release) I can't confirm or deny that I see this person as a patient. Have them call us."
  • "(in mandated reporting) I'm required to report this to [agency]. Let me tell you what that involves."
Listen for
Whether the consent is informed. Whether the disclosure is minimum necessary. Whether mandated exceptions apply.
Common pitfalls
Disclosing without consent. Disclosing more than necessary. Failing to recognize when mandated reporting applies. Discussing patients in non-private settings.

Red flags / escalate: HIPAA violation reported or alleged. Subpoena or court order requiring disclosure. Workplace disclosures by patient creating coordination issues.

Documentation
Releases obtained and on file. Disclosures documented with consent basis. Mandated reports documented with specific information disclosed.

Patient privacy is the default. Disclosure requires consent or specific legal exception. Know your jurisdiction's rules.


Patient health information is protected by HIPAA (Health Insurance Portability and Accountability Act) and by professional ethical standards. The general principle: patient privacy is the default. Disclosure requires either patient consent or a specific legal or ethical exception. Within disclosures, share the minimum necessary information for the purpose.

Patient consent for routine disclosures. When you communicate with the PCP, the therapist, family members — get a release. Document the release. Specify what can be shared, with whom, for what purposes. The release is the patient's; it can be revoked.

The minimum necessary principle. Even with authorized disclosure, share what serves the purpose, no more. The PCP needs to know the medication and clinical status; they don't necessarily need to know the patient's full trauma history or relationship details. The minimum necessary discipline protects the patient from over-disclosure.

Exceptions to consent requirements include:
  • Mandated reporting (child abuse, elder abuse, vulnerable adult abuse, sometimes specific threats — varies by jurisdiction).
  • Imminent danger to self or others (you can break confidentiality to protect from harm).
  • Court orders and subpoenas (consult institutional protocol; not all subpoenas require disclosure).
  • Treatment, payment, and healthcare operations (the standard HIPAA exception that allows internal information flow within healthcare systems).

Practical implementation: Locked offices, secure electronic systems, password-protected devices, encrypted communications, careful conversation locations. Privacy is physical, electronic, and conversational. The discussion in the hospital cafeteria about a specific patient is a HIPAA violation; the chart left open on the screen with the patient's room number visible is a HIPAA violation.

Patients asking about other patients: you cannot confirm or deny that a specific person is your patient without their consent. "I can't confirm or deny that I see this person as a patient. If they're a patient, they would need to contact us themselves."

Family caller without release: you can receive information from them (they don't need a release to give you information), but you can't share information back without the patient's authorization.

HIPAA violations have institutional and personal consequences. Know your institutional policy. Know your state's variations. When uncertain, consult before disclosing.

The anchor

Patient privacy is the default. Disclosure requires consent or specific legal exception. Minimum necessary information. Know mandated reporting.

Prove it

A patient's adult daughter calls and says she's worried about her father — she wants to know how he's doing. He hasn't signed a release for her. What do you say?
