ambossIconambossIcon
Start free trialLog in

Ethics of communicating medical information

Last updated: January 21, 2025

Summarytoggle arrow icon

The communication of medical information is subject to laws and ethical principles that aim to protect patient autonomy and privacy while also safeguarding public health. To make autonomous decisions, patients are entitled to full disclosure of their medical information, including their health status, medical records, and involvement in research protocols. Health care providers are obligated to make patients aware of any medical errors arising in their care. They are also legally and ethically obligated to keep patients' medical information confidential, with specific laws governing the sharing of health information, in particular, electronic health records. Exceptions to confidentiality are limited to scenarios in which public health or the health and safety of other individuals are at risk. Public health laws also mandate the notification and sharing of personal health information on specific reportable conditions, e.g., for population-level surveillance of communicable diseases or to identify the need for, or monitor, the effects of public health interventions such as vaccination, food and water safety measures, and containment of hazardous and toxic substances. Specific reporting requirements vary by jurisdiction and clinicians should be aware of local laws and best practices.

See also “Principles of medical law and ethics.”

Icon of a lock

Register or log in , in order to read the full article.

Disclosuretoggle arrow icon

Full disclosure [1]

  • Patients have the right to full medical disclosure.
  • Family members generally do not have the right to ask a clinician to withhold information from a patient with decision-making capacity and competence. [2]
  • Exceptions
    • The patient requests that the clinician withhold information from them.
    • Therapeutic privilege: The clinician determines that full disclosure would cause severe psychological harm to the patient (e.g., it may be reasonable to postpone disclosure of full diagnosis to a patient who is diagnosed with multiple sclerosis during a concurrent major depressive episode with suicidal ideation).

Disclosure of medical errors

  • Health care providers must inform patients about medical errors that occur under their management.
  • It is unethical to blame other providers for medical errors or to downplay errors to patients.
  • Medical errors by another provider [3][4][5]
    • If the individual suspecting the error is not involved in the patient's treatment, they must seek the patient's permission to look into the matter (e.g., look at medical records, discuss details with the treating clinician).
    • Once an error has been confirmed, its cause has been determined, and the person(s) responsible (if any) have been identified, the clinician currently responsible for the patient's care should inform the patient about the error. The implications of the error and further course of action should be discussed with the patient in a separate meeting including all persons involved in the patient's care at the time of the error.
    • The individual who suspects the error should try to establish whether and why an error has occurred by privately speaking to the person they believe is responsible in a nonjudgmental manner.
    • Consider the circumstances and whether the root cause may be a systems error or patient factor (e.g., failure to follow dosage instructions or keep appointments) rather than an individual error.
    • Follow the chain of events that led to the adverse event (e.g., incomplete medical records being responsible for providing the wrong treatment). [6]
    • Communication in a supportive setting helps both providers to learn and prevent similar incidents from recurring.
  • If a medical treatment complication occurs, the same principles apply. [7]
    • Disclosure should take place in a quiet, comfortable, and private environment.
    • The responsible clinician should inform the patient about the complication and provide an explanation.
    • If the responsible clinician is unavailable, the covering clinician should disclose and briefly explain the complication and inform the patient that a definitive explanation will be provided by the responsible clinician.
  • For more information, see “Medical error” in "Quality and safety.”
Icon of a lock

Register or log in , in order to read the full article.

Confidentialitytoggle arrow icon

Overview

  • The clinician is ethically and legally obligated to keep the patient's medical information (including information disclosed by the patient to the clinician) confidential.
  • Confidentiality upholds patient autonomy and privacy.
  • The patient may waive the right to confidentiality (e.g., if an insurance company requests patient information or the patient allows the clinician to disclose information to a family member).
    • Verbal or written consent is needed before releasing medical information.
    • Individual hospitals or physician practices may have additional policies to verify the identity of the receiver (e.g., via phone call) before sharing information.
  • If the patient loses capacity, health information should be disclosed according to the patient's best interest (e.g., the clinician will disclose relevant health information to friends, family, or the health care proxy to help guide medical decisions).
  • Health care providers should make their best efforts to ensure the safety of patient information (e.g., patient information should not be discussed in public areas, even within the hospital setting).

Special exceptions to confidentiality [8]

  • The patient has suffered penetrating wounds from an assault (e.g., a stab or gunshot wound).
  • The patient may endanger the public (e.g., driving while impaired or with epilepsy).
  • The patient has a transmissible infectious disease (see “Notification of diseases” below).
    • The clinician may be legally obliged to notify a public health official.
    • The patient should be encouraged to inform any third parties that may have been infected (e.g., sexual partners).
    • In most states, the clinician does not have the right to inform third parties without the patient's consent.
  • The patient intends to cause harm to others or commit violence (e.g., planned homicide or assault).
    • Tarasoff decision: California Supreme Court ruling that established that health care providers have a duty to protect the intended victim of a violent crime.
    • Duty to protect laws require the health care provider to evaluate aspects such as the identity of the victim, imminence and certainty of the harm, and type of harm (e.g., physical harm, death) before breaching patient confidentiality.
    • Law enforcement authorities should be notified and/or the person at risk should be warned.
  • The patient poses a threat to themselves (e.g., suicidal intent).
  • Older adult abuse
  • Child maltreatment
  • The patient is a minor and care does not involve sexual or addiction treatment (see “Parental consent for minors” above).

Health Insurance Portability and Accountability Act (HIPAA) [9]

  • The HIPAA was passed by the U.S. Congress to protect the privacy of electronic health information.
  • The HIPAA establishes rules for the protection of individually identifiable health information, including information about the individual's physical and mental condition at any point in time, provision of health care, and related payments.
  • HIPAA rules apply to all instances of the use of patient information for medical education.

Minimum necessary standard [10][11]

  • The HIPAA Privacy Rule establishes the standard policy for the disclosure of health information.
  • Accessibility and disclosure of protected health information to outside parties must be limited to the minimum necessary to accomplish a particular task.

Patient privacy and permitted information disclosures

  • The information can be fully disclosed to the patient themselves.
  • It is not necessary to gain the patient's consent for disclosure to the following parties:
    • Health care workers and service providers that are immediately involved in the patient's care (e.g., as required for a referral to another health care provider or requesting a consultation)
      • Any other requests by health care workers to share information should be denied.
    • Parties that process health care payments
    • Health care operations providers (e.g., audits, legal services, administrative activities)
  • The patient should give informal permission for the disclosure of their health information for the following unless the patient is incapacitated, in an emergency situation, or unavailable:
    • Information about the patient's health status and location in the health care facility for anyone who asks for them by name
    • If a patient doesn't want their family/friends to know their health status or that they are in the hospital, the clinician should not disclose any information or attempt to contact them.
    • Notification of authorities in case of disaster if doing so would aid relief efforts
  • Health information may be shared without the patient's consent if it is in the public interest (see examples in “Special exceptions to confidentiality” above).

WAIT a SEC: Wounds, Automobile-driving impairment, Infections, Tarasoff decision, Suicidal intention, Elder abuse, Child abuse (cases that override confidentiality).

Access to patient health records [12]

  • According to the HIPAA, health care providers must provide individuals with a copy of their protected health information upon request, with the following exceptions:
    • Information gathered in expectation of a probable civil, criminal, or administrative claim or process
    • Notes documented by a mental health care provider during psychotherapeutic counseling
  • Once requested, the medical record must be received within 30 days.
  • Outstanding medical bills do not affect an individual's right to access their medical records.

Under the HIPAA, patients have a legal right to obtain copies of their medical records within 30 days of submitting the request.

Correction principle [13][14]

Electronic information safety

  • All health care personnel authorized to use electronic medical records should receive proper training on data safety.
  • Health information on electronic devices must be secured by technical safety measures such as firewalls, passwords, and antivirus protection. [15]
Icon of a lock

Register or log in , in order to read the full article.

Reportingtoggle arrow icon

Notification of diseases

  • General [16]
    • Many infectious diseases must be reported to public health officials (e.g., CDC) when diagnosed.
    • The patient must be informed that their disease is reportable, and they should be encouraged to inform any recent contacts at risk of infection.
    • Public health officials are typically responsible for notifying third parties if the patient refuses to inform them.
  • Reportable diseases
    • HIV/AIDS [17][18]
      • All HIV cases must be reported to the local health department and the CDC.
      • Many states have partner notification laws (i.e., if the patient tests positive, either they or the clinician are legally obligated to inform their partner).
      • Specific laws vary state-by-state.
      • If the patient refuses to disclose their HIV status to their partner, the clinician should employ confidential partner notification procedures. [19]
      • The clinician's right to disclose a patient's HIV status is dependent on the state in which they practice.
    • HIV in the pediatric population [20][21]
      • Most commonly acquired perinatally
      • Parents have an ethical obligation to disclose a positive HIV status to their children.
      • The WHO and AMA recommend full disclosure of a child's HIV status before the age of 12 years. [20][22]
      • Health care providers should offer to help parents develop a plan for disclosing a positive HIV status to a child.
      • Disclosure increases understanding of the condition, which, in turn, improves drug adherence, coping with the condition, and awareness of risk management with regard to oneself and others.
      • Full disclosure after the age of 12 is associated with increased rates of anxiety, depression, and social exclusion.

Overview of common reportable diseases

Overview of common reportable diseases
Pathogen/disease
Sexually transmitted infections
Diseases affecting unvaccinated patients
Zoonotic diseases
Water/foodborne diseases
Tick-borne diseases
Mosquito-borne diseases
Potential biological weapons
Viral hemorrhagic fevers
Other infectious diseases
Other conditions

Older adult abuse [24]

  • Definition: any form of physical, sexual, psychological, financial mistreatment or neglect of an older person (> 60 years of age) at the hands of a caregiver or someone the individual trusts
  • General

Child abuse [25]

  • Definition: any act (or failure to act) that produces an imminent risk of serious harm to an individual < 18 years old
  • General
    • The precise legal definition of child abuse varies state-by-state.
    • Clinicians are legally and ethically obliged to report suspected child abuse.
    • In most US states, child care providers, social service providers, and educators are also required to report suspected child maltreatment.
    • Which authority (e.g., child protective services, local police department) the report should be made to varies between jurisdictions.
    • See also “Child maltreatment” for risk factors and clinical manifestations.

Child protective services (CPS)

  • A government agency responsible for protecting children who have experienced abuse and/or neglect. In the United States, child protective services are organized at state level.
  • Once a report has been filed, CPS reviews the claims and determines whether a formal investigation is warranted. This involves speaking to anyone potentially involved in the case, including the child, family, and caregivers.
  • Measures taken by CPS if an investigation concludes that intervention is necessary:
    • Once the safety and risk assessment is done, CPS develops plans, provides services (e.g., parenting education), sets goals, and identifies possible resources (e.g., mental health services, income support services, child care support)
    • Family preservation is paramount if the child can remain safely at home, to which end CPS may provide family preservation and support services (typically for about 1 year; for a maximum of 18 months).
    • A foster placement is arranged if CPS determines that a child cannot remain at home.
      • Family reunification and preservation should be the ultimate goal for children placed in foster care. Up to 18 months of family preservation and support services may be provided to families in which CPS determines that reunification is a realistic prospect.
      • Children who cannot be returned to a safe home must be placed in foster care that provides a familial structure.

Foster care

  • A temporary service provided by the state that organizes the placement of children who cannot live with their families in the care of relatives, foster families, residential care facilities, designated group facilities, emergency shelters, or supervised independent living until a permanent living arrangement can be found.
  • The first choice for temporary and, subsequently, permanent placement is usually kinship care.
  • The next preferred arrangement is adoption by foster parents or by someone close to the child.
  • Permanent and, in some cases, temporary caregivers become legal guardians with the corresponding rights and responsibilities (e.g., providing consent for minors; see “Parental consent for minors” in “Informed consent,” above for details).

Domestic violence [26]

  • Definition
    • Any form of actual or threatened physical or emotional harm committed by one member of a household against another, frequently used as an extension power by the perpetrator against the person experiencing the violence
    • Intimate partner violence (IPV): any form of physical, emotional, or sexual violence that is carried out by a cohabitating or noncohabitating intimate partner against the other [27]
  • General
    • Clinicians may not report domestic violence without patient consent.
    • When a clinician suspects domestic violence, they should speak privately with the patient, inquire further, and offer assistance.
    • If the patient refuses assistance, the clinician should reiterate that they support the patient and are available to provide aid at any time.
    • See “Intimate partner violence” for more details.

Driving restriction [28]

  • General
    • The clinician may be required to report patients who are considered unsafe to drive to the licensing authority (e.g., Department of Motor Vehicles). [29]
    • Before reporting, the clinician should share their concerns with the patient and encourage further treatment (e.g., occupational therapy, substance rehabilitation).
    • The clinician should always suggest another means of transportation.
  • Common conditions that may impair driving [30]
Icon of a lock

Register or log in , in order to read the full article.

Start your trial, and get 5 days of unlimited access to over 1,100 medical articles and 5,000 USMLE and NBME exam-style questions.
Start free trial
disclaimer Evidence-based content, created and peer-reviewed by physicians. Read the disclaimer