About This Page
This is a clinician-written, evidence-based summary aligned to the USMLE Step 2 CK Content Outline. It is intended for medical students preparing for USMLE Step 2 CK. Management reflects current ACC/AHA, USPSTF, and APA guidelines. Always cross-reference with UpToDate, institutional protocols, and clinical judgment.
The Bottom Line
- Protected health information includes identifiable health information in any form: oral, paper, or electronic
- HIPAA permits disclosure for treatment, payment, and health care operations, and for specific public interest exceptions
- The minimum necessary standard applies to many disclosures, but usually not to disclosures for treatment
- Do not disclose information to family unless the patient agrees, lacks capacity and disclosure is in their best interest, or another exception applies
- Mandatory reporting, serious imminent threats, public health reporting, and court orders may override confidentiality
Overview
Confidentiality is the ethical duty to protect information obtained in the physician-patient relationship. HIPAA is the federal legal framework that regulates protected health information held by covered entities and business associates. Step 2 CK commonly tests whether a physician should disclose information to parents, spouses, employers, police, public health authorities, or potential victims. The safest default is to protect confidentiality unless the patient authorizes disclosure or a clear legal or ethical exception applies.
HIPAA Framework
HIPAA permits PHI use or disclosure for treatment, payment, and health care operations without separate patient authorization. It also permits or requires certain disclosures for public health activities, abuse or neglect reporting, health oversight, judicial or administrative proceedings, law enforcement under defined conditions, organ donation, workers' compensation, and serious threats to health or safety. Patients generally have rights to access their records, request amendments, receive an accounting of disclosures, and request restrictions.
When This Issue Arises
Symptoms
- Spouse asks for HIV, pregnancy, STI, substance use, or psychiatric information without patient permission
- Parent asks about adolescent contraception, pregnancy testing, STI care, or substance treatment
- Employer, insurer, school, or police officer requests medical details
- Patient threatens an identifiable person with serious imminent harm
- Clinician discusses a recognizable patient in an elevator, cafeteria, social media post, or public area
Signs
- PHI includes identifiers plus health status, care provided, or payment information
- Patient authorizes release in writing for non-routine disclosures
- Only the minimum necessary information is shared for non-treatment disclosures
- Disclosure is required by state law for abuse, neglect, or certain infectious diseases
- Request comes from a family member, but the patient has not agreed to share information
Assessment Steps
First-line
- Identify the information: Determine whether the information is identifiable health information and therefore PHI
- Identify the requester: Clarify whether the requester is the patient, treating clinician, family member, public health authority, law enforcement, court, employer, or insurer
- Check authorization: Ask whether the patient has consented or authorized disclosure, and whether disclosure is for treatment, payment, or operations
Second-line
- Apply exceptions: Consider mandatory reporting, public health, serious imminent threat, abuse or neglect, court order, or emergency best-interest disclosures
- Apply minimum necessary: Disclose only what is needed for the permitted purpose, except when sharing PHI for treatment or with the patient
- Document unusual disclosures: Record the basis for disclosure, recipient, information shared, and legal or safety rationale
Specialist
- Privacy officer or legal counsel: Use for subpoenas, police requests, reproductive health uncertainty, media requests, or institutional breach response
- Risk management: Use for possible HIPAA breaches, misdirected records, unauthorized access, or social media disclosure
Decision-Making Algorithm
Based on HHS HIPAA Privacy Rule & AMA Code of Medical Ethics Confidentiality Guidance
1. Default rule
- Do not disclose identifiable patient information without permission unless an exception applies
- Speak privately and avoid public areas, unsecured messaging, and unnecessary identifiers
- Use secure channels and follow institutional policy for records release
2. Permitted without separate authorization
- Treatment coordination with clinicians directly involved in care
- Payment and health care operations under HIPAA rules
- Public health reporting required or permitted by law
- Reporting suspected abuse, neglect, domestic violence, or certain injuries when law permits or requires
- Disclosures to prevent or lessen a serious and imminent threat to an identifiable person or the public
3. Family and friends
- If patient has capacity, ask permission before sharing information
- If patient is present and does not object, limited disclosure may be appropriate
- If patient lacks capacity, disclose only information that is in the patient's best interest and relevant to the requester's involvement in care
- Do not disclose sensitive information merely because the requester is a spouse, parent of an adult, or relative
4. Law enforcement and subpoenas
- Do not release broad medical information to police on request alone unless a specific HIPAA permission or legal requirement applies
- Court orders generally require compliance within the scope of the order
- Subpoenas may require procedural safeguards; involve legal or privacy office before disclosure
Common Pitfalls
- Spouse is not automatic access: An adult patient controls disclosure to a spouse unless an exception applies.
- Police request is not always enough: HIPAA has defined law-enforcement pathways; involve privacy/legal resources for non-emergency requests.
- Minimum necessary: Share the least PHI needed for the purpose, especially for administrative or reporting disclosures.
- Adolescent confidentiality: State minor-consent laws often protect STI, contraception, pregnancy, substance use, and mental health care.
- Public spaces: Hallway and elevator conversations can violate confidentiality even without formal records release.
USMLE Step 2 CK Exam Tips
1. Spouse asks for HIV result: do not disclose without patient permission; counsel the patient to inform the partner and discuss public health duties if applicable
2. Teen requests contraception or STI care: generally keep confidential and encourage parental involvement, unless abuse or danger triggers reporting
3. Identifiable threat to a specific person: protect the potential victim and notify appropriate authorities under duty-to-protect principles
4. Discussing a patient in an elevator is a confidentiality breach even if names are omitted, when the details identify the patient
5. Disclosure for treatment is allowed; posting a patient story on social media is not
6. Employer asks for diagnosis: provide only authorized work-status documentation unless the patient permits more
7. HIPAA allows child abuse reporting and public health reporting without patient authorization
8. Court order beats confidentiality, but disclose only what the order requires