Confidentiality & HIPAA
Overview
HIPAA's Privacy Rule protects all individually identifiable health information (PHI) — name, diagnosis, room number, admission status, even a whiteboard photo. The core nursing duty is minimum necessary disclosure: share only the PHI needed, only with those who need it for treatment, payment, or healthcare operations. Verbal disclosures count as much as electronic ones — discussing a client in a hallway or elevator violates HIPAA even if no one appears to overhear.
Interpretation
The test is need-to-know, not who-might-hear. If the person asking does not need the information to care for, bill for, or operate the facility for this client right now, the answer is no. Accessing a chart out of curiosity — even your own — is a violation regardless of login credentials or role.
Disclosure Rules
Some disclosures are permitted WITHOUT client authorization; others require explicit consent. Family relationship alone never grants access — the client must authorize it. Provider-to-provider treatment communication (bedside report, consulting physician) is permitted but still bound by minimum necessary.
Authorization required vs. permitted without authorization
Requires client authorization
- Family / friend update
- Yes
- Provider treatment communication
- No
- Law enforcement (badge only)
- Yes — court order/warrant
- Abuse / communicable disease
- No
- Imminent threat to safety
- No
Permitted without authorization
- Family / friend update
- No — decline until client authorizes
- Provider treatment communication
- Yes — minimum necessary
- Law enforcement (badge only)
- No
- Abuse / communicable disease
- Yes — legally mandated
- Imminent threat to safety
- Yes — serious + imminent
Patient Teaching
Clinical Pearl
Minimum necessary, only the care team — but mandated reporting and court orders are lawful exceptions, not HIPAA violations.