Common misconceptions

Common mistake
Wrong: The Tarasoff duty to warn applies whenever a patient expresses any violent ideation.
Right: The Tarasoff duty to warn is triggered only when there is a credible threat against an identifiable third party; vague or generalized threats do not obligate disclosure.
The Tarasoff duty to warn is not triggered by an expression of anger or violent fantasy; it requires a credible threat directed at a specific, identifiable person. The legal rationale is protection of a definable victim who can actually be warned: without an identifiable target there is no one to warn and no duty attaches. Note that the duty is often framed as a duty to protect rather than narrowly to warn (hospitalization or notifying police can satisfy it), and its exact scope is set by state law. On the exam, check whether the patient names or clearly implies a specific person versus expressing generalized hostility.
Common mistake
Wrong: Family members are automatically entitled to a patient's medical information because they are relatives.
Right: Information may be shared with family only if the patient has capacity and consents, or if the patient lacks capacity and sharing is in their best interest; family relationship alone does not grant access.
Family members have no inherent legal right to a patient's medical information; the right belongs to the patient. The correct framework: if the patient has decision-making capacity, you need their consent before sharing anything with family. If the patient lacks capacity, you can share information with the appropriate surrogate decision-maker, but only to the extent needed to act in the patient's best interest. "She's his wife" or "they're paying the bills" is irrelevant without consent or incapacity. (HIPAA does permit sharing with family involved in the patient's care when the patient is present and does not object, but the exam answer is still to ask the patient first.)
Common mistake
Gap: Incomplete knowledge of which situations legally mandate breach of confidentiality
Mandatory reporting requirements that override confidentiality include gunshot wounds, suspected child or elder abuse, certain communicable diseases, and impaired drivers — the specific list varies by jurisdiction but these categories are consistently tested.
Mandatory reporting is the category students most often leave incomplete. The high-yield list tested on Step 1 includes: suspected child abuse or neglect, elder abuse, gunshot wounds and certain other injuries from violence, specific communicable diseases (TB, STIs, HIV, foodborne illness outbreaks; the exact list is set by each state health department), and, in some states, patients who are unfit to drive (e.g., seizure disorder, dementia); physician reporting of impaired drivers is mandatory in only a few states and permitted in most. These requirements override patient confidentiality and patient objection: you report regardless. Knowing this list cold prevents both under-reporting (missing a real obligation) and over-reporting (breaching confidentiality unnecessarily).
Common mistake
Wrong: HIPAA prohibits all disclosure of patient information without explicit written authorization.
Right: HIPAA permits disclosure without authorization for treatment, payment, and healthcare operations (TPO), as well as for public health reporting, law enforcement, and other specified purposes.
HIPAA is not an absolute bar on disclosure; it defines a framework of permitted uses. The big three permitted without authorization are Treatment, Payment, and Operations (TPO): a consultant can receive records, a biller can access diagnoses, a quality review team can audit charts. Beyond TPO, HIPAA also allows disclosure for public health surveillance, law enforcement under specific conditions, and abuse reporting. One caveat: payment and operations disclosures are limited to the minimum necessary information, whereas disclosures to another provider for treatment are not. The practical exam implication: a physician sharing records with another treating physician does NOT need separate written authorization; that is a common wrong-answer trap.

What the exam tests

  1. Identify which disclosures HIPAA permits without patient authorization — including treatment, payment, healthcare operations (TPO), public health reporting, and law enforcement — versus those that require explicit written consent.
  2. Recognize the specific situations that legally mandate breach of confidentiality: gunshot wounds, suspected child or elder abuse, certain communicable diseases (e.g., TB, STIs, HIV; the exact reportable list varies by state), and, in some states, impaired drivers — regardless of patient objection.
  3. Apply the Tarasoff duty to warn correctly: a physician is obligated to warn or protect an identifiable third party when a patient makes a credible, specific threat — not when expressing general anger or vague violent ideation.
  4. Determine when patient information can or cannot be shared with family members: capacity + consent = share; no capacity + best interest = may share; family relationship alone = never sufficient.

Can you avoid these mistakes?

A physician treats a patient with active tuberculosis who refuses to notify contacts or take medication. The patient demands confidentiality. What is the physician's legal obligation, and what overrides it?
A patient in therapy tells his psychiatrist, 'I'm so angry at my coworkers — I could kill someone someday.' No specific person is named. Does the Tarasoff duty to warn apply? What if he then says, 'I'm going to hurt my neighbor John Smith when I see him Friday'?
An adult patient is hospitalized after a suicide attempt. His parents call demanding a full update on his condition and treatment plan. The patient has capacity and has not signed a release. What do you tell the parents, and what is the legal basis?
A hospital shares a patient's records with a specialist for a second opinion consultation, without obtaining a separate written authorization. A billing department accesses the same records to process insurance claims. Are either of these HIPAA violations? Why or why not?
