Doctor-patient confidentiality can be broken in a surprisingly wide range of situations. Federal privacy law recognizes 12 categories where health information may be shared without your permission, and several of those are mandatory, meaning your doctor has no choice. The most common reasons involve threats to safety, public health reporting, legal proceedings, and law enforcement.
Threats to Safety
The most widely recognized exception to confidentiality involves a direct threat to another person. This principle traces back to a landmark 1976 California court case, Tarasoff v. Regents, which established that a mental health professional’s duty to protect the public overrides patient privacy. The court’s reasoning was blunt: “The protective privilege ends where the public peril begins.”
In most states, the duty to warn applies when three conditions are met: the patient has voiced a clear threat of killing or seriously injuring someone, the potential victim is identifiable, and the danger is imminent. When those criteria are satisfied, a clinician is expected to take action, whether that means notifying the intended victim, calling the police, or hospitalizing the patient. The duty has expanded over time to cover scenarios like warning patients that a medical condition makes driving unsafe, or addressing situations where a patient could transmit a dangerous infectious disease.
Beyond threats to others, providers can share your information with anyone when necessary to prevent or lessen a serious and imminent threat to your own health and safety. If you arrive at an emergency room unconscious, for example, providers can share your medical history with other hospitals, relief workers, or specialists involved in your care. They can also contact family members or guardians to notify them of your location and general condition, using their professional judgment about what’s in your best interest when you can’t speak for yourself.
Mandatory Disease Reporting
Your doctor is legally required to report certain diagnoses to public health authorities, regardless of your wishes. The list of nationally reportable conditions is long, covering more than 70 diseases and conditions. It includes sexually transmitted infections like chlamydia, gonorrhea, syphilis, and HIV/AIDS. It covers vaccine-preventable diseases such as measles, mumps, and pertussis. Tuberculosis, hepatitis A through C, COVID-19, and foodborne illnesses like salmonella are all reportable. So are conditions you might not expect, like elevated blood lead levels, carbon monoxide poisoning, pesticide-related injuries, silicosis, and cancer.
State reporting requirements can add to this federal list. The purpose is disease surveillance and outbreak response, not law enforcement. But the information does leave your doctor’s office without your consent, and you have no right to opt out.
Child Abuse and Domestic Violence
Healthcare providers are mandatory reporters of suspected child abuse and neglect in every state. They do not need a parent’s agreement to file a report with law enforcement or child protective services. This obligation is triggered by reasonable suspicion, not proof.
For adult victims of abuse, neglect, or domestic violence, the rules differ. Providers can generally report to authorities when the victim agrees. In limited circumstances, they may report even without agreement if the victim is unable to consent, such as when incapacitated by injuries.
Law Enforcement Requests
Police and other law enforcement officials can access your health information in several specific scenarios without your authorization. Doctors are required by law in most states to report gunshot wounds and stab wounds. Beyond that, providers may disclose information to law enforcement in these situations:
- Crime on premises: If a provider believes in good faith that a crime occurred at their facility, they can report it.
- Suspicious deaths: When there’s reason to suspect a death resulted from criminal conduct.
- Off-site emergencies: When responding to a medical emergency outside the facility, providers can alert police to criminal activity.
- Identifying suspects or missing persons: Law enforcement can request basic demographic and health information to locate a suspect, fugitive, witness, or missing person. However, the information shared must be limited to basics like name, address, date of birth, and distinguishing physical characteristics.
What law enforcement cannot do is simply call a hospital and demand your full medical record. Broad fishing expeditions require a court order or a formal administrative request that meets specific criteria, including a written statement explaining why the information is relevant and why de-identified data won’t suffice.
Court Orders and Subpoenas
A court order signed by a judge can compel your provider to hand over medical records, but only the specific information described in the order. This is the most straightforward legal pathway to your records.
A subpoena is weaker. When issued by someone other than a judge, such as a court clerk or an attorney, it doesn’t automatically entitle them to your records. Before your provider can respond to a subpoena, there must be evidence that reasonable efforts were made either to notify you so you have a chance to object, or to seek a protective order from the court limiting how the information can be used. This distinction matters: a subpoena alone, without these safeguards, is not enough to override your privacy.
Workers’ Compensation Claims
If your medical visit is related to a workplace injury or illness, confidentiality rules shift significantly. Providers are permitted to disclose your health information as necessary to comply with workers’ compensation laws, and you cannot request that they restrict these disclosures. The federal privacy rule explicitly states it is “not intended to impede the flow of health information” to those processing or adjudicating workers’ comp claims. In practical terms, this means your employer’s insurance carrier, claims adjusters, and related parties can access the medical records tied to your claim.
Substance Use Disorder Records
Records from substance use disorder treatment programs receive extra protection under a separate federal regulation. These records are locked down more tightly than standard medical records. They cannot be used or disclosed in any civil, criminal, administrative, or legislative proceeding, even if someone has a subpoena or claims to already have the information.
There are only narrow exceptions. Records can be shared with medical personnel during a genuine emergency when the patient can’t provide written consent. A court order can authorize disclosure, but only to protect against an existing threat to life or serious bodily injury, including suspected child abuse. If investigators want to use these records to prosecute the patient, the crime must be “extremely serious,” specifically one that causes or directly threatens loss of life or serious bodily injury, such as homicide, rape, kidnapping, or armed robbery.
Minors and Parental Access
Parents generally have the right to access their minor child’s medical records, acting as the child’s “personal representative” under federal law. This applies even when the child received emergency care without parental consent.
However, federal privacy law defers to state laws on this point, and many states carve out exceptions. Depending on where you live, minors may be able to receive certain types of care confidentially, typically involving reproductive health, mental health, or substance use treatment. Once a minor reaches adulthood, they gain full control over all their health records, including information from when they were a child. The specific age thresholds and categories of protected care vary by state, so the details depend on local law.
Health Oversight and Government Functions
Federal law also permits disclosure for health oversight activities, which include audits, investigations, inspections, and licensing actions conducted by government agencies. If a state medical board is investigating your provider, for instance, your records could be part of that review. Similarly, certain essential government functions, such as military and veterans’ activities, national security matters, and correctional institution healthcare, allow information sharing that wouldn’t be permitted in ordinary civilian care. Organ and tissue donation organizations can also receive necessary information from providers to facilitate donations after a patient’s death.