
What is the Confidentiality Definition in Healthcare?

The confidentiality definition in healthcare is an ethical obligation to preserve authorized restrictions on access to – and disclosures of – sensitive personal information gathered in association with the care of a patient. In this respect, the ethical confidentiality definition in healthcare is broader than the legal confidentiality definition in HIPAA.

The ethical confidentiality definition in healthcare is derived from the definition of confidentiality used in Title 44, Chapter 35 of the US Code relating to Information Security. The definition states “confidentiality […] means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.”

It is a derived definition rather than a stated one because few healthcare regulations define “confidentiality” at all. Even the “Confidentiality of SUD Patient Records” regulations (42 CFR Part 2) do not define confidentiality – despite giving HHS the authority to impose penalties on healthcare providers that fail to maintain the confidentiality of SUD patient records.

Even HIPAA, with its focus on the privacy of Protected Health Information, limits its definition of confidentiality to the Security Rule. The definition – which applies only to the Security Rule – states, “Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes” (45 CFR §164.304).

Why the Ethical Definition is Broader than HIPAA

The ethical confidentiality definition in healthcare is broader than HIPAA because it relates to all sensitive personal information – not just Protected Health Information or protected identifiers maintained in a designated record set. For example, if an image of a tattoo is maintained in a designated record set, the confidentiality of the image is protected by HIPAA.

However, if the personal reason for getting the tattoo or the personal significance of the tattoo is shared with a healthcare provider, the healthcare provider has an ethical obligation to keep the information confidential unless the reason/significance is of medical importance – in which case it would be added to the patient’s medical notes and protected by HIPAA.

It is also the case that HIPAA only applies to healthcare providers that qualify as covered entities or business associates. If a physician does not qualify as either, they have an ethical obligation to maintain the confidentiality of sensitive personal information rather than a HIPAA obligation to ensure “information is not made available or disclosed to unauthorized persons or processes”.

The Importance of the Confidentiality Definition in Healthcare

The importance of the confidentiality definition in healthcare is that patients need to be able to trust that healthcare providers will protect information shared in confidence without limitation. For example, the personal significance of a tattoo should be confidential because it is shared in confidence – not because a regulation stipulates it is protected under certain conditions.

When patients trust their confidential information will remain confidential, they tend to disclose more to healthcare providers about their symptoms or complications. This enables healthcare providers to make more accurate diagnoses and develop more effective treatment plans, which contribute to improved patient outcomes, high staff morale, and reduced staff retention costs.

Although HIPAA’s definition of confidentiality is narrower than the ethical definition in healthcare, one of the best ways to develop patient trust is to apply the principles of HIPAA compliance. For example:

  • Restrict uses and disclosures of Protected Health Information to those required or permitted by the Privacy Rule.
  • Restrict disclosures of Protected Health Information to the minimum necessary to achieve the purpose of the disclosure.
  • Obtain consent whenever a disclosure of Protected Health Information is not required or permitted by the Privacy Rule.
  • Ensure patients understand their HIPAA rights about restricting or authorizing disclosures of Protected Health Information.
  • Ensure patients have an easy route for requesting copies of their Protected Health Information and requesting corrections when necessary.
  • Ensure that, if sensitive information is disclosed impermissibly, patients are notified promptly of the breach in confidentiality.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

