Keeping Secrets: The Healthcare Worker’s Duty of Confidentiality


Published: 23 April 2024

Learning Objectives

After reading this article on privacy and confidentiality, the healthcare worker will be able to:

  • Understand the difference between privacy and confidentiality
  • Recognise how confidentiality can be breached
  • Identify circumstances when disclosure of information is lawful
  • Understand what impact a breach of confidentiality could have on both the healthcare worker and the client.

Confidentiality and Privacy

What do we mean by confidentiality and privacy - are they the same thing? Why are these concepts important?

Preserving privacy and confidentiality is crucial because the relationship you develop with your clients (and with other staff) is based on trust and mutual respect. Any violation of these concepts risks compromising the therapeutic relationship, which could lead to the client losing trust in the system, and in turn, affect their future care.

Privacy and confidentiality are important and often misunderstood concepts in healthcare. Perhaps a simple way of viewing the difference between these concepts is to think that by keeping the client’s information confidential, you are also protecting their privacy.

Privacy relates to the client’s presumption that they control information about themselves, and their expectation that the health service will ensure this information is protected through appropriate and secure collection and storage practices. This is critical, as clients must feel as though they can provide a full and frank disclosure of information regarding their health. This will give healthcare workers a clear understanding of their concerns in order to develop appropriate care plans.

Confidentiality refers to the healthcare worker’s obligation to maintain the client’s confidence by ensuring that any information collected in relation to the client, their health and their treatment is not shared with anyone who is not authorised to access it.

All health practitioners have both a legal and ethical duty to protect the confidentiality and privacy of their clients. This is entrenched in various organisational policies, codes of ethics and conduct, federal and state/territory legislation and standards.

What is a Breach of Confidentiality?

A breach of confidentiality occurs when information that is confidential has been disclosed to an unauthorised third party in a situation where there was an expectation that the information would be kept confidential (McDonald & Then 2019).

How Might Confidentiality be Breached?

Talking about clients in a public space is a breach of confidentiality.

A client’s confidentiality may be breached in a number of different ways, including:

  • Leaving a client’s clinical notes open in a public space
  • Talking about clients in a public space, such as a cafeteria or on public transport
  • Discussing a client with another healthcare worker who has no professional connection to that client
  • Releasing information to a client’s family without their permission.

When Can Information be Disclosed?

There are a number of situations where the release of personal information about a client can occur without it being considered a breach of confidentiality. These include:

  • Where a client threatens self-harm or harm to another
  • Where a client consents to the information being shared
  • Where information is shared with other members of the healthcare team who need the information for the provision of continuity of care
  • When it is necessary to disclose to a substitute decision-maker due to a client’s permanent or temporary incapacity
  • When disclosure is required by law, such as the obligation to make reports to relevant parties under mandatory reporting laws for abuse, and contact tracing in cases of infectious diseases.

What Are the Consequences of Breaching a Client’s Confidentiality?

Where a healthcare worker makes an intentional and unauthorised disclosure of personal information regarding a client, there are several possible consequences, including a civil action in tort (negligence) or contract law in addition to disciplinary action by the employer and/or a regulatory body.

Additionally, a breach of confidentiality can erode the client’s trust and confidence in the system and impact their willingness to share information with healthcare workers in the future. This poses a risk to their future wellbeing.

Privacy and Confidentiality Under the Strengthened Aged Care Quality Standards

Standard 2: The Organisation - Outcome 2.7: Information management (Action 2.7.2) under the strengthened Aged Care Quality Standards requires providers to gain informed consent from older people before collecting, using, storing and disclosing their information. This information must be managed in accordance with relevant privacy legislation and kept confidential. Furthermore, older people should be informed of their right to access or correct their information or withdraw consent to share it (ACQSC 2024).

Now that you’ve gained an understanding of privacy and confidentiality, test your knowledge with the following scenarios:

Scenario 1

Judy is an enrolled nurse who works at a residential aged care facility. While she is helping John - a 78-year-old man on respite in the facility - to dress, she is taken aback by his questions about another resident. It seems that John has taken a liking to Mavis. He asks if she is married and if she is going home to her family after respite like he is. Judy chuckles and tells John that Mavis is a widow and that she has no home address as she won’t be going home.

Is this a breach of confidentiality? Why?

Yes. Judy has a duty of confidentiality toward both John and Mavis. She has disclosed Mavis’ marital status, which is private and confidential. She has also given insight into Mavis’ condition by revealing that she will not be going home and that she is a permanent resident - inadvertently giving John Mavis’ address. A better response would be for Judy to advise John that these are questions he should ask Mavis himself.

Scenario 2

Peter is on clinical placement at a residential aged care facility. He tells Anita, a care worker, that he has a clinical review to perform, with a case study to write up as an assignment. He asks if there are any residents who had a past mental illness before they were admitted. Anita discloses that there are several interesting residents and proceeds to tell Peter about a few of them: Mary, who had a previous diagnosis of schizophrenia and has a criminal record as she committed a serious crime while experiencing an episode of psychosis; Daryl, who has bipolar disorder; and Gary, who has alcohol-related dementia. Anita collects notes for Peter so that he can browse through their records and retrieve any information that might be useful to him.


Is this a breach of confidentiality? Why?

Yes. Anita has a duty to maintain the confidence of the people residing in the facility, and although Peter is on clinical placement, he does not have the right to access residents’ notes. Anita has therefore breached the residents’ privacy and confidentiality by revealing their past health history (as well as Mary’s criminal history) and giving Peter their notes.

Each organisation would ordinarily have a policy in place to guide staff on how to handle requests for information by students doing their assignments in a workplace. Anita must follow this policy. Education providers also have policies regarding students accessing information from a clinical environment - usually focused on consent to access and use information obtained during work experience for education purposes. Both Anita and Peter should follow these policies.

Scenario 3

Derek (RN) and Jane (CW) work at the local residential aged care facility. They have organised to meet their friends Anne (RN) and Rebecca (EN) - who work at the local hospital - for a meal at a hotel. During their catch-up, the conversation turns to work. After several minutes of chit-chat about how hopeless they believe their respective managements are, they start talking about patients.

Anne looked after Jill - a 90-year-old resident at Derek and Jane’s aged care facility - when she was admitted to the hospital following a fall. Anne asks Derek, Jane and Rebecca how Jill is doing now and if she is able to walk yet. Derek and Jane each take turns filling Anne in on Jill’s progress since her discharge, commenting on the success of the care plan devised by the hospital. Rebecca interjects and informs the group that Jill is lucky to be alive after the overdose she received from a rookie medical student during admission.

What are the issues here?

Firstly, the hotel is a public space, so the friends are no longer at work and should not be discussing work-related issues at all. They have engaged in a conversation concerning their respective managements, suggesting that they are failing to do their jobs. This could harm not only their personal reputations but also that of their respective organisations. It could also be seen as defamation if their claims are their views and not substantiated by evidence.

Although all of these individuals have had a professional role in the care of Jill, they have no right to discuss her situation at all while they are off-duty. In fact, Anne and Rebecca’s right to communicate information about Jill’s admission ended when Jill was discharged. There is a breach of confidentiality owed to Jill and the hospital here. Rebecca’s comment about the overdose is also a breach of the hospital’s confidentiality, as adverse events in the organisation must not be disclosed outside - unless directions from policy authorise this to occur.

Derek and Jane have breached Jill’s confidentiality by discussing her details with their friends. The fact that Anne and Rebecca once had a role in her care does not mean Derek and Jane can continue to advise them of her progress.

Scenario 4

Jenny is an experienced care worker who has been working in a residential aged care facility for some time. It is a busy day as several medical officers are planning to visit in order to review care plans for their residents. This same day, there is a big morning tea being held to celebrate the facility’s 10th birthday, so there are many visitors around.

Jenny has been asked to obtain the case files for 4 residents and place them in the visitors’ room for one of the medical officers to review when he arrives. She does so and then goes to attend to other matters, leaving the door open. Malcolm, one of the residents from the dementia unit, wanders in and picks up two of the files.

Just as Jenny notices Malcolm with the files, the phone rings and the caller identifies themself as the son of James, who had a fall and has been transferred to the local hospital. The caller asks if he can speak to James. Jenny says not now, as James has been taken to hospital with a possible hip fracture, and advises the caller to ring the hospital for more information. By the time Jenny has found Malcolm, he no longer has the files; however, two visitors in the residents’ lounge room are flipping through them.


What breaches can you identify here?

Firstly, Jenny should not have left the files unattended in an unsecured place. This is a breach of privacy and, should the files be accessed by someone unauthorised to do so, could also be a breach of confidentiality.

Answering the phone in the manner Jenny did is also a breach of confidentiality. She does not know who is on the other end of the call and has made no attempt to verify their identity. Information should not be given over the phone in this way. Jenny has also disclosed information without knowing whether James (or his lawful next of kin) would want it disclosed – so this is also a potential breach.

Visitors accessing the private files of a resident is also a breach of confidentiality.

Scenario 5

Jack is an enrolled nurse working for an agency that has sent him to a local residential aged care facility. Coincidentally, this is also where Jack’s grandfather, Paul, is living. As Jack’s family has been concerned about the slow deterioration of Paul’s health, Jack tells his mother that he will be able to access Paul’s notes and ‘see what is going on with him’. As it happens, Jack is rostered to another area of the facility, but he takes the time to go over to Paul’s unit and read his notes during a quiet moment on his shift.

Is this permissible?

No. This is a breach of confidentiality, as Jack has no right to access his grandfather’s notes. He is not rostered in that unit and has not been delegated the care of Paul. As a family member, Jack should have advised his supervisor that Paul is his grandfather so that they could reduce the risk of any professional boundary breaches by not having Jack responsible for Paul’s care. Therefore, Jack should have no authorised reason to access Paul’s notes.


Test Your Knowledge

Question 1 of 3

A patient is admitted to a hospital for treatment after a serious accident. The healthcare team assigned to the patient’s care includes doctors, nurses and a physiotherapist. During a team meeting in a private conference room, the team discusses the client’s medical history, current condition and a treatment plan to ensure continuity of care. Is this a breach of confidentiality?


Linda Starr
Dr Linda Starr (PhD) is an associate professor in the College of Nursing and Health Sciences at Flinders University. She has extensive experience as a registered nurse and in nursing and midwifery regulation through her previous role as Chair of the State Nursing and Midwifery of Australia Board and the SA practitioner member on the National Nursing and Midwifery Board of Australia. Linda is passionate about the intersection between healthcare and the law, with a particular focus on the mandatory reporting of elder abuse.