Confidentiality, Its Exceptions, and the Duty to Warn
Confidentiality is the default of every patient relationship. It bends for one reason only: a serious, imminent harm that disclosure can still prevent. Almost every hard question hides the same fork, so learn it first: is the harm in the FUTURE, where a victim can still be reached, or in the PAST, where there is no one left to protect? Start with the case that catches the most trainees at 3 a.m.
Medically reviewed by Fatima Ali, DO and Kaitlyn Cocuzzo, MD
Before you scroll
A man recovering in the coronary care unit asks the on-call intern to promise that what he says stays between them, then admits that two years ago he deliberately struck and killed a man with his car because that man had threatened his daughter. The death was ruled an unsolved hit-and-run, no one else knows he was the driver, and he threatens no one now. The intern is unsure what to do. What is the most appropriate next step?
What is the single fact that decides this?
Whether anyone is still at risk in the future. The harm here is finished and the victim is already dead, so there is no future victim to protect.
So is there a duty to warn or report?
No. The duty to warn exists only for a future, identifiable, foreseeable victim. A past completed crime has no general mandatory report, and the disclosure is protected by confidentiality.
Then what does an unsure intern actually do?
Do not call the police on your own, do not promise the impossible, and do not lecture the patient about a duty that does not apply. Escalate to the chief resident for guidance while protecting the identity of the patient.
Swipe or tap Next to learn the rule behind that call ↓
Section 1 · The Baseline
Confidentiality Is the Default
Before you learn the exceptions, hold the rule: what a patient tells you, and what you learn caring for them, stays private. The exceptions are narrow, and the burden is on the breach, never on the silence.
Why the seal exists, and what it covers
Confidentiality protects the one thing medicine cannot work without: a patient who tells you the truth. People disclose addiction, abuse, infection, and intent only when they trust the room. Break that trust casually and the next patient stops talking, which is its own kind of harm.
It covers the diagnosis, the record, and the disclosure itself. Records belong to the patient first: a transfer needs the signed consent of the patient, you disclose the minimum necessary, and you do not hand information to family, employers, or police on request. You comply with a valid subpoena or court order, but a request alone is not a key.
From the Attending
Start every confidentiality question from the same place: the seal holds. Make the person who wants to break it prove all of it, that the harm is serious, that it is imminent, that there is no safer way, and that talking will actually prevent it. If even one of those is missing, you keep quiet. Do not overthink it.
🔒The default is silence. A breach must clear a high bar: serious harm, imminent harm, no safer alternative, and a disclosure that can actually prevent it. Everything in this deep-dive is just learning exactly when that bar is cleared.
Section 2 · The Breakable List
The Six That Break the Seal
There is a short, memorizable list of situations where confidentiality yields. Tap each card to flip it: learn when it applies, why, and who you notify. Notice that five of the six are about a FUTURE harm or a public-health mandate.
Duty to warn (Tarasoff)
A named, future victim.
When a patient makes a serious, credible threat against an identifiable person who can still be reached, you have a duty to protect them: warn the victim AND notify law enforcement. First try to enlist the patient. The trigger is the future danger to a specific person, not the diagnosis.
Reportable diseases
A public-health mandate.
Active tuberculosis, syphilis, gonorrhea, HIV/AIDS, measles, and other notifiable conditions are reported to public health, with contact or partner notification, regardless of patient consent. You protect people the patient may infect.
Suspected abuse
Children, elders, dependents.
Suspected child abuse goes to Child Protective Services; suspected elder or dependent-adult abuse goes to Adult Protective Services. You report a reasonable suspicion in good faith and are protected even if abuse is not later confirmed.
Gunshot and stab wounds
Violent-injury reporting.
Gunshot and stab wounds are reported to law enforcement for public-safety reasons, even over the objection of the patient. You treat the patient first; reporting never delays or gates care.
The unsafe driver
A danger behind the wheel.
A condition such as uncontrolled seizures, syncope, or advancing dementia that makes driving dangerous may be reported to the licensing agency in many states after counseling. You report to the DMV; you cannot suspend a license or arrest, and police are not the route.
Imminent self-harm
A specific suicide plan.
An active, credible plan to harm oneself ends confidentiality: you act to keep the patient safe, which may mean holding, hospitalizing, and informing those who can help. Refusing care is not the same as a suicide plan; the trigger is imminent danger.
Five of the six exceptions are about a future harm or a public-health duty, not a private past.
The breach triad All three to breach for a threat: serious harm, imminent harm, and no safer alternative that protects the person. Miss one, keep quiet.Who you notify Named victim plus police for a threat; public health for disease; CPS/APS for abuse; law enforcement for gunshot or stab; the DMV for an unsafe driver.Minimum necessary Even when you must disclose, reveal only what the receiver needs to prevent the harm. A breach is a scalpel, not a megaphone.
Section 3 · The Discriminator
Past Harm versus Future Harm
This is the fork the exam tests most. Flip the timeline below. The duty to warn lives entirely on the future side of NOW, where a victim can still be reached. A finished harm leaves no one to protect.
Past, completed
No future victim remains to protect.
No duty to warn is triggered.
Generally protected by confidentiality.
If unsure: escalate to a supervisor.
Future, threatened
An identifiable victim can still be reached.
The duty to warn and protect applies.
Confidentiality yields to prevent the harm.
Action: warn the victim and notify police.
Now sit in the seat the rule was named after. Make the call, then watch what your silence or your warning does.
Case File · October 1969
Intake · Session 01Confidential
He sat across from you. Calm. Organized.
He told you he is going to kill a woman who turned him down.
He said her name.
Then he asked you to keep it between the between the two of you.
The Choice
The threat is serious, the victim is named, the harm is imminent, and there is no safe alternative. One move is yours to make.
The Consequence
The Rule, Locked
The duty to protect
TriggerSerious and imminent harm to an identifiable FUTURE victim, with no safer alternative.
ActionWarn the victim AND notify law enforcement.
TrapHis capacity makes a named, dated threat MORE dangerous, never an excuse.
The chart knew what was coming. She never did.
The case behind the rule
The file knew what was coming. She never did.
In 1969 a graduate student told his university therapist exactly what he meant to do: kill a young woman named Tatiana Tarasoff, who had turned him down. The therapist believed him and alerted the campus police, who questioned the man, judged him rational, and let him walk. No one warned Tatiana. No one warned her family. Two months later he came to her door and stabbed her to death.
Her parents sued, and the court that decided the case set the rule you carry now: when a patient names a victim who can still be reached, silence is not a choice you are allowed to make. The future is the only place a warning can still land.
The court that turned one preventable death into a standing duty to protect a reachable victim.
From the Attending
Put your finger on NOW and ask which side the harm is on. Future and a name: you warn, every time. Past and finished: there is no one to save, so the seal holds and you do not turn into an investigator. Capacity does not flip this. A clear-headed person with a dated plan is the most dangerous version, not the exempt one. Know your clues.
Section 4 · Sort the Scenarios
Keep It, or Break It?
Drag each scenario into the right bucket, or tap a chip and then a bucket. The seal holds for a past or private matter; it breaks for a future, reportable, or mandated harm. Each correct drop tells you the rule.
Scenarios
Break confidentiality
Keep confidential
Drag a chip into a bucket, or tap a chip and then a bucket.
Most disclosures stay in the room. The exceptions are narrow and you can name every one.
Section 5 · Walk the Decision
Should You Break Confidentiality?
Answer the questions in order. The tree routes every case to the same two endpoints: break the seal to prevent a harm, or keep it and, if you are unsure, escalate. Notice that the past branch always lands on keep.
Step 1 of up to 4
Does keeping this secret leave someone at risk of harm, or is a mandatory-report category in play (gunshot or stab wound, suspected abuse, reportable disease, unsafe driver)?
Step 2 of up to 4
Is the harm still preventable in the FUTURE, or has it already happened and is over?
Step 3 of up to 4
Is the future harm serious, and is there an identifiable victim or a mandatory category (gunshot or stab wound, abuse, reportable disease, unsafe driver, imminent self-harm)?
Step 4 of up to 4
Is breaking confidentiality the only realistic way to prevent the harm, after trying to enlist the patient?
Keep it. Escalate if unsure.
A past, completed harm has no future victim to protect, so there is no duty to warn and no general report. Hold confidentiality. Because the situation is hard, take it to a supervisor for guidance without identifying the patient. This is the coronary care unit case: do not call the police on your own.
Break it. Warn or report.
Disclose the minimum necessary to the people who can stop the harm: warn the named victim and notify police, file the mandatory report, or notify public health. Treat the patient first; reporting never delays care.
Keep it. The seal holds.
No serious, imminent, preventable harm and no mandatory category means the default wins. Document, support the patient, and escalate to a supervisor if you are unsure rather than breaching on your own.
From the Attending
When you are the most junior person in the room and you are not sure, the move is never to improvise. Do not promise a confidentiality you cannot guarantee. Do not break it alone. Do not invent a legal duty to scare the patient. You walk it up the chain, you protect the identity of the patient while you ask, and you let supervision share the call. That distinction drives everything.
Section 6 · Make It Automatic
Hooks and the Traps
Tap a chip to reveal the hook. Then read the four traps that turn a correct instinct into a wrong answer.
Past vs future Find NOW and ask which side the harm is on. Future and named: warn. Past and finished: keep, and escalate if unsure.Break triad To break for a threat, all three: serious, imminent, no safer alternative. Miss one and you stay silent.Mandatory four Reported regardless of consent: gunshot or stab wounds, suspected abuse, reportable disease, and many states the unsafe driver.Junior move Unsure trainee: do not promise absolute secrecy, do not breach alone, do not lecture. Escalate without naming the patient.
Four traps the exam sets
Panic-reporting a past crime. A confession to a finished offense has no future victim and no general mandatory report. Calling the police on your own is the classic over-thought wrong answer.
Promising absolute confidentiality. The seal has real exceptions you cannot waive in advance. Promising the impossible is itself the trap.
Lecturing the patient about a duty that does not apply. Telling a patient you must report a past crime is both untrue and a threat to breach. It destroys trust for nothing.
Reporting a competent adult who declines. A capable adult victim of intimate-partner violence generally controls reporting. Do not override a competent refusal absent a separate mandate.
⚖One sentence to carry: confidentiality is the default, it breaks only to stop a serious and imminent FUTURE harm or to meet a specific mandate, and an unsure trainee escalates rather than breaches.
Test Yourself
Quick Calls, Five Per Round
Five scenarios pulled from a larger pool, reshuffled every round. Know the rule, and know exactly which side of NOW you are on. Cross out (right-click or long-press) and highlight (double-click) as you read.
The unit where the opening case happens. The confession is private; the trainee escalates.
Clinical Practice
Walk the Cases
Seven full vignettes, one at a time, in a shuffled order that never repeats until the pool is exhausted. Pick your answer, then walk every option one beat at a time. The deciding clues in the stem glow once you commit. Cross out (right-click or long-press) and highlight (double-click) as you go.
From the Attending
These are written the way the real exam writes them. Cover the choices, find NOW, and ask which side the harm is on. Then ask whether a mandate applies. Most confidentiality traps are one criterion you skipped or a duty you invented. Read every explanation, not just the one you missed.
Tip: kill the wrong choices first, then read the explanation chain for every option.
VIGNETTE 1 OF 7
Every call comes back to one bedside question: is anyone still reachable in the future?
American Medical Association. Code of Medical Ethics. Confidentiality, breaching confidentiality, and the patient-physician relationship.
Tarasoff v Regents of the University of California (1976). The duty to protect an identifiable victim.
United States Department of Health and Human Services. HIPAA Privacy Rule. Permitted uses and disclosures, minimum necessary.
Centers for Disease Control and Prevention and state health departments. Nationally Notifiable Conditions. Reportable diseases and partner notification.
State medicolegal statutes on gunshot and stab wound reporting, mandatory abuse reporting, and physician reporting of unsafe drivers.
Reviewed by Fatima Ali, DO and Kaitlyn Cocuzzo, MD. Vignettes are original clinical teaching cases; demographics, values, and answer order are written for practice. Reporting duties for past crimes, intimate-partner violence, and unsafe drivers vary by jurisdiction; confirm against your local law at the point of care.
Bone Wizardry is an independent educational resource for visual learning in the medical sciences. It is not affiliated with, endorsed by, or sponsored by any licensing or examination board, contains no real or recalled examination questions, and does not guarantee any educational or examination outcome.
