Confidentiality is the promise that makes the rest of the work possible. People
do not hand a stranger their worst fears, their addictions, or their abuse history
unless they trust that what they say stays in the room. That trust is not a
courtesy you extend to clients. It is an ethical duty, and it covers everything you
learn in the course of the professional relationship, not only what is said in
session.
The core principles:
Information is disclosed only with the client's written, informed
consent, or under one of the specific exceptions covered later in this
lesson.
The duty covers all forms of communication: spoken, written,
and electronic.
It holds even in interdisciplinary team settings, where you
share only what each member needs to know.
Privileged communication is the related legal concept that
protects a client's disclosures from being compelled in court, and it varies by
jurisdiction.
Confidentiality
Ethical obligation
Source
NASW Code of Ethics
Belongs to
Social worker's professional duty
Scope
All information from professional relationship
Privileged communication
Legal right
Source
State law (varies by jurisdiction)
Belongs to
The client (not the social worker)
Scope
Protection from compelled court disclosure
Concept Check
During the third session of a domestic violence support group, the social worker should remind members that confidentiality:
(Cognitive Level: Reasoning) The worker should remind members that confidentiality cannot be guaranteed in a group setting because it depends on every member's cooperation. The worker is bound by the same confidentiality standards as in individual treatment, but cannot legally bind other group members. Saying confidentiality 'applies fully' overstates the protection. Group rules typically include a confidentiality pledge, but no legal penalty enforces it among peers. Informing members of this limit is part of informed consent for group treatment.
Concept Check
Privileged communication in social work is a legal right that exists to protect:
(Cognitive Level: Recall) Privileged communication is a legal right that belongs to the client and protects disclosure of treatment information from being compelled without the client's consent in legal proceedings. The privilege belongs to the client, not the worker or the agency, and only the client can waive it. Not all jurisdictions recognize social worker-client privilege; coverage and exceptions vary by state. Confidentiality is the worker's broader ethical duty; privilege operationalizes it in court.
Exceptions to Confidentiality
Confidentiality is the rule, but it is not absolute. A handful of situations,
recognized in both law and ethics, require or permit you to disclose without the
client's consent. The exam lives in the line between them, so the split below
sorts what overrides confidentiality from what does not.
Must break confidentiality
Legal obligation — no choice
Mandatory reporting — suspected child, elder, or vulnerable adult abuse
Duty to warn — serious, credible, imminent threat to identifiable person (Tarasoff)
Imminent self-harm — client with plan, means, and intent
Court order — a valid court order compelling disclosure
Client consent NOT required
Maintain confidentiality
Default position — protect the client
Family requests — even concerned family need client consent
Other providers — require written release for info sharing
Vague threats — general anger without specificity does not trigger duty to warn
Subpoena alone — without court order, does not compel disclosure
Written consent required
Exam trap: A subpoena is NOT the same as a court order. A subpoena alone does not override confidentiality — the social worker should consult with an attorney and seek a court order or client consent before releasing records.
The Tarasoff rule: When a client makes a credible threat against
an identifiable person, you have a duty to protect that potential victim, and the
duty can override confidentiality. The key word is credible. The threat has to be
serious and aimed at a specific, identifiable person. A vague outburst like "I'm
so angry I could hurt someone" generally does not trigger the duty to warn.
Concept Check
When may a social worker disclose client information without the client's consent?
(Cognitive Level: Recall) The worker may disclose client information without consent when a court order compels disclosure. Sharing with family members, insurance companies, or other professionals without consent violates confidentiality, even when the disclosure might be helpful. Even insurance companies require the client's authorization before sharing clinical information. The minimum necessary standard applies to all authorized disclosures. Court orders carry stronger compulsory weight than subpoenas; both still warrant consultation with legal counsel.
Concept Check
A social worker receives a subpoena requesting a client's treatment records. The MOST appropriate next action is to:
(Cognitive Level: Recall) The MOST appropriate next action is to consult legal counsel and the client before responding. A subpoena is a legal request but, unlike a court order, can often be challenged or limited by filing a motion to quash. Providing records without consultation may violate confidentiality unnecessarily. Refusing categorically risks contempt. Submitting after a brief notification skips the analysis needed to determine what (if anything) must be released. Court orders carry stronger compulsory weight; both still warrant counsel.
Concept Check
Voicing passive suicidal thoughts without a specific plan or means, a client tells the social worker about ongoing distress. The MOST appropriate response is to:
(Cognitive Level: Reasoning) The MOST appropriate response is to conduct a thorough suicide risk assessment before deciding on action. Passive ideation without a specific plan, means, or intent is clinically significant but does not by itself meet the threshold for breaking confidentiality through hospitalization or third-party notification. The risk assessment determines whether protective action is required and at what level. Initiating involuntary procedures or notifying contacts before assessment over-uses the exception and may damage the alliance.
Concept Check
A client tells the social worker about plans to physically harm a specific coworker. The social worker should FIRST:
(Cognitive Level: Application) The social worker should FIRST assess the seriousness, credibility, and immediacy of the threat. The duty to warn under the Tarasoff line of cases is triggered by credible, imminent threats to identifiable victims; not all angry statements meet that bar. Calling law enforcement or warning the victim before assessment may breach confidentiality unnecessarily. Documenting and continuing without assessment when a credible threat is possible is negligent. The assessment determines what protective action is required.
Concept Check
Expressing anger about a recent layoff, a client tells the social worker, 'I could hurt someone over this.' The MOST appropriate next action is to:
(Cognitive Level: Reasoning) The MOST appropriate next action is to explore who the client is referring to and the seriousness of the intent. The Tarasoff duty to warn is triggered by a credible threat to an identifiable victim, not by every angry expression. Initiating a Tarasoff notification before identifying any target is premature and may breach confidentiality without grounds. Reassuring about the feelings dismisses what may be a clinical signal. Documenting without exploration fails to gather the data needed to assess risk.
HIPAA and Electronic Records
Confidentiality is the ethic. HIPAA is the federal law that puts teeth behind it
for health information. You do not need to recite the statute, but a few of its
rules turn up on the exam again and again:
PHI (Protected Health Information) is any individually
identifiable health information.
The minimum necessary standard means disclosing only the
smallest amount of information the purpose actually requires.
Psychotherapy notes get extra protection and need their own
separate authorization to release, apart from the rest of the record.
Electronic communication, including texts, email, and
telehealth, has to run over secure, encrypted platforms.
Electronic Information Security
Most of practice now leaves an electronic trail, and every one of those traces
is a place confidentiality can leak. Protecting client information in digital form
is part of the duty, not an IT afterthought:
Encrypted communication. Email, texts, and telehealth must run
on secure, encrypted platforms. Standard text messaging and personal email do not
count as secure.
Electronic health records. They need access controls, audit
trails, automatic logoff, and regular backups.
Social media. Do not search for clients, accept friend or
follow requests, or post anything that could identify a client.
Telehealth. The same confidentiality standards apply to
virtual sessions as to in-person ones, and you also confirm the client is in a
private space.
Technology standards. NASW, ASWB, CSWE, and CSWA jointly
published the Standards for Technology and Social Work Practice (2017), which set
the guidelines for ethical technology use.
Concept Check
An insurance company requests detailed psychotherapy notes for a client's claim review. Applying the HIPAA minimum necessary standard, the social worker should:
(Cognitive Level: Application) The worker should provide only what is needed for the claim review, NOT the psychotherapy notes. Psychotherapy notes receive special HIPAA protection and require separate authorization above and beyond the general treatment record authorization. The minimum necessary standard limits disclosures to what is needed for the stated purpose, even when authorization exists. Refusing all information would obstruct legitimate claim adjudication. De-identification does not satisfy authorization requirements.
Concept Check
A social worker wants to verify information a client shared by checking the client's public social media page. The MOST ethical action is to:
(Cognitive Level: Application) The MOST ethical action is to refrain from searching for the client on social media platforms, even on public profiles. Searching crosses a professional boundary and may reveal information the client did not choose to share in the therapeutic context. If verification is needed, the worker uses appropriate clinical methods such as direct conversation or collateral contacts with the client's consent. Reviewing without disclosure creates a hidden power dynamic; asking permission frames online surveillance as routine.
Mandatory Reporting: Beyond the Basics
Almost everyone knows child abuse must be reported. The exam earns its harder
points on the reporting duties people forget, and on the fact that these duties
override both confidentiality and the client's wishes:
Elder and vulnerable-adult abuse. Most states require you to
report suspected abuse, neglect, or exploitation of older adults and adults with
disabilities.
Impaired professionals. If a colleague's substance use, mental
health, or other impairment puts clients at risk, reporting may be required after
informal attempts to resolve it fail.
Reporting procedures. Reports go to the designated agency:
child protective services, adult protective services, or law enforcement. You
report suspicion; certainty is not required.
Good-faith protection. A report made in good faith is
typically shielded from liability even if the investigation does not substantiate
it.
Failure to report. Not reporting when legally mandated can
bring criminal charges, civil liability, and loss of licensure.
Mandatory reporting laws override confidentiality AND client wishes. If a client discloses child abuse and asks the social worker not to report it, the social worker must report regardless. The correct exam answer always prioritizes child safety over the therapeutic relationship.
Concept Check
Disclosing physical abuse of a 7-year-old child, a client tells the social worker, 'Please don't report this; it'll make things worse at home.' The social worker should:
(Cognitive Level: Application) The social worker should report the suspected abuse to child protective services as required by law. Mandatory reporting overrides confidentiality and the client's wishes; child safety is the priority. Honoring the request to not report is itself a violation of the legal duty. Delaying risks ongoing harm and may constitute a failure-to-report violation. Convening a family meeting that includes the alleged abuser before reporting could endanger the child and is not the worker's role here.
Concept Check
A home health aide reports suspicions that an 82-year-old client is being financially exploited by an adult grandchild. The social worker has not observed exploitation directly. The MOST appropriate next action is to:
(Cognitive Level: Application) The MOST appropriate next action is to file a report with adult protective services based on the reasonable suspicion. Mandatory reporting standards require REASONABLE SUSPICION, not certainty; the worker does not have to confirm exploitation before reporting. Confronting the grandchild directly is not the worker's role and may compromise an investigation. Waiting for firsthand observation may delay protection and may itself constitute a failure-to-report violation. Good-faith reporting carries legal protection in most jurisdictions.
Client access to records: Clients generally have the right to see
their own records. A worker may limit access only when there is compelling evidence
that seeing the record would cause serious harm to the client. That exception is
narrow: you document the reason for withholding and still provide as much of the
record as you safely can. With minors, parental access rights vary by jurisdiction
and have to be weighed against the minor's best interests.
Concept Check
Six months after a client's death, the client's adult child requests the client's complete treatment record. The social worker should:
(Cognitive Level: Reasoning) The worker should determine who legally controls the deceased client's privilege under the applicable jurisdiction's law. Confidentiality and privilege generally continue after a client's death, with the deceased's personal representative (often an executor) holding control rather than family members by default. Releasing to family without verification risks an improper disclosure. Refusing categorically ignores that legitimate pathways may exist. A partial summary still constitutes a disclosure requiring authorization.
Practice: Sort the Confidentiality Scenarios
You know the rule and its exceptions. Now sort them under a little pressure. Tap
a scenario, then tap the bucket where it belongs, and see if you can place all
eight correctly.