1.3 Confidentiality: Limits & Electronic/Social Media Communication
Key Takeaways
- Confidentiality's core exceptions are duty to warn/protect (Tarasoff), mandatory reporting of child/elder abuse, imminent danger to self, court order/subpoena, and client-signed release.
- Duty to warn requires a specific, credible threat against an identifiable third party; mandatory reporting applies on reasonable suspicion of abuse alone, regardless of an identifiable victim or client consent.
- Counselors must disclose that electronic records/transmissions carry inherent, non-eliminable security risk and explain retention periods and security measures used.
- Counselors do not accept social media friend/follow requests from current clients and keep personal versus professional social media presence clearly separated.
- A documented, proactive social-media and technology policy during informed consent prevents confusion and rupture later in the counseling relationship.
Why Confidentiality Limits Are the Highest-Stakes Ethics Content
Confidentiality questions -- especially the exceptions to it -- are the most consequential ethics content on the NCE because getting them wrong in real practice can mean a client or a third party is seriously harmed. This section maps to three NCE job tasks: discussing the limits of confidentiality (F), explaining the uses and limits of social media (J), and discussing confidentiality as it applies to electronic communication (M).
The General Rule and Its Recognized Exceptions
The default rule (ACA Standard B.1.c) is that counselors do not share client information without consent, except for compelling professional reasons. But the exam is built around the exceptions, because that is where clinical judgment is actually tested. Master this table cold:
| Exception | Trigger | Counselor's Obligation |
|---|---|---|
| Duty to warn/protect (Tarasoff) | Client makes a specific, credible threat to an identifiable third party | Take reasonable steps to protect the intended victim (warn them, notify police, and/or pursue hospitalization) |
| Mandatory reporting -- child abuse/neglect | Reasonable suspicion of abuse or neglect of a minor | Report to child protective services regardless of client consent |
| Mandatory reporting -- elder/dependent adult abuse | Reasonable suspicion of abuse/neglect/exploitation | Report to adult protective services regardless of client consent |
| Imminent danger to self | Client presents active, specific suicide risk with plan/means | Take reasonable action to protect the client (safety planning, hospitalization, involving supports) |
| Court order/subpoena | A judge orders release of records | Comply with the legal order, generally after consulting legal counsel, disclosing only what is legally required |
| Client-initiated waiver | Client signs a release of information | Share only the specific information the release authorizes |
Note the distinction between duty to warn (protecting a specific identifiable victim from a specific threat) and mandatory reporting (child/elder abuse, which must be reported regardless of whether there is a specific identifiable "victim" the counselor could otherwise warn, and regardless of client consent). The exam frequently tests whether candidates confuse the two: mandatory reporting is triggered by suspicion of abuse alone, while duty to warn requires an identifiable target and a credible threat.
Confidentiality and Electronic Communication (Task M)
Text messages, email, and telehealth platforms create confidentiality risks that paper records historically did not. ACA Standard B.3.e (and Section H, Distance Counseling, Technology, and Social Media) require counselors to:
- Explain to clients that electronic records/transmissions carry inherent risk (unauthorized access, interception, employer/IT staff visibility) that cannot be perfectly eliminated.
- Use encrypted, HIPAA-compliant platforms for telehealth and electronic records rather than standard consumer video-chat or email tools whenever feasible.
- Disclose how long electronic records are retained and what security measures (encryption, password protection) apply.
- Discuss with clients the practical differences between face-to-face and electronic communication (loss of nonverbal cues, delayed response times, and how these differences may affect the therapeutic process).
A common exam trap: assuming "the platform is popular" or "the client initiated texting" makes an unsecured channel acceptable. Popularity and client preference do not override the counselor's obligation to disclose real security limitations and use reasonably secure technology.
Social Media Boundaries (Task J)
Social media raises a parallel but distinct set of concerns from electronic clinical communication. Key standards:
- Counselors do not accept friend/follow requests from current clients on personal social media accounts, to avoid dual relationships and confidentiality breaches.
- Any professional or business social media presence should be clearly separated from personal accounts, with confidentiality safeguards (no identifying client information, testimonials handled per state/professional rules).
- Counselors must not search for a client's social media presence without a clear clinical rationale disclosed to the client (e.g., a documented safety concern), because doing so covertly undermines trust and the therapeutic frame.
- Informed consent should proactively address the counselor's social media policy so clients are not confused or hurt by a declined friend request later in treatment.
Where Duty to Warn Comes From
The duty-to-warn/protect standard traces to Tarasoff v. Regents of the University of California (California Supreme Court, 1976), in which a therapist learned of a client's specific threat to kill an identifiable woman and did not warn her; she was later killed, and the court held that the therapist's duty to protect the public can override confidentiality once a client poses a serious danger to an identifiable victim. Since then, most states have codified some version of this duty in statute, though the exact scope differs -- some states impose a mandatory duty to warn once the threshold is met, while others make warning a permissive (protected but not required) action. The exam typically tests the underlying clinical principle rather than a specific state's statute: once a specific, credible threat to an identifiable person exists, confidentiality yields to safety.
Privileged Communication vs. Confidentiality
The exam distinguishes confidentiality (an ethical and professional obligation not to disclose client information) from privileged communication (a narrower legal concept that protects certain communications from being compelled as evidence in court). Privilege belongs to the client, not the counselor, meaning only the client (or their legal representative) can waive it. Privilege is not absolute -- courts can override it in specific circumstances, such as when a client places their own mental state at issue in litigation, or in the exceptions already covered (imminent danger, mandated reporting). A counselor served with a subpoena should not assume privilege has been automatically waived; consulting legal counsel before releasing anything is the appropriate step.
Exam Scenario Walkthrough
A client sends the counselor a late-night text stating, "I don't think I can do this anymore, I might just end it." This triggers the imminent-danger-to-self exception -- the counselor must assess risk directly (calling the client, involving emergency services if needed) rather than waiting until the next scheduled session, and this action does not require the client's consent because safety overrides routine confidentiality.
A separate scenario: a client requests to add the counselor on a personal social networking site. The correct response is to decline per the counselor's stated social media policy (ideally already covered during informed consent) and to explore the request's meaning in session, rather than silently ignoring it or accepting to avoid conflict.
A third scenario: a client in a custody dispute is subpoenaed to testify, and opposing counsel subpoenas the counselor's records to challenge the client's fitness as a parent. Because privilege belongs to the client, the counselor should not release records solely because a subpoena was issued -- the counselor should consult legal counsel, determine whether the client has waived privilege or a court has ordered disclosure, and release only what is legally required.
A client discloses that they are being physically abused by a caregiver but asks the counselor to keep this confidential. What is the counselor's ethical and legal obligation?
What is the key difference between duty to warn/protect and mandatory reporting?
According to ACA guidance on electronic communication, what must counselors disclose to clients about telehealth and digital records?