3.2 Confidentiality, Privacy, and Third-Party Requests

Confidentiality, privacy, and privilege

Three related terms are tested as distinct ideas. Confidentiality is the counselor's ethical duty to protect client information; privacy is the client's right to control that information; and privileged communication is the client's legal right (with statutory exceptions) to keep counseling content out of legal proceedings. Privilege belongs to the client, not the counselor, so only the client (or the client's legal representative) can waive it. Standard B.1.b affirms respect for client privacy.

The working default is non-disclosure: information leaves the file only with valid client authorization, a legal mandate, or an applicable ethical exception. When disclosure is appropriate, the counselor reveals only essential information (standard B.2.e, minimal disclosure) and, to the extent possible, informs the client beforehand and involves the client in the decision. The NCMHCE rewards a counselor who pauses to ask three questions before releasing anything: Do I have authority? How much should I share? Did I document why? Confidentiality is therefore active case management, not a passive promise.

Releases of information and HIPAA's framework

A valid release of information (ROI), or HIPAA authorization, is specific. It identifies the information to be disclosed, the recipient, the purpose, an expiration date or event, and the client's right to revoke. A vague "release everything" form is ethically and legally weak, and a client can revoke a release at any time for future disclosures.

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule sets the federal floor; where state law is more protective, state law controls. The table contrasts what HIPAA permits without separate authorization against what needs one.

HIPAA's minimum necessary standard limits how much is shared, though it does not apply to disclosures for treatment, so a counselor may share what another treating provider needs. Psychotherapy notes (the clinician's separate process notes) are kept apart from the chart and receive heightened protection: clients generally have no right of access to them, and disclosure almost always needs the client's specific authorization. This separation is the single most-tested HIPAA distinction for counselors.

Third-party requests, subpoenas, and shared settings

Third parties routinely ask for information: family members, payers, schools, attorneys, and courts. None of these by itself authorizes release. A subpoena signed by an attorney is a request, not automatic permission; the counselor verifies validity, asserts confidentiality and privilege on the client's behalf, and seeks the client's consent or a protective order before releasing anything.

Standard B.2.d (court-ordered disclosure) directs counselors who are ordered to release privileged information to obtain the client's written consent or take steps to limit the disclosure as narrowly as possible because of potential harm to the client and the counseling relationship.

Group and family work create additional traps. In group counseling, the counselor cannot guarantee that other members will keep information private, so this limit is disclosed up front (standard B.4.a). With couples and families, the counselor clarifies who the client is and the policy on secrets before treatment, so a private disclosure from one partner does not blindside the counselor later. Social media adds another front: counselors maintain professional and personal presences separately and do not view a client's private online content without consent.

Decision checklist for any disclosure request

1. Verify the requester's identity and legal authority.
2. Check for a valid, current release or an applicable legal exception.
3. Consult a supervisor or attorney when authority is unclear (B.2.a).
4. Disclose only the minimum necessary information (B.2.e).
5. Document what was shared, with whom, and why.

Deceased clients, minors, and special situations

Confidentiality does not end at termination, and it generally survives the client's death: counselors protect a deceased client's information consistent with legal requirements and any documented prior wishes (standard B.3.f). Requests from grieving relatives for a deceased client's records are evaluated against law and the client's known preferences, not granted automatically.

With minors, the counselor distinguishes the legal holder of confidentiality (often the parent or guardian) from the clinical reality that adolescents disclose only when they trust the space. Best practice is to negotiate, at intake, what will and will not be shared with parents, so the adolescent understands the boundaries and the parents understand the rationale. Exceptions for safety (self-harm, abuse, threats) are always disclosed.

When the client lacks capacity to consent (standard B.5), the counselor protects confidentiality, seeks permission from the parent or legal guardian to disclose, and still works to safeguard the client's confidence to the extent appropriate. Across all of these special situations, the throughline is consistent: identify who legally controls the information, honor the client's expectations where possible, disclose only what is permitted or required, and write down the reasoning. The exam rewards counselors who slow the request down rather than reflexively releasing or reflexively refusing.

Confidentiality quick recap

• The default is confidentiality; disclose only with a valid release, when law requires it, or to prevent serious and foreseeable harm (ACA B.2.a).
• A subpoena is not automatic permission — assert privilege on the client's behalf and disclose only under a court order or client authorization.
• Minimum necessary governs every release: share only what the specific purpose requires, not the entire record.