Understanding Client Confidentiality: Importance, Limitations, and Legal Compliance

Trust is at the core of every relationship. For therapists and coaches, confidentiality is the foundation from which to build that trust. But life doesn’t come in neat little packages. There are always blurred lines. So, understanding client confidentiality is paramount for both professionals and clients.

At face value, client confidentiality is an agreement between people, institutions and professionals such that information given will never be shared with a third party. The blurred lines come into play with therapy and coaching because this rule can be broken in exceptional circumstances.

The question is, what are those exceptions? Moreover, how do you make the right decision for everyone involved?

Naturally, the law steps in to try to answer those questions. Nevertheless, in this article we’ll review both the ethical and legal implications of understanding client confidentiality. We’ll also highlight the interplay with the critical laws, such as the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR).

What is Client Confidentiality?

Imagine sharing your inner, most vulnerable thoughts and feelings with someone and then discovering that they were shared with another person. That knot of nausea that starts bubbling up is common to all of us. We need to trust fully and completely if we hope to understand our less than ideal self in order to change.

This applies to all people-focused professions including medical, legal, advisory and of course, coaching and therapy. So, what is client confidentiality for these professionals?

In short, understanding client confidentiality means appreciating that people are seeing a professional on the basis that nothing will be shared with others. Without this confidence, clients wouldn’t approach the practitioner, or if they did, they wouldn’t disclose everything. As a result, the professional won’t be able to provide the proper service or treatment[1].

For medical doctors, many people might refer to the Hippocratic Oath[2] but this actually only gives guidance to doctors to provide the best treatment according to their knowledge, without causing harm. It doesn’t specifically support understanding client confidentiality.

To better grasp the complexities of confidentiality, it’s worth noting the delicate balance that professionals find themselves in. As this paper on Trends in Confidentiality and Disclosure[3] discusses, on the one hand, professionals are obliged to respect confidences. On the other hand, they also have a duty to protect others and the general public.

The paper further refers to the famous 1976 Tarasoff v. Regents California case that changed the law to implement a statement that therapists have a duty to warn others. In this case, death threats were kept confidential and the people in question were killed by someone suffering from paranoid schizophrenia.

To better understand such exceptions, we’ll review a model later in the article to assist professionals with decision-making. 

Elements of Client Confidentiality

As psychologist Mary Alice Fisher explains in her paper on Protecting Confidentiality Rights[4], therapists have kept ethics at the forefront of their mind since the beginning. Nevertheless, ethics complaints and malpractice suits still exist.

As such, it is critical that professionals embrace all aspects of client confidentiality elements. These are, first, the concept of informed consent and secondly, the protection of information. However, this doesn’t just apply to topics of discussion during sessions. It also applies to records, documentation, notes and anything else that might hold information.

Where some professionals have fallen down is by sharing medical records and even psychological assessments with other colleagues. While they might have had the best intentions, if the client did not consent to such sharing, those professionals are in legal breach.

Consequently, it’s important for professionals to have policies and processes in place to gather consent to release information when appropriate. Although, consent shouldn’t be a one-time request that happens at the start of an engagement and is then promptly forgotten about. On the contrary, every session should start with a mini-contracting that only needs to take 5 minutes.

When contracting, therapists or coaches re-emphasize confidentiality and its limitations within the context of the client’s situation. This is then also an opportunity to check in with regard to any required consent.

A Model to Ensure Informed Confidentiality

Whilst each session doesn’t need a form, it’s good practice to onboard clients with forms. These should contain a note about client confidentiality while also requesting consent. Then, it’s up to the practitioner to use these forms as a tool to encourage client collaboration and curiosity, rather than simply follow a tick-in-the-box process. To this end, Fisher defined a 6 step ethical practice model to guide professionals[4].

These are listed below:

You can use the model to guide you when creating, amending and uploading the forms you need with Quenza’s software platform, as in the example below.  

The Importance of Confidentiality in Therapy

Understanding client confidentiality starts with appreciating that it doesn’t just build trust. It’s also the foundation for the therapist-client (or coach-client) relationship. While there are a multitude of theories that give us various reasons for why life goes wrong for people, they all agree that the interpersonal relationship is the most important. Essentially, the best theory in the world can’t make up for lack of trust[5].

As researcher Patrick Corrigan explains in his paper on how stigma affects mental health care[6], a lack of client confidentiality can further dissuade people from seeking the support they need. They might fear their information will be shared with others. In some situations, this could be their work colleagues or boss if therapy or coaching is organized through work.

With confidentiality comes client confidence. As such, clients are more likely to open up and collaborate more deeply with their therapist or coach. For example, an exercise from Quenza’s activities library that you can amend and adapt, such as the one shown below, can only work if a client fully trusts that they can confide in their therapist. 

A Letter from Your Best Day to Your Bad Days

This Quenza exercise invites clients to record their best moments on paper. It then guides them to create statements based on their positive qualities. For many, this can feel unnatural if they don’t trust their coach or therapist. 

It starts with informed consent. As we mentioned in our previous article on informed consent, this involves having an open dialogue. That way, clients can fully understand confidentiality and its limitations. Through their approval, they then become empowered whilst feeling respected and valued. 

Interestingly, confidentiality can work both ways in some cases. Clients are also responsible for protecting their own information and a therapist should also explain how this works. If clients freely discuss the details of their sessions with friends and family, there’s a good chance they’ll receive advice. 

Whilst that might come from good intentions, opinions can be confusing and limiting for clients. Moreover, some people might unknowingly support the client’s resistance. Of course, that’s not to say that clients can’t talk about these things with those they trust. It simply means that they need to understand how they impact confidentiality[7].

Exceptions to Confidentiality in Therapy

One of the questions we’ve alluded to throughout is, “Can therapists break confidentiality?” The short answer is yes. Nevertheless, in this world of blurred lines, therapists and coaches need to tread with caution.

As already mentioned, the law states that therapists and coaches also have a duty of care towards the public. So, any death threats or suicide attempts that put clients or others at risk need to be divulged to the right people. Although, this should form part of the consent request process. In fact, most people are reassured knowing that someone is there to look out for them if a situation gets worse[7].

If we remember that the answer to the question “why is confidentiality important in therapy” is to build trust, we can further understand how gaining consent early on to cover all potential scenarios also promotes professionalism. So, when breaking confidentiality, the question of ethics comes first. 

When the answer isn’t immediately obvious or laid out by the law, it can be useful to refer to how therapists working with minors might approach the ethical dilemma. This paper on Minors’ Rights to Confidentiality[8] lays out a useful 8-step decision-making model that encourages the therapist to weigh up all possible options and solutions. They should also do this by checking with their local or state laws.

What You Care To Do Right

Where the law doesn’t provide guidance, coaches can also revert to Quenza’s pre-made and customizable exercises for their own benefit. 

For example, this exercise guides you through some self-reflection points about your intentions. From there, you can determine what is right for you and your clients. At the end of the day, practitioners also have to honor what it means to them to be part of this craft. 

At times, court orders and subpoenas can request client or patient information. However, a subpoena is not the same thing as a court order. A court order leaves no choice but to comply with the request. Nevertheless, a subpoena has privacy rules, including client confidentiality, attached to it that need to be followed. This is where we enter the realms of the US Health Insurance Portability and Accountability Act of 1996.

Understanding HIPAA Compliance 

HIPAA compliance is a critical part of any healthcare professional’s life in the US. Other countries have similar regulations but the details are different. As an example, the UK will refer to their Data Protection Act. 

Due to the sensitivity of client information within healthcare, this is a highly regulated area for all medical professionals, including therapists. Although coaches are not obligated to follow HIPAA compliance, it is good practice for those operating in the US.

As an overview, HIPAA covers client confidentiality elements in the sense that it sets the standard for how practitioners manage client information. It also establishes rules for how to maintain records. This includes consent forms, as well as how and when to disclose specific information. Moreover, it instructs practitioners on how to share their policies on data protection. This should also refer to those circumstances where they might need to disclose such data as required by law[9].

Our previous article on Informed Consent Forms and their Role in Therapy also details what data these forms gather to support HIPAA compliance. Quenza’s custom form tools also allow you to amend, save and store those forms correctly.

In terms of client confidentiality, this means that clients can be confident that the law sets the structure to protect their privacy and safeguard their data. Nevertheless, as mentioned, there is also an ethical aspect that all practitioners must keep in mind with regard to those areas not covered by the law.

GDPR Compliance and Client Confidentiality

Thanks to online therapy and coaching, practitioners could be operating anywhere in the world.  As such, another major piece of legislation to know is the General Data Protection Regulation (GDPR) which operates in Europe.

Although, in GDPR’s own words, “it’s the toughest privacy and security law in the world”. So, even though it covers Europe, it impacts any individual or company targeting or collecting data from anyone related to Europe, no matter where they are located[10].

Originally, GDPR compliance started with the 1950 European Convention on Human Rights. That’s where it states that everyone has the right to privacy which entails respect for their family and home life. The GDPR then came into effect as a result of increased data management, mainly due to the internet.

In summary, GDPR compliance is similar to that for HIPAA in the sense that client confidentiality needs to be honored. It then goes further than HIPAA by detailing that all appropriate measures need to be put in place to minimize the risk of a data breach.

To make things easier for you, make sure to use a software platform that is both HIPAA and GDPR compliant, like Quenza’s platform. With Quenza, those forms are easy to complete and you’ll have an ongoing dialogue with your clients. Moreover, you can access them anywhere including on mobiles as shown below: 

Case Studies of HIPAA and GDPR in Action 

Understanding client confidentiality works best by exploring real-life scenarios. The US Department of Health and Human Services (HHS) details several such cases[11] with lessons learnt implemented as a result of breaches.

For example, one healthcare provider left a too detailed message on the wrong phone number. So, the patient’s daughter received it despite the patient specifically stating not to use that number. Another hospital denied a patient access to their medical records because their therapist thought it would cause them distress, despite the privacy rule stating that such denials should undergo review. As a result, the patient was granted access.

Another therapy center gave a client access to their records without the psychotherapy notes, which are exempt according to the HIPAA rules. Nevertheless, they did not provide copies as required. They therefore updated their processes and staff training manuals.

The Irish Association for Counseling and Psychotherapy lists two GDPR cases where one concerns a consultant psychiatrist’s patient disagreeing with information in their medical report.

The law states that everyone has the right to have information amended or removed. In this case though, both parties believed they were right. With the IACP’s support, the patient provided several possible annotations, along with their reasoning. As a result, the psychiatrist agreed to insert these into the medical report.

It’s worth noting that the report was going to the patient’s boss as their organization had requested the report to ascertain if they were fit for work. In this case, it was important to protect the patient, the practitioner and the organization.


So, what is client confidentiality? It’s the foundation of trust within a relationship, but it’s also a way to safeguard all those potentially impacted. This is what makes the lines so blurred and allows us to answer yes to the question, “Can therapists break confidentiality?” Although, there will always be a caveat according to context and situation.

Exceptions to client confidentiality aren’t easy to deal with. So, it’s important for practitioners to know the legal requirements and to know how to deal with ethical dilemmas. We referenced Fisher’s 6 step ethical decision-making model as a starting point.

Most importantly, practitioners need to adhere to the standards themselves, as set out by the HIPAA and, where relevant, GDPR. Although, even if those laws aren’t in your jurisdiction, it’s good practice to follow them.

To this end, let a platform like Quenza take the headache away of trying to work out what your client intake forms should look like. We’ve referenced several such forms throughout the article. But why not see what other forms are available to you by signing up for a free full-access one-month trial for only $1.  

After all, as a practitioner, do you want to focus on forms and documents or on helping people maneuver through life? Let Quenza take the stress off your hands so you can focus on the important things. Moreover, you’ll get access to Quenza’s complete library of exercises and activities to give your clients the ultimate coaching or therapy journey.


  1. Bertram, E. d J. & Wheeler, J.D. (2015). Client confidentiality and privileged communications. In The counselor and the law (7th ed.). American Counseling Association.
  2. Encyclopædia Britannica, inc. (2023, April 29). Hippocratic oath. Encyclopædia Britannica. https://www.britannica.com/topic/Hippocratic-oath.
  3. Appel, J. M. (7 November 2019). Trends in Confidentiality and Disclosure. Focus (Am Psychiatr Publ), Fall 2019; 17(4): 360–364.
  4. Fisher, M. A. (2008). “Protecting Confidentiality Rights: The Need for an Ethical Practice Model”. American Psychologist, January 2008, Vol. 63, No. 1, pp. 1–13.
  5. Sommers-Flanagan, J., & Sommers-Flanagan, R. (2018). Counseling and psychotherapy theories in context and practice: Skills, strategies, and techniques (3rd ed.). Wiley.
  6. Corrigan, P. (2004). How stigma interferes with mental health care. American Psychologist, 59(7), 614.
  7. Hough, M. (2021). Counselling Skills and Theory (5th ed.). Hodder Education, Hachette UK Company.
  8. Brooks, B., Fiedler, K., Waddington, J., & Zink, K. (2011). Minors’ Rights to Confidentiality, When Parents Want to Know: An Ethical Scenario. ACA Masters Ethics Competition. Annual VISTASA Project sponsored by American Counseling Association.
  9. Office for Civil Rights (OCR). (2022, October 19). Summary of the HIPAA privacy rule. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html.
  10. What is GDPR, the EU’s new Data Protection Law? GDPR.eu. (2022, May 26). https://gdpr.eu/what-is-gdpr/.
  11. Office for Civil Rights (OCR). (2021, June 28). All case examples. HHS.gov. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/all-cases/index.html.

About the author

Anne is a coach-counselor with a background in neuroscience, mindfulness, Gestalt therapy, and adult developmental theory.
