BIOMED // ETHICS & LAW
Lab 02 · Consent + HIPAA · ~30 min

Medical Ethics & Law

Informed Consent · Patient Rights · HIPAA

You're stepping into a clinical ethics consult unit. Today you'll learn how doctors, nurses, and health systems handle two of the most important pillars of modern medicine: a patient's right to choose what happens to their body, and a patient's right to control who sees their health information.

This lab takes about 30 minutes. You'll read, decode vocabulary, run a privacy & consent simulation, work through a real-world case, analyze breach data, and finish with the Battle Boss Jeopardy round.

Auto-save is active. If your browser closes, you'll resume right where you left off.

The Two Pillars: Consent & Privacy

Modern medicine is built on a simple promise: the patient is in charge of their own body and their own information. Two legal and ethical frameworks make that promise enforceable — informed consent and HIPAA.

Informed consent means a patient must understand and voluntarily agree to a medical procedure before it happens. To give valid consent, the patient must have decision-making capacity (the cognitive ability to understand the choice), receive a full disclosure of the diagnosis, treatment options, risks, and benefits, and decide free from coercion. This protects patient autonomy — the right to govern your own body. Doctors are guided by four core principles: autonomy, beneficence (doing good), non-maleficence (avoiding harm), and justice (fair treatment).

If a patient lacks capacity — say, an unconscious trauma victim or a young child — a surrogate decision-maker steps in. In a true life-threatening emergency where no surrogate is reachable, doctors may treat under implied consent: the law assumes a reasonable person would want life-saving care.

The second pillar is privacy. The Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, sets the federal floor for protecting health information. The Privacy Rule governs who can see and share PHI (Protected Health Information) — anything that links a person's identity to their health, like a name plus a diagnosis, an address plus a lab result, or even a photo. The Security Rule covers electronic PHI: passwords, encryption, and access logs. The Privacy Rule also includes the Minimum Necessary standard — staff should only access the smallest amount of PHI needed to do their job.

When PHI is exposed without authorization, that's a breach. If a breach affects 500+ patients, the hospital must notify the Department of Health and Human Services, the affected individuals, and sometimes the media. Penalties range from $100 to $50,000 per violation, capped at $1.5 million per year per category. Confidentiality isn't just polite — it's federal law.

↓ Scroll down to study the vocabulary cards. Tap each card to flip — only one opens at a time, locked open for 8 seconds.

Vocabulary Decks

Click any card to reveal the definition. Auto-closes after 8s. Tap again to re-open. After studying, complete the matching practice below.

Matching Practice

Click a term on the left, then click its matching definition on the right. Earn 1 point per correct match.

Vocabulary Scrambler

Each card shows a clue and the scrambled letters. Type the unscrambled term in the box. 1 point each.

Highlight in Green

Read the passage. Click on each word that matches one of the 8 target vocabulary terms from your studies. Correct hits turn green. Wrong clicks turn red. 1 point per correct hit.

Targets: autonomy · beneficence · justice · capacity · disclosure · HIPAA · breach · confidentiality

How & Why Questions

Answer each question in 2-3 complete sentences. Use vocabulary from the reading. 1 point each (graded on completion + key terms).

Because · But · So

Complete each sentence three different ways using because, but, and so. Each completion is worth 1 point.

The Privacy & Consent Engine

Directions: You are an on-call ethics consultant at a busy urban hospital. Six scenarios will appear one at a time. For each, choose the response that follows HIPAA and informed-consent law. Read each scenario carefully — some look fine but contain a subtle violation. 1 point per correct decision (6 total).

Background you'll need: The Privacy Rule allows sharing PHI for treatment, payment, and operations (TPO). Sharing with family or friends requires the patient's permission unless the patient is incapacitated. The Minimum Necessary standard applies to nearly everything except direct treatment. Informed consent requires capacity, disclosure, and voluntary agreement.

Reflection Questions

Case Study: The Garcia File

Patient: Maria Garcia, 67, Spanish-speaking, admitted to Mercy General with severe abdominal pain and possible bowel obstruction.

Day 1, 9:14 AM — Dr. Reyes recommends emergency surgery. He explains the procedure to Maria's adult son, who happens to be in the room. Maria is alert and oriented but speaks limited English. The hospital's certified Spanish interpreter is busy on another floor; Dr. Reyes uses Maria's son to translate the consent form. Maria signs.

Day 1, 11:02 AM — Surgery proceeds. Mid-procedure, the surgical team finds a small ovarian mass that wasn't on imaging. The lead surgeon decides to remove it during the same operation since the patient is already open, reasoning it would spare her a second surgery.

Day 2, 8:30 AM — A nurse, Jamie, recognizes Maria as her neighbor. Jamie isn't on Maria's care team but pulls up Maria's chart "to see how she's doing." She mentions to her own family at dinner that "Mrs. Garcia from down the street had emergency surgery."

Day 3, 2:15 PM — A reporter calls the front desk asking about Maria, who is locally well-known. The front desk receptionist confirms Maria is a patient and shares her room number "so flowers can be sent."

Case Questions

Answer each question in 2-3 sentences. 1 point each.

HIPAA Breach Trends

Below is summary data from the U.S. HHS Office for Civil Rights "Wall of Shame" — large breaches (500+ individuals affected) reported each year. Complete the data table by calculating the missing values, then analyze the chart. Data table = 4 points.

Data Table

Year   Total Breaches   Individuals Affected (millions)   Avg per Breach (calculated)
2020   656              34.1
2021   714              45.9
2022   720              56.3
2023   725              136.2

Avg per Breach = (Individuals Affected × 1,000,000) ÷ Total Breaches. Round to the nearest whole number.

Breach Causes (2023)

Analysis Questions

⚔ BATTLE BOSS · JEOPARDY ⚔

Click any value to reveal the question. Pick the correct answer to bank the points. Each cell is one-shot — choose carefully. Earned points add to your final grade.


Final Grade Report

Performance Summary

Vocabulary Matching: 0 / 0
Word Scrambler: 0 / 14
Highlight in Green: 0 / 8
How / Why Questions: 0 / 5
Because / But / So: 0 / 9
Simulation Decisions: 0 / 6
Simulation Reflection: 0 / 3
Case Study Questions: 0 / 6
Data Table (4 pts): 0 / 4
Data Analysis Questions: 0 / 4
Battle Boss (Jeopardy): 0 / 15
