Confidentiality is the foundation of effective therapy. Clients disclose what they disclose precisely because they trust the information won't leave the room.

But confidentiality has limits — legal, ethical, and situational — and how you communicate those limits to clients is both a clinical skill and a professional obligation. This article covers what the limits of confidentiality are, when they apply, and how to handle them in a way that preserves the therapeutic relationship and protects your license.

What Does Confidentiality in Therapy Actually Cover?

Confidentiality in mental health practice refers to the clinician's professional and legal obligation not to disclose information a client shares in the course of treatment without that client's explicit permission. It covers session content, treatment records, and any information that could identify a client as receiving mental health services.

The Two Levels: Ethics and Law

This obligation operates on two levels. Ethically, it flows from the APA, ACA, and NASW ethics codes, all of which identify confidentiality as a foundational duty tied to client autonomy and the integrity of the therapeutic relationship. Legally, it is enforced through state licensing laws, the HIPAA Privacy Rule, and — where applicable — the federal substance use confidentiality regulations under 42 CFR Part 2.

Confidentiality vs. Privilege: A Distinction That Matters

It's worth distinguishing confidentiality from privilege, because clinicians often confuse the two. Confidentiality is the clinician's duty not to disclose. Privilege is a legal right belonging to the client that protects therapeutic communications from being disclosed in legal proceedings. The client holds the privilege and can waive it — the clinician cannot. Understanding this distinction matters when you receive a subpoena or are called to testify.

With that foundation in place, here are the four primary situations where confidentiality has limits.

The 4 Main Limits of Confidentiality Therapists Must Know

1. Duty to Warn and Protect (Imminent Danger to Others)

The duty to warn originated with the landmark 1976 California Supreme Court case Tarasoff v. Regents of the University of California, in which the court held that a therapist has a duty to protect an identifiable third party when a client makes a credible, serious threat of violence against them.

Today, most states have codified some form of duty to warn or protect — though the specifics vary significantly. Some states impose a mandatory duty to warn the identified victim and notify law enforcement. Others give clinicians discretionary authority to breach confidentiality when they judge the threat serious and imminent. A small number of states have neither a mandatory duty nor a permissive exception.

Knowing your state's specific statute is non-negotiable. The standard clinical response when a duty to warn is triggered involves conducting a thorough risk assessment, consulting with a supervisor or colleague, documenting your clinical reasoning in detail, and taking the least restrictive action necessary — which may include warning the potential victim, notifying law enforcement, or both.

2. Duty to Report Suspected Child Abuse or Neglect

All 50 states mandate that mental health professionals report reasonable suspicion of child abuse, neglect, or sexual abuse to the appropriate child protective services agency or law enforcement. This is a mandatory duty — it is not discretionary, and it is not contingent on certainty.

The threshold is reasonable suspicion, not proof. If a client discloses information that leads you to reasonably suspect a child is being abused or neglected — whether the client is the child, the parent, or a third party with knowledge — you are legally required to report. Failing to do so can result in criminal liability, licensing board complaints, and civil exposure.

A few important nuances: the reporting obligation applies to abuse of children the client has access to, not only the client's own children. It may also apply retroactively in some states — meaning historical abuse of a child who is still a minor may require reporting depending on current risk. When in doubt, consult with your licensing board or a legal advisor before deciding not to report.

3. Duty to Report Elder Abuse and Abuse of Dependent Adults

Similar to child abuse reporting, most states require mental health professionals to report suspected abuse, neglect, financial exploitation, or abandonment of elderly adults or adults with disabilities who are unable to protect themselves. The threshold again is reasonable suspicion, not certainty.

These reports typically go to Adult Protective Services and, in some circumstances, law enforcement. Clinicians working with older adults, adults with cognitive impairments, or anyone in a dependent care relationship should be familiar with their state's specific definitions of a reportable vulnerable adult and the applicable reporting timelines.

4. Suicide Risk and Safety Planning

The limits of confidentiality when a client is at imminent risk of suicide are less codified than the other exceptions — there is no universal "duty to report" in the context of suicidality — but most ethics codes and state laws permit clinicians to take necessary protective action when a client poses an imminent danger to themselves.

In practice, if you determine a client poses an imminent risk of suicide and is unable or unwilling to participate in a safety plan, you may contact emergency services, notify a designated emergency contact (if the client has signed an appropriate release), or initiate a psychiatric hold depending on your jurisdiction.

Importantly, the goal in these situations is not automatic breach of confidentiality but a clinical judgment about the least restrictive response that addresses the risk. Many clients at elevated suicide risk can be managed through intensive outpatient support, safety planning, and increased session frequency — without a confidentiality breach.

Other Situations That Limit Confidentiality

Beyond the four primary exceptions, several other situations may limit or override standard confidentiality protections. Understanding these helps clinicians anticipate complexity before it arrives.

Court Orders and Legal Proceedings

A valid court order can compel disclosure of treatment records or testimony. Even here, clinicians should request that the client's attorney seek to quash or limit the order before disclosing, and should disclose only the minimum necessary information. A subpoena alone — without a court order — does not require immediate disclosure.

Supervision and Consultation

Sharing client information in clinical supervision or peer consultation is ethically permissible and professionally expected — but clients should be informed of this at intake. Supervisees are responsible for ensuring that supervisors and consultants they share information with are also bound by confidentiality obligations.

Insurance and Billing

Submitting claims to insurance requires disclosure of diagnosis codes, treatment dates, and sometimes clinical summaries to payers. Clients should understand this at the start of treatment as part of the informed consent process — this is one limit of confidentiality that consistently catches clients off guard when they don't know about it in advance.

Minor Clients

Confidentiality in therapy with minors is significantly more complex. In most states, parents or legal guardians have the right to access their minor child's treatment records, which limits the degree of confidentiality a minor client can expect. Many clinicians negotiate a confidentiality agreement with both the minor and the parent at the outset — specifying what will and won't be shared — to preserve enough privacy to make the therapy viable while meeting parental rights obligations.

Group and Couples Therapy

In group settings, the clinician cannot guarantee that other group members will maintain confidentiality. Clients should be informed of this limitation explicitly, and group confidentiality norms should be established and revisited regularly. In couples or family therapy, the question of which "client" holds confidentiality — and what happens if one partner discloses something privately — requires a clear policy established before treatment begins.

How to Communicate the Limits of Confidentiality to Clients

Knowing the exceptions is only half the job. Communicating them clearly — in a way clients actually understand and remember — is where many clinicians have room to grow.

Making Informed Consent a Conversation, Not a Ritual

The informed consent process is where limits of confidentiality are first communicated — but for many clinicians, that communication becomes a ritual rather than a genuine exchange. Reading through a consent form and asking the client to sign rarely produces real understanding.

More effective approaches: explain the exceptions conversationally, in plain language, before presenting the written form. Something like: "There are a few situations where I'm legally required to share information — I want to explain those upfront so they're not a surprise if they ever come up." Then check for understanding. "Does that make sense?" invites genuine engagement rather than passive sign-off.

Returning to Confidentiality Limits When It Matters

The informed consent conversation at intake is the beginning, not the end. When a client discloses something that approaches a reportable threshold, it is often appropriate to pause and remind them of the relevant limits before they continue — so they can make an informed choice about what to share. This is both ethically sound and clinically protective.

What to Document

Document the informed consent conversation in your initial session note, not just the signed form. Noting that confidentiality limits were explained and the client demonstrated understanding creates a stronger record than a signature alone.

When You Break Confidentiality: Clinical and Documentation Best Practices

When confidentiality must be breached, the clinical and legal standard is to disclose the minimum necessary information to accomplish the protective purpose.

Documenting a Confidentiality Breach

Document everything: the nature of the disclosure, the clinical reasoning that led to it, who you consulted with beforehand, what action you took, and what the outcome was. This record is your primary professional protection if the decision is ever questioned.

Repairing the Therapeutic Relationship

After a confidentiality breach, the therapeutic relationship requires attention. Many clients — particularly those with histories of trauma or institutional betrayal — will have a significant reaction. Naming what happened directly, explaining the clinical and legal reasoning behind your decision, and inviting the client's response is both ethically appropriate and clinically necessary if the relationship is to continue.

For clinicians managing complex clinical documentation — including thorough records of clinical reasoning in difficult situations — Berries AI generates structured, complete session notes automatically and is built specifically for mental health professionals.

Frequently Asked Questions About Limits of Confidentiality

Do I have to tell a client before I break confidentiality?

In most cases, yes — if doing so won't increase the risk of harm. Ethics codes generally require informing clients when confidentiality will be breached unless notification would place someone in greater danger. When a duty to warn is triggered and telling the client would increase risk to a third party, you may notify without informing the client first.

What happens if I receive a subpoena for a client's records?

A subpoena is a legal request, not a court order. You are not automatically required to comply. Contact your malpractice insurance carrier immediately, notify the client, and ask the client's attorney to seek a protective order or to quash the subpoena. Disclose only after a valid court order is received or the client provides written authorization.

Can I share client information with their psychiatrist without consent?

Generally no, not without a signed release of information, unless the disclosure is for treatment coordination and falls under HIPAA's treatment exception. Even within a treatment team, best practice is to obtain written authorization and inform clients about information sharing between providers.

How do I handle confidentiality in telehealth sessions?

The same confidentiality rules apply to telehealth as to in-person sessions. Additionally, use HIPAA-compliant platforms, document that the client was informed of the privacy limitations of electronic communication, and address the possibility of third parties being present on the client's end. The APA has issued telehealth-specific ethical guidance worth reviewing.

What if a client discloses something that might require a report, but I'm not sure?

When in doubt, consult with a supervisor, colleague, your licensing board's ethics line, or a mental health attorney. Consultation doesn't require breaching confidentiality: you can describe the situation in general terms without identifying the client. Document that you consulted and what guidance you received. Consultation before acting protects both you and your clients.

This article is for educational purposes and professional development only. It does not constitute clinical supervision or replace professional judgment in therapeutic practice.