If someone requests access to information about another patient, what is the correct action?

Protecting patient confidentiality means you never share information about a patient without first confirming who is requesting it and that they are authorized to receive it. The right action is to verify the caller’s identity and their authorization before releasing any details. This involves checking their name, organization, role, and contact information, then confirming with the patient’s records or privacy policies that the requester has a legitimate need-to-know and proper consent or authorization. Only after this verification should any information be disclosed, and even then, only the minimum necessary details should be shared. If the caller isn’t verified or isn’t authorized, you withhold the information and follow the organization’s privacy procedures, such as directing them to the patient or to a legally authorized representative. Sharing information with anyone who asks or providing it immediately without verification compromises privacy and violates established protections.