This section of the SART Toolkit provides a framework for understanding and maintaining confidentiality in the context of multidisciplinary collaboration.
Confidentiality — the duty to protect victim privacy — is a principle codified in federal  and state law,  is a stipulation under several sources of federal funding,  and is an ethical obligation under professional licensure and certification requirements for some disciplines.  While confidentiality has long been understood to be a core tenet (in addition to a legal and ethical duty) of sexual assault advocacy, almost every SART member has one or more confidentiality obligations that govern the way they communicate with other team members and victims.
Whether your SART is newly formed or has been working together for years, confidentiality is one of the more complex issues a team will have to navigate. Some SART members may view confidentiality as an obstacle to effective multidisciplinary collaboration. Confidentiality is just one factor impacting the way multidisciplinary partners work together to ensure a victim-centered, trauma-informed response to sexual assault across systems. With a proper framework in place, SART members will —
- be prepared to explain their limits to confidentiality to victims,
- know the laws, rules, and regulations governing the way case information is shared,
- have a plan for handling situations in which case information may be discussed, and
- pause to ensure that confidentiality and victim privacy are not violated when discussing case information.
Why is Confidentiality So Important to SARTs?
Confidentiality is an underlying value of a trauma-informed, victim-centered response to sexual assault. SARTs committed to building such a response must understand both the policy considerations behind confidentiality and the ways in which confidentiality benefits the work of the team and empowers victims.
Maintaining confidentiality supports a victim-centered response. Doing so —
- increases victim autonomy as they choose when, how, and with whom information is shared. When a victim experiences a sexual assault, they are, both in that moment and often throughout the criminal justice process, stripped of all control over their physical, mental, and emotional selves.
- increases victim’s psychological and physical safety as disclosure and reporting may result in threats of harm by the perpetrator or community at large.
- decreases potential personal and society consequences, or collateral impact, such as discrimination at work or in housing, alienation from family or community, and negative impacts to a victim’s educational career. 
- increases victims’ willingness to disclose to advocacy and medical providers, opening the door to law enforcement. Depending on a victim’s specific circumstances, such as their culture, gender, or sexual orientation, or lack of knowledge of American laws, confidentiality can impact their willingness to come forward.
Benefits to the SART
- Confidentiality protects communications between a victim and privileged professionals from scrutiny by the perpetrator, the court, the defense, and the general public.
- Confidentiality builds trust between the victim, service providers, and systems, possibly increasing a victim’s willingness to participate in the criminal justice process. Regaining control over how and when their story is shared with others can be essential to a victim’s recovery.
- Maintaining confidentiality builds in legal and ethical “checks and balances” that ensure a victim-centered response. Protecting a victim’s right to control how and when their information is shared and discussed is a value codified in state and federal laws, and most members of a SART are bound by at least one legal or ethical confidentiality obligation. However, team members not bound by those same rules may express frustration that their counterparts are unable to discuss case information to the extent they believe is necessary. When SARTs are faced with these situations, maintaining a focus on shared goals and the commitment to a victim-centered process can help uphold the value of confidentiality.
Ethical Decisions Related to Case Review
Matters discussed within a SART are not generally protected from subpoena or other court order, even when the team has adopted a confidentiality agreement. Furthermore, a team confidentiality agreement does not release team members from their confidentiality or mandatory reporting obligations under any governing laws, rules, and regulations.
For example, advocacy programs funded through the Violence Against Women Act (VAWA) or the Victims of Crime Act (VOCA), require confidentiality regardless of any cooperative or confidentiality agreements that may be in place within a multidisciplinary collaboration.  Similarly, HIPAA limits when, how, and with whom a medical professional can share private health information. 
All state (and state-funded) agencies, including law enforcement and prosecution, must comply with state data practices statutes, which may limit when and with whom information about a sexual assault investigation or case can be shared. SARTs that engage in case review practices should review with an attorney who specializes in confidentiality the legality of those agreements and policies around information sharing.
Understanding Privacy, Confidentiality, and Privilege
SART members should know the differences between privacy, confidentiality, and privilege. Clarity and common language around these terms and definitions will provide a foundation for understanding and respecting the roles and obligations of their team members. For more information on each member’s specific responsibilities, see the SART Membership section of the SART Toolkit.
The following chart  provides a general overview of these concepts:
What is it? A right; a personal choice whether to disclose information.
Who holds it? The victim
“I decide who knows my information.”
What is it? The responsibility to protect someone else’s privacy, typically rooted in law or ethics rules.
Who holds it? The professional
“I have a legal or ethical duty to protect your information.”
What is it? A legal rule of evidence prohibiting the disclosure of private information against someone’s will.
Who holds it? The victim
“No one can make you share my information without my permission.”
Confidentiality as Conflict for SARTs
Confidentiality is a concern for SARTs when case information is discussed, often during discussions of active cases or case review. Conflict arises when a member’s responsibilities are not understood by all members, there is a perception that team members are withholding information, or a perception that team members are unnecessarily sharing too much information. For the purposes of this discussion, “case information” is defined broadly as any information that is considered private or confidential under federal law, state law, certain funding sources, and/or professional licensure and certification requirements.
Case information can include —
- details about an ongoing investigation, including information about both the subject of an investigation and the victim,
- identifying information about a victim,
- privileged communications between a victim and certain professionals (such as medical service providers or advocates),
- identities of mandated reporters,
- medical records and other private personal information, and
- information that one professional has received with the victim’s permission.
The purpose and function of a SART can impact the way in which team members share and discuss case information, as well as navigate issues of confidentiality. To ensure compliance with the rules and regulations governing confidentiality, SART members should understand in advance when and how the work of the team will involve discussion of case information. Appropriate steps should be taken to empower victims to choose what is being shared, with whom, and with an informed understanding of the potential outcomes.
In general, there are three primary ways in which SARTs engage in discussion of case information, or conduct “case conversations.” 
Active Case Management
In active case management, SARTs (typically a subset of the full team) engage in a conversation around open cases to ensure coordination leading to the timely and effective victim-centered response and investigation. Conversations may also explore whether all investigatory steps are exhausted, and potential charging options, and generate case-specific ideas and actions to improve the overall response to each case.
Cases that are high-risk — including those where there is a high lethality potential (homicide or homicide-suicide), where the perpetrator is engaged in retaliation, where the perpetrator is moving or otherwise restricting a victim’s access to services, or where minors or children might be at risk — may fall into the category of active case management.
The increased risk of or actual occurrence of physical harm to the victim may create a challenging interpersonal situation between individuals or teams. Increased tension may arise among team members, both those seeking information and those who cannot fully disclose client information. Instances such as this highlight the need for —
- a clear understanding of each SART member’s legal and agency responsibilities around confidentiality,
- common language,
- common training,
- clarity on where to bring concerns,
- relationships with technical assistance providers, and
- clear agency support systems.
SARTs working on active cases should discuss these concerns, specifically, with an attorney specializing in confidentiality obligations.
SARTs engaging in active case management should also be extremely well versed in danger or lethality assessments to increase their ability to monitor dynamic situations. This includes knowledge of strangulation as a health concern and risk factor. Many tools are developed for this purpose, although most research supports that victims are good assessors of their own danger.  For more information see the Lethality Assessment section of the SART Toolkit.
Example of Active Case Management:
An investigator was working on a difficult sexual assault case and decided to bring it to the subset of the team that handled active case management. The investigator wanted insight from others on how to proceed when he encountered several challenges and dead ends.
The investigator presented the case facts to the group and identified the difficulties they faced. The prosecutor offered a new strategy and suggested obtaining search warrants for specific pieces of evidence based on what had worked in previous cases. The advocate offered suggestions for ways to support victims during lengthy investigative processes, and the medical professional explained the medical terminology from the sexual assault exam report to the group so that they could better understand its significance.
The advocate and the medical professional who were present had not worked directly with the victim so there was no risk of confidential information being shared. The victim had signed a release of information for the investigator to obtain the exam report as part of the case investigation.
Even in this scenario, identifying information about the victim and suspect was not shared because it was not pertinent to advancing the case. The investigator was able to use the suggestions to continue the investigation and ultimately deliver a stronger case to prosecutors. Additionally, the investigator knew the potential impact of the prolonged case on the victim and could better explain the challenges to the victim while minimizing the risk that the victim would disengage from the process. The strategies learned during this process may have been relevant in future cases.
During case review, SARTs examine closed cases to identify gaps and successes of the systems response, as well as measure the effectiveness of interagency protocols. When done effectively, case review helps a team to identify patterns and gaps that may not have been obvious at the time of the case, and can result in changes in policy, training, procedure, etc. See the case review section of the SART Toolkit for additional information on planning and executing a case review.
Example of Case Review:
Note: In this example, the team decided to obtain signed releases from both the victim and the offender in order to discuss the case among all the service providers present. Getting a release from the offender allowed treatment records to be shared with the team. Including the treatment provider in the discussion enhanced other SART members’ understanding of evaluating offender risk, increasing their ability to recognize risk and discuss safety with victims.
A team decided to review a specific case of intimate partner sexual assault, and sought to include the offender treatment provider in the discussion. The treatment provider conducted training for the SART, and came to meetings on occasion, but was not a formal member of the team.
The case involved a woman and a man who had separated. After the separation, the man broke into the woman's home and sexually assaulted her. The case was charged and proceeded through the system resulting in a conviction. After sentencing, the case was reviewed by the team as a way to compare the protocol with service delivery to see how the protocol worked. During that review, the team learned that some information known to several responders was not communicated with all team members or with the defendant's treatment provider.
In reality, the victim had made previous reports and had obtained protective orders citing sexual assault in the past, prior to the charged incident. The team had discussions about where the information was lost and discussed ways to prevent this from happening in the future. It was somewhat surprising to the team to learn there were missed opportunities for intervention, as the team initially viewed this particular case as a success because the case was prosecuted, and the perpetrator was convicted and enrolled in a treatment program.
In addition, the full information about the offender’s frequency of perpetration was not accurately relayed to the treatment provider, who was under the assumption that the assault was an isolated incident, and had made treatment recommendations for the offender based on that information.
This process changed the team's perspective and illuminated many areas where the system could do more to support victims, hold offenders accountable, and protect communities. The team identified several instances, some small, where they could adjust to enhance service provision and successful outcomes. During this case review, the SART recognized if the system had responded more effectively in the beginning, subsequent acts of violence may have been avoided.
Systems Consultation: Problem Solving
In systems consultation, SARTs are reacting to an emerging systems issue that is impacting the process. Often this is identified when something goes wrong or a protocol is not being followed. Case information may be discussed to identify success, gaps, and strategies to improve the overall response. Often these discussions do not need to include specific case information as the concerns relate to the services provided, not the victim.
For more information, see the Evaluation and Systems Change sections of the SART Toolkit.
Example of Systems Consultation:
Hospital staff report to the director of the local sexual assault advocacy program that there are advocates who routinely fail to respond to the hospital in a timely manner when called to meet with a victim. Although this appears to be a concern specific to a few advocates, the hospital staff and advocacy program work together to understand why the advocates are not arriving in a timely manner. Together, the hospital staff and advocacy program explore questions such as these:
- What is a timely manner?
- Why do we think so?
- Do we agree to this timeframe?
- Do the advocates know about the timeframe?
- Were they trained on the timeframe?
- Is the timeframe in our protocol?
- Based on where the advocates live, is the timeframe realistic?
- Are advocacy centers hiring advocates within a certain distance of the medical center?
- Does the protocol change if an advocate lives beyond the identified response time area?
- What do we do if that timeframe is not being honored? and
- Is there a capacity concern for the crisis center?
These questions lead teams to identify system-wide concerns and solutions. In this case, the “timely manner” was not clarified in protocol and hospital staff believed it to be a different time than required. The hospital staff worked with the advocacy organization to decide on a timeframe — 30 minutes — that worked for everyone. The advocacy organization and hospital discussed potential challenges to the 30-minute timeframe and, for these rare cases, created a system for the advocate to call and speak with the victim.
A Note About Side Conversations
Sexual assault is a complex issue requiring the coordination of many systems and professionals, while its human dimension can touch everyone involved in deep ways. In most communities, the members of a SART have ongoing professional and personal contact with one another. Team members may discuss case information outside the SART’s actual scope and purpose. These side conversations may happen because a team member finds it convenient to confer on a case with another member outside of SART meetings.
Discussing case information can help SART members form a bond, develop trust, clarify roles and expectations, and process stress and secondary trauma. However, these benefits should never come at the expense of confidentiality.
Side conversations resulting in a breach of confidentiality put the integrity of the case at risk and can create a chilling effect on victims’ willingness to interact with the system at all.
SARTs should proactively discuss breaches of confidentiality to prevent them as well as to develop a process for handling breaches to confidentiality in a legal and ethical manner.
Examples of Side Conversations:
- During a systems consultation regarding general law enforcement response to adolescent victims of sexual assault who present at a hospital, an investigator referenced a recent case in which he was called to the hospital to speak with a 15-year-old victim. The advocate (who did not have a written release from the victim or victim’s parents) interrupts the investigator to state the victim was 16. By doing so, the advocate disclosed to the rest of the team that the victim was a client.
- At a convening of multidisciplinary partners discussing protocol development around sex trafficking, an investigator uses a lull in conversation to ask the advocate sitting next to him how the victim he dropped off at her program last week was adjusting to life away from her pimp. Although the investigator had direct prior involvement with the victim, the advocate had not obtained a release from the victim and therefore “could neither confirm nor deny the victim’s participation in the program.” This frustrated the investigator, who was inquiring because he cared about the victim and wanted to know how she was doing.
Practice Tip: These examples illustrate ways your SART can improve confidentiality practices without compromising the benefit of team discussions about system response.
- Identify opportunities to educate your members about different confidentiality obligations (e.g. during the introductions part of every meeting, everyone mentions their confidentiality and mandated reporting requirements). In the second example, the officer may have known not to ask the advocate about the victim or the law enforcement officer might have asked the advocate, “I am really interested in knowing how the victim from last week is doing. If you have any follow-up information in the future, can you please keep me posted or ask for a release to share?”
- Training around the impact of trauma may help your members understand why many victims refuse to sign a release of information, especially when they first enter a shelter, feel endangered, or are in a crisis situation. Common trauma responses include a victim “shutting down,” needing to sleep, or not wanting to think about the situation or talk with service providers.
- With a victim-centered approach, SART members who have regular contact with victims may consider making it a practice to ask victims if there is any information they would like to share with other team members, offering the option to sign a limited release,  to relay communication or feedback with other team members. Advocates or other professionals should not seek to sign releases, even time limited ones, without a specific intention or purpose, driven by the victim. Note: For a release to be valid, victims must be able to understand the ramifications of signing it (informed consent) and should never be compelled to sign one. In the second example, the advocate could have asked the victim to sign a limited release, permitting her to provide this specific investigator with confirmation of the victim’s participation in the program or feedback on the officer’s response. The release must also specify a time period, which in this example could be limited to the day of the meeting.
- All SART members should discuss their confidentiality requirements with other members of the organizations they represent, and ask for input into effective ways to communicate with other members within those confidentiality limits. In the first example, if the advocate had regularly addressed the challenge of upholding victim confidentiality at SART meetings, the unintended disclosure may not have happened.
Confidentiality: A Framework for SARTs
Whether the work of your SART includes active case management, case review, or systems consultation, any time case information is discussed, your members should be alert for potential confidentiality implications.
The framework below can help your SART institutionalize the practice of confidentiality in a way that facilitates multidisciplinary collaboration without breaching confidentiality or violating victim privacy.
SART Confidentiality Framework: KNOW
A basic, but critical, starting point to handling confidentiality issues to ensure that all team members understand all legal requirements that apply to any discussion of case information.
The following list  is not meant to cover all laws related to confidentiality but to provide examples of those that commonly apply to team members. Your SART may have additional regulations and requirements that are not included in the list below. The Victim Rights Law Center’s CCR Toolkit: A Privacy Toolkit for Coordinated Community Response Teams provides a consolidated overview. 
Federal Laws on Confidentiality
- VAWA, VOCA,  Family Violence Prevention and Services Act (FVPSA): Victim confidentiality is codified in two sections of VAWA, as well as FVPSA.  Under VAWA Section 3 and FVPSA, grantee programs are prohibited from sharing PII about victims without “informed, written, reasonably time-limited consent”  unless there is a statutory or court mandate for release of the information. No program can share PII to comply with federal, tribal, or state reporting, evaluation, or data collection requirements.  Additionally, “VOCA fund recipients may not use or reveal personally identifiable research or statistical information for purposes other than those in accordance with VOCA;”  such information is “immune from legal process and shall not, without the consent of the person furnishing such information, be admitted as evidence or used for any purpose in any action, suit, or other judicial, legislative, or administrative proceeding.” 
- Prison Rape Elimination Act (PREA): Different professionals who work with incarcerated victims should check their state statutes regarding confidentiality, privilege, and mandated reporting. Resources exist to help agencies achieve compliance with the National Standards to Prevent, Detect, and Respond to Prison Rape. 
- Title IX Education Amendments of 1972 and Jeanne Clery Disclosure of Campus Security and Campus Crime Statistics Act (Clery Act): These federal laws address how public and private institutions of post-secondary education participating in federal student aid programs must respond to or report crimes that occur on and around campus.
- HIPAA:  HIPAA gives individuals rights over their health information and sets rules and limits about access to this information, whether electronic, written, or oral. Most medical providers, including SAFEs, are considered to be “covered entities”  under HIPAA. Under the HIPAA Privacy Rule, covered entities should obtain patient consent for uses and disclosures of protected health information for “treatment,” “payment,” and “health care operations.”  Disclosures of protected health information for purposes other than treatment, payment, and health care operations, such as in the context of SART work, are not allowed without the patient’s or victim’s written authorization.  For expanded information on HIPAA and what it means for SARTs, visit the HIPAA section of the SART Toolkit.
Practice Tip: Engage your members in a discussion of the practical implications of complying with the governing laws, rules, and regulations regarding confidentiality. For example, in addition to protecting victim privacy and complying with HIPAA, keeping a victim’s medical information confidential also protects the neutrality of individual SAFEs and SAFE programs. This ensures that the evidence collection expertise will be accepted in court with a minimal level of bias toward the victim or prosecution process.
- Title X (42 C.F.R. § 59.11), Affordable Care Act (ACA), Medicaid: Juvenile victims who access various forms of medical care under Title X , the Affordable Care Act (ACA),  or Medicaid can also expect that their private patient data be kept confidential under Title X , the ACA, and regulations governing Medicaid. The federal Medicaid confidential data standard is established by §1902(a)(7) of the Social Security Act (42 USC §1396a(a)(7)). The law requires that a “State plan for medical assistance must: (7) provide safeguards which restrict the use or disclosure of information concerning applicants and recipients to purposes directly connected with the administration of the plan.” Medical service providers should also be aware of their state laws around mandated reporting of child abuse, which may impact their ability to keep certain information confidential.
- Crime Victims’ Rights Act (18 U.S.C. § 3771): This Act includes a victim’s “right to be treated with fairness and with respect for the victim's dignity and privacy .” [emphasis added]. This law, like Brady v. Maryland, applies to victims’ rights in criminal proceedings.
- Brady v. Maryland , 373 U.S. 83 (1963): Under Brady v. Maryland , a prosecutor must disclose certain exculpatory evidence to the defense. The U.S. Supreme Court held that withholding evidence "where the evidence is material either to guilt or punishment" violates due process. The Brady rule applies to evidence that is favorable or material to the defendant. Exculpatory evidence opposes the guilt of the defendant, undermines the credibility of a prosecution witness, or supports testimony of a defense witness. Material evidence is relevant, meaning it is evidence that has "any tendency to prove or disprove any disputed fact that is of consequence to the determination of the action" and there is a reasonable probability that disclosing the evidence could affect the outcome of the proceeding. Withholding this evidence may violate due process. See the Prosecutors section of the SART Toolkit for additional information.
How HIPAA Affects SARTs
HIPAA affects SARTs if SARTs share patient information. A common conflict related to HIPAA and caring for sexual assault patients arose from health care facilities concerned that requesting advocacy services from rape crisis centers prior to getting consent from a patient would violate HIPAA. These concerns, focused on victims’ interests, led to valuable conversations that resulted in increased collaboration between advocates and health care providers.
National protocols and existing best practices support calling the local rape crisis center to send an advocate to the hospital without sharing identifying patient information. Once the advocate is at the hospital, the medical provider asks the patient if they would like to meet with the advocate. The patient then has the ability to accept or deny advocacy services. Local protocols have outlined this process in detail to ensure turnover in staff will not affect practice.
In addition to protocols, health care facilities and advocacy agencies can develop and sign Business Associate Agreements outlining what information can be shared by health care providers to rape crisis centers when they call for an advocate.  The information that is shared by medical care providers varies by community. SART members can discuss what information may be helpful to share and why that is or is not possible to ensure the best care for the patient.
Your SART should discuss, clarify, and develop processes around any points of service provision related to HIPAA before a complication develops. See how one state addressed issues of HIPAA: The Sexual Assault Task Force in Oregon documented its HIPAA guidelines in its SART Handbook  and included a copy of the Authorization to Use and Disclose Protected Health Information.
On an ongoing basis, your SART can discuss HIPAA rules, including misinterpretations. This could include inviting technical assistance providers to present HIPAA-related training for your members or with a health care institution’s legal department.
Your SART can proactively discuss and incorporate HIPAA guidelines into your protocols and trainings to ensure all team members are aware of what information can be shared under what circumstances, what permissions are necessary, and the obligations of medical providers under HIPAA. Unnecessary conflicts can be avoided by ensuring all your members understand how HIPAA affects their work together.
Your SART can plan for HIPAA compliance by discussing and building into your protocols —
- health care policies around what information, if any, is disclosed when advocates are called to meet with victims. Best practice is not to release any identifying information prior to obtaining consent from the patient.
- routine training for health care intake staff on calling advocates to ensure consistent communication to advocacy programs.
- obtaining consent from the patient to meet the advocate and learn about services before the advocate enters the room. This consent should also include information about when and if communication between an advocate and the patient is covered by state confidential communication laws. Some SARTs have consent forms for victims to sign before a victim advocate is introduced to the victim.
- obtaining consent from the patient for the advocate to remain in the room throughout the medical forensic examination.
- coordinating services and outreach to victims' friends and families within the legal confines of HIPAA.
- the process for law enforcement to get information from hospitals and other health care providers during their investigations.
- the process for medical forensic examiners to access victims' medical reports from emergency departments.
- the process for prosecutors to get medical information to aid in the prosecution of cases. Some SARTs develop hospital-specific forms for prosecution to use to request medical information.
- the process needed to legally share medical information at SART meetings and for case review with core SART members.
Health Insurance Portability and Accountability Act (HIPAA)
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards for the protection of individually identifiable health information created or held by health care providers, health insurance companies, and health clearinghouses. HIPAA was created due to concerns that electronic medical records could be easily disclosed to numerous sources without a patient’s knowledge or consent. Because of this legislation, protection was expanded to all types of health information including electronic, written, or oral. 
The U.S. Department of Health and Human Services published the first HIPAA Privacy Rule in 2000 to ensure individuals' health information is properly protected while allowing the flow of health information as needed to provide high-quality health care. 
- gives patients access to their medical records and more control over their own health information;
- sets guidelines for the use and release of health records;
- establishes safeguards that most health care providers must institute to protect a patient's health information;
- allows civil and criminal penalties to be imposed for violations of the rule;
- allows for limited disclosure of health information without a court order for law enforcement purposes;
- assumes consent when the release of information is related to treatment, payment, or routine medical operations;
- limits the release of protected health information to the minimum number of people necessary for the purposes of the disclosure;
- helps patients make informed choices and know how and when their protected health information is used and to whom it goes;
- requires a medical forensic provider to get written authorization from the patient prior to releasing medical records to non-health care providers, including law enforcement, crime labs, toxicology labs, prosecutors, and sexual assault advocates and programs.  This does not apply when mandatory reporting is required; and
- allows for release of information when mandated by federal or state law for the protection of health and public safety, including mandatory reporting laws related to injury, infectious disease, and child, elder, or vulnerable adult abuse.
State, Tribal, Territorial, and District of Columbia Laws
SART members should know and understand the laws that govern confidentiality in the state, tribe or territory where they operate.
- Victims’ rights laws: These laws detail privacy and notice-related rights for victims.
- Mandated reporting requirements: These legal requirements mandate when certain professionals must report abuse, injuries, or possible future harm. While VAWA, VOCA, and FVPSA permit limited sharing when mandated by law or a valid court order, a program funded under these organizations must nevertheless take steps to protect the victim’s information as much as possible. This mandated reporting exception does not include people that are allowed, but not mandated, to report under state or other law.
- Privilege and confidentiality : For certain professionals, communications with clients are protected from disclosure by law. In many jurisdictions, advocate confidentiality requires that conversations between an advocate and a victim be kept private, and in some jurisdictions, advocate privilege may even prohibit disclosure of confidential information in legal proceedings. In some states, community-based advocates have legally protected confidentiality and privilege while systems-based (e.g.: victim witness advocates working with a prosecutor) do not. There are limits on privilege, however. For example, while all attorneys have attorney-client privilege, prosecutors do not represent victims (they represent the community prosecuting the defendant) and therefore have a duty to disclose exculpatory evidence to the defense under Brady v. Maryland.
- Laws specific to case conversations: In some states, there are laws that describe what type of information can be shared for the purpose of domestic violence fatality reviews. These laws, or others specific to sexual assault cases may impact how case conversations happen on sexual assault teams.
- Open records laws: Nearly every state has its own version of the Freedom of Information Act, which may be referred to as open records, open meetings, open government, or sunshine laws. The laws may contain exemptions to disclosure that a victim may want to protect (e.g. exemptions for certain classes of victims, such as victims of sexual assault or minors). 
- Data privacy laws:  These laws govern the way state (and state-funded) agencies collect, store, and share data.
Federal, state, or agency money that comes through certain federal funding sources (including the VAWA, VOCA, and FVPSA) restricts the sharing of victims’ private information. For example, recipients of VAWA money must protect victim confidentiality by not releasing Personally identifying information (PII) unless they are required to do so by statute or court order, or a victim allows release of the information in writing.
Most local domestic violence and sexual assault programs receive VAWA and FVPSA funding through OVW grants and the Department of Health and Human Services. Advocacy programs can ask their state’s domestic violence or sexual assault coalition to help determine if they receive VAWA or FVPSA funding.
PII is information that might allow someone to know who a specific victim is, such as name, address, contact information, Social Security number, etc. Your community’s attributes, such as size and particular demographics, can also impact the ability of someone to identify a victim. Particularly in smaller areas, team members should be mindful that seemingly insignificant pieces of information or particular details could disclose a victim’s identity.
Examples of PII:
- Revealing that a victim is Ethiopian may be identifying information if there is a limited number of Ethiopians within the community, or if this is the only case involving an Ethiopian victim.
- Revealing that the victim was the perpetrator's niece may identify the victim in some circumstances.
- Revealing the date and location where an assault took place such as a sexual assault that occurred at a specific dorm on a university campus following that year’s Homecoming game may lead to the victim being identified.
Written Releases of Information
VAWA, VOCA, and FVPSA require that a victim’s release of information be informed, written, and for a limited duration of time (i.e., the release is valid for a specified number of days after the date signed and a new release is required when the time limit has been exceeded).
Informed consent ensures that the victim fully understands, and that the release indicates —
- the specific person or agency to whom the release will be given,
- the scope of information that will be released,
- why this release is being requested, what the person receiving the information might do with it, and how information will be shared (phone, mail, email). Keep in mind that often e-mail is not a secure means of transmitting information and consider other options.
Consent must be freely given, and services may not be contingent on the victim’s willingness to sign a release. In addition, the victim may change their mind and may revoke the release at any time , verbally or in writing.
Government agencies may also have data privacy rules that dictate certain elements that must be present in a release or how often releases must be obtained.
Practice Tip : It is a best practice for your SART to obtain written releases of information when you anticipate a discussion of case information. Use the “W.I.T.S. Release” as a guide: 
- Survivor-centered (meaning the victim determines the use of the information, and that use should serve the victim’s needs)
Some agency or insurance policies and protocols may also include confidentiality policies. A hospital may have a policy not to discuss cases or release records without a release to be sure that the hospital is in compliance with HIPAA, while other agency or insurance policies may be negotiable. All members of your team should have a clear understanding of the purpose behind each individual agency’s restrictions on discussing cases.
Licensure and Certification Requirements
Team members who are licensed or certified professionals should discuss any information-sharing obligations that may accompany their professional status.
Serving All Victims
Unique confidentiality issues may arise when serving victims who may hold particular identities such as minors, elders, those who identify as LGBTQ, those in educational settings, military victims, incarcerated victims, Native American or indigenous victims, and possibly all who live in rural communities. More information on these populations can be found in the SART Toolkit.
Victim Advocate Resources
Collaboration with Victim Advocates (PDF, 2 pages)
The International Association of Forensic Nurses’ position statement outlines IAFN’s support of victim advocates at hospitals as an essential member of the multidisciplinary team, with respect to HIPAA. This position statement can be useful to SARTs working with advocates in hospital settings.
Consent & Privacy Resources
Authorization for Disclosure of Health Information (Microsoft Word, 2 pages)
This sample form from OVC can be used to authorize a disclosure of health information so the victim can have a sexual assault advocate present during the medical exam.
Authorization for Release of Drug-Facilitated Sexual Assault Screening (Microsoft Word, 2 pages)
This sample release by the State of New York allows the victim to give consent for a screening of drug-facilitated sexual assault.
End Violence Against Women International offers an FAQ that provides guidance and links to additional resources.
This resource by the Victim Rights Law Center provides state-by-state information on mandatory reporting for medical providers and other applicable professionals.
The Health Care Provider’s Guide to the HIPAA Privacy Rule by the U.S. Department of Health and Human Services explains when health care providers can share patients’ health information with the patient’s family members, friends, or others.
HHS.gov describes HIPAA's background, national standards, compliance, and enforcement and provides HIPAA-related links.
This guide by the Department of Health and Human Services Centers for Medicare and Medicaid Services introduces HIPAA and HIPAA-related resources.
This website by the National District Attorneys Association describes HIPAA exceptions for law enforcement and social service agencies.
HIPAA: Health Insurance Portability & Accountability Act (PPT, 32 slides)
This presentation from the Pennsylvania Coalition Against Domestic Violence and Pennsylvania Coalition Against Rape briefly outlines HIPAA.
HIPAA Privacy Guidelines and Sexual Assault Crisis Centers (PDF, 7 pages)
The HIPAA Privacy Guidelines and Sexual Assault Crisis Centers covers the impact of HIPAA privacy guidelines on sexual assault programs, including the use of advocates in emergency departments.
The National Protocol for Sexual Assault Medical Forensic Examination provides guidance on HIPAA and describes offering community-based advocacy as best practice.
This glossary lists terms associated with the HIPAA Privacy Rule.
Recordkeeping is a complex issue. Nonprofit organizations and government agencies are required to keep certain records by state law, licensure regulation, funding agency, or auditors. Other records are kept for use in grant funding requests, statistical analysis, and evaluating a program’s success.
Often SART members will have a system to collect their own agency data; however, recordkeeping for the SART may be important for reasons such as tracking victims’ experiences and identifying gaps in systems’ responses. Your SART should carefully balance the benefits of recording information against the possible harm that the information could cause the victim or the criminal case if the information were released.
Your SART should consider developing written policies on recordkeeping based on guiding principles. In other words, you should always know why information is being kept (e.g., for funders, for the victim's benefit, for reference).
These are suggested guidelines for recordkeeping:
- Everyone associated with your SART (members, volunteers, student interns, etc.) should maintain the confidentiality of information associated with the program according to legislation, their discipline, and agency policies.
- Every member should sign an appropriate and binding legal agreement around recordkeeping. If your SART develops confidentiality agreements, attorneys that specialize in confidentiality for victims should review them. For more information, read the Confidentiality section of the SART Toolkit.
- Those who access the SART records should only have access to the data necessary to perform their job.
- Determine what records your SART needs to keep for compliance with state and federal grant reporting requirements.
- Consider why records are being kept and what information is needed on them. Keep only what is necessary.
There are benefits and burdens to recordkeeping. Making decisions about what to record and what not to record is easier if you have underlying principles to guide the process.  The more data you collect, the more you will have to protect. Safety risks will be less if you do not collect data you do not need.
You'll need to decide —
- who will have access to SART files.
- who will be the designated custodian of SART records.
- what records will be kept following case reviews.
- what processes will be used to maintain and destroy files.
Nonprofit organizations and government agencies may embrace technology without thoroughly understanding its vulnerability to hacking. As data systems become increasingly interconnected, it is vital that SART organizations anticipate and minimize the potential for harm to victims. Essentially, you need to secure the confidentiality of all communications and minimize any data about victims that are collected, stored, and shared. In addition, because some victims will request assistance or advocacy online, it is critical to think proactively through all safety, confidentiality, and monitoring possibilities relating to electronic communications.
Best practice tip: Many teams shred all copies of documents and notes prior to leaving a case review, keeping only a summary of concerns or action items identified during the discussion.
Your SART should develop policies for electronically stored records, such as the following: 
- Choose passwords that are difficult or impossible to guess. Make the password at least eight characters long and use uppercase and lowercase characters, numbers, and punctuation.
- Regularly back up critical data.
- Use virus protection software.
- Use a firewall as a gatekeeper between SART computers and the internet.
- Log off of the internet after you're finished using it.
- Use screensavers with password protection.
- Physically secure computers (e.g., laptops should be locked up, desktop PCs should not be publicly accessible).
- Position screens to prevent inadvertent viewing.
- Place servers in closed, properly ventilated rooms.
- Encrypt data.
- Do not e-mail victim-related information to anyone.
Police Data Initiatives and Open Data
Recently, there has been increased public interest in accessing police data to improve accountability and transparency. Many law enforcement agencies across the United States release police data online in an effort to meet requests for public records and as part of open government initiatives.
For the domestic violence and sexual assault community, police data could help inform the public about how law enforcement responds to and handles these crimes. However, data sets can also be problematic for victims of violence. For example, most of the open data sets publish information about specific crimes that includes, at the very least, the date, time, location (actual location or block address), incident number, and type of crime (domestic violence, assault, rape, etc.) This level of information can be identifying, even if a person’s name is not mentioned, particularly in smaller communities.
Data Security Resources
The Data Security Checklist by National Network to End Domestic Violence (NNEDV) provides guidance for programs or service providers that are developing data collection initiatives.
NNEDV provides answers to common questions regarding record retention and deletion.
How Law Enforcement Agencies Releasing Open Data Can Protect Victim Privacy and Safety (PDF, 5 pages)
“How Law Enforcement Agencies Releasing Open Data Can Protect Victim Privacy and Safety” by the Police Foundation and NNEDV describes the need for victim privacy to be a central consideration in efforts to share data with the public and includes specific recommendations.
Open Police Data Initiatives: What Domestic Violence and Sexual Assault Programs Need to Know (PDF, 5 pages)
The “Open Police Data Initiatives” by NNEDV emphasizes the importance of advocates’ involvement in decisions to release police data online, and includes basic information to support advocates in joining those conversations.
SART Confidentiality Framework: PLAN
Establishing your SART’s policies and practice is a first step in developing a confidentiality plan.
Once your members know the laws, rules, and regulations that govern confidentiality, as well as the context in which discussion of case information falls within the mission and purpose of your SART, it is important to have a plan in place for navigating situations in which confidentiality may be at issue.
Team policies and practices should be determined in advance of conducting any type of case conversation to proactively protect victim privacy, eliminate confusion around how and when case information will be discussed, and avoid conflict among team members if some members cannot legally or ethically provide information.
Policies and practices may include —
- incorporating confidentiality provisions in your SART’s MOU or interagency agreement;
- using supplemental confidentiality agreements to cover specific types of case conversations;
- keeping records;
- obtaining written, time-limited releases with informed consent from victims, whether the case is open or closed;
- offering regular confidentiality training for team members;
- bringing sensitive case issues to the SART coordinator prior to discussion at a SART meeting;
- notifying agency representatives before the full team discusses case or system issues involving the review of the practice of a member agency;
- designating a team member to monitor case conversations and, where necessary, intervene when the team ventures into territory that will violate either rules and regulations or team policies around confidentiality; and
- identifying opportunities to incorporate confidentiality reminders into regular SART work.
SART Confidentiality Framework: PAUSE
A good strategy for your SART to implement is to anticipate potential “pause button” moments that may arise during the course of the team’s work. Pause button moments are those times where team members should pause to ensure that they are not inadvertently breaching confidentiality before continuing the conversation, whether it is taking place in the context of active case management, case review, systems consultation, or as part of a “side conversation.”
Practice Tip: One way to incorporate confidentiality reminders into the work of your SART is to brainstorm potential scenarios that may constitute a pause moment. By identifying the ways in which confidentiality issues may play out, SART members will be more likely to recognize when they are venturing into compromising territory.
Pause button moments can also include unintentional waivers of confidentiality, such as —
- presence of a (non-privileged) third party;
- media reports or public presentations;
- lack of victim’s informed consent; and
- inadvertent sharing of information that could reveal a victim’s identity.
Discussing Case Information: A Flowchart for SARTs
The purpose of this part of the SART Confidentiality Framework is not to prevent or hinder your SART from engaging in case conversations. Rather, it is to provide you with a strategy for effectively collaborating without inadvertently jeopardizing the work of the team through a breach of confidentiality. It requires that team members recognize the need to pause in their discussion of case information to ensure that victim privacy, and other confidential information, is being protected.
1) Does this conversation put victim privacy at risk?
Victim privacy should be a top priority for SARTs who have committed to being victim-centered and trauma-informed. Whenever case information is being discussed, the first question a SART must ask is whether victim privacy is at risk. If the answer to this question is yes, the conversation must be discontinued.
For example, when the work of the team is active case management, team members are coordinating around a specific case to ensure timely and effective processing of that case. The role of community-based advocates on an active case management team is to provide general guidance and advice that will help the team remain victim-centered through the course of the case.
The advocate may not share privileged communications with the rest of the team, even if the advocate believes this will help the victim. However, with the victim’s permission in the form of a written, informed, time-limited release of information, the advocate may share only the specific information permitted by the release with other SART members.
Example of the Risk to Victim Privacy:
SART members are giving agency updates during a monthly meeting, and the prosecutor celebrates a victory in a recent case, crediting earlier improvements made to the interagency protocols. In her enthusiasm, one of the community-based advocates who worked with the victim in that case begins to recap a private conversation she had with the victim during trial, in which the victim shared with the community-based advocate some details that caused her to question whether the prosecutor would win the case.
The community-based advocate simply wants to congratulate the prosecutor on winning a very difficult case. In this example, it was important for the team to celebrate a victory that came about partly because of the work they had done to improve interagency protocols.
However, even though the case was resolved or “closed,” the communications between the victim and the community-based advocate was still privileged. In addition, the details of her conversation with the victim were not relevant to the actual work of the team.
2) Is other confidential information being discussed?
Private information about a victim or communication that a SART member with privilege has had with a victim is not the only information that is governed by laws, rules, and regulations around confidentiality. Even if the case information being discussed does not impact victim privacy, SART members discussing case information should also ensure that other violations of confidentiality are not occurring as a result of the conversation.
Example of Protecting Other Confidential Information:
A SART is engaging in a case file review process to identify areas for improvement when investigators are conducting victim interviews. Team members used the previous month’s meeting to review all applicable laws, rules, and regulations governing confidentiality, and are using a case file review process that adheres to best practice. In addition, the law enforcement agency whose case files are going to be reviewed has taken steps to redact identifying victim information, as well as other confidential information.
3) Does discussion of case information comply with the governing laws, rules, and regulations, as well as team policies, regarding confidentiality?
There are times when the discussion of specific case information does not violate victim privacy, is relevant to the work of the SART, and does comply with confidentiality. When done correctly, these conversations can lead to system-level improvements to the response to sexual assault.
Example of a Case Conversation Done Correctly:
A local SART is engaging in a case review process for the purposes of decreasing the number of “declined to prosecute” cases. While discussing one such case involving the sexual assault of a male victim by his brother-in-law, a prosecution-based victim-witness advocate exclaims, “I remember that case! I spoke to a family member who walked in on the assault, but did not report it to law enforcement because she had just married into the family and was not sure if the sexual contact was consensual. She did not feel comfortable asking her new husband about it, and only briefly brought it up to me when dropping the victim off for a meeting at our offices.”
The prosecutor responded that, had they known this information, they would have likely proceeded with the case. In this example, the information shared was relevant to the work of the SART, which was looking for ways to increase prosecution of sexual assault cases. Furthermore, the victim-witness advocate is a systems-based advocate not bound by the same confidentiality obligations as a community-based advocate, and thus obligated to share information with the prosecutor related to the case and was sharing information she received from a victim’s family member, not the victim himself. This conversation highlighted the need for additional training within the prosecutor’s office for the victim-witness advocate.
4) Can the team achieve its goals without discussing case information?
Your SART may be surprised to find that not all information is necessary to achieving its goals.
For example, when the work of the team involves systems consultation or case review, the team is examining the overall response to sexual assault. Therefore, details such as the name of the investigator can be redacted. Team members may still discuss the actions of the investigator for the purposes of identifying patterns, gaps, and areas in need of improvement within the system’s response, and can avoid turning the conversation into a personnel issue.
Example of Alternative Ways to Achieve Team Goals:
A prosecutor who has received push-back from other SART members for her decision to decline a particular case involving a juvenile victim wants the SART to review that specific case in order to help team members understand how charging decisions are made. Rather than open an actual file, the prosecutor can make a presentation to SART members outlining the decision-making process her office uses to determine whether a case involving a juvenile victim should be charged.
This CCR Toolkit developed by the Victim Rights Law Center (VRCLC) discusses federal and state laws regarding privacy and information sharing for coordinated community response teams, a privacy checklist, resources, and other information.
A Comparison of Three Approaches to Case Conversations (PDF, 1 page)
This chart from What Can We Talk About? A Guidebook for How Sexual Assault Response Teams Discuss Sexual Assault Cases by the Sexual Violence Justice Institute at Minnesota Coalition Against Sexual Assault details the differences and similarities between systems consultation, case review, and active case management.
The Confidentiality Institute provides up-to-date, state-specific, sophisticated training, toolkits, and on-call technical assistance to help an agency handle its most significant confidentiality and privacy challenges.
This “Safeguarding Victim Privacy in a Digital World” webinar discusses ethical considerations using hypothetical examples.
The Technology & Confidentiality Toolkit was created by NNEDV to assist nonprofit victim service organizations and programs, co-located partnerships, coordinated community response teams, and innovative partnerships of victim service providers working to address domestic and dating violence, sexual assault, and stalking. This toolkit is meant to help providers and agencies understand and follow the confidentiality obligations mandated by the funding they receive through the VAWA, FVPSA, VOCA, and related state and federal privacy laws.
The Victim Rights Law Center provides free, comprehensive legal services for sexual assault victims with legal issues in Massachusetts and Oregon in the areas of privacy, safety, housing, education, employment, immigration, and financial stability. What they learn from representing individual victims is used to train thousands of advocates, attorneys, campus administrators, medical professionals, law enforcement, military personnel, and other professionals throughout the United States and U.S. territories to improve the response to sexual violence.