We investigated policies and procedures for the maintenance of confidentiality in primary care by means of a postal survey of 109 general practices in a large non-metropolitan urban health authority in England. The response rate was 61%. Practices believed a variety of staff should be informed if a patient was HIV-positive, ranging from 'patient's own GP' (100%) to 'clerical staff' (8%). In 88% of practices receptionists occasionally or normally asked patients why they wished to see a doctor, although in 76% such conversations were audible to other patients. Ninety-nine per cent claimed to have a policy on confidentiality, although it existed in writing in 62% and was publicized in only 27%. In 88% of practices non-clinical staff had access to written patient records. Ninety-three per cent provided staff training in confidentiality, but in 34% it was confined to induction. Almost all practices had taken some steps to safeguard confidentiality, but few had explicit, formal confidentiality policies. Information sharing and non-clinical staff access to medical records were extensive, and few practices communicated their arrangements to patients. Practices need to review their policies and procedures for the maintenance of confidentiality.