Can You Sign That Get-Well Card? Understanding Medical Privacy & Caring Friends

More than any time in recent memory, we are all hyper-aware of the health of our friends, neighbors, and colleagues. We want to support each other with messages of kindness, but can we?

Many people are afraid that sharing news of a person in duress, even for the most loving and supportive reasons, is wrong and possibly illegal.

In truth, there is no law against communities drawing closer around others in need.

The Source of People’s Concerns

Concerns about sharing news involving another person’s health spring from HIPAA, the Health Insurance Portability and Accountability Act. This was (and continues to be) a significant piece of Federal legislation that controls how patient information can be accessed within the health care and insurance systems, and more importantly, how that information can be released out into the public at large.

There was a long period between HIPAA’s passage in 1996 and the law’s effective date in 2003, mostly because of the political back-and-forth about the interpretation of the law that occurred during the Bill Clinton to George W. Bush transition after the election of 2000.

It was the sound bites during those years of political tension that left the public with the impression that they were also subject to this new, threatening, looming law.

Perfectly regular activity, such as the proverbial water-cooler conversation or the passing of an office Get-Well card, became suspect. Well-intentioned, caring people became uncomfortable extending concern for a colleague facing a health crisis within their family. People in pews started squirming during calls for prayers.

All of this was a misunderstanding then, and it continues today. Let me clarify what the law says.


In a nutshell, HIPAA says that people and organizations that inappropriately share someone’s personal health information gained through the course of care or business may face civil and even criminal liability.

This is true regardless of how that data is shared, whether it is an oral conversation, a written (paper) correspondence, or an electronic transaction. Since 1996 other waves of HIPAA (and related legislation) have focused more extensively on digital material and electronic records, but the basic rule stays the same.

Patient information should be shared as necessary to provide the highest quality and safest care to the patient. In addition, the law allows the exchange of patient data for efficient and accurate billing and payment for that care, and in some circumstances (such as allowing a risk management review of records) patient data can be shared, with specific protections, to sustain the operations of a hospital or medical practice.

Equally important, HIPAA gave four new Federal rights to each of us, including:

  1. the right to get a copy of our records (state laws already gave us that right);
  2. the right to control who has access to our health information (although that right is not as expansive as commonly believed);
  3. the right to obtain an accounting of who has been provided with our information (again, with limitations);
  4. the right to amend our medical record at our physician’s office or at a hospital (but amending is limited to making additions or clarifications, and does not allow us to alter, delete or change our record).

That is a small snapshot of an enormous law. I hope this summary gives you some peace of mind, especially those of you who are privacy-conscious.

Who Must Worry About HIPAA?

You only need to worry about HIPAA if you are a “Covered Entity” under the law and know something about another person because of what you do (whether for your livelihood or as a volunteer).

The law also extends to “Business Associates,” which are companies and people who work for covered entities and require access to patient data to do their jobs.

Covered Entities under HIPAA are health care providers, such as individual physicians or hospitals, as well as the health insurance industry. Employers who are privy to health information of their employees (such as self-insured employers) also fall under the law.

If you are a health care provider yourself or work in any of the settings just named, you can’t share any information you gained because of who you are or what you do. For example:

  • If you are the receptionist at the local clinic where your girlfriend’s daughter was seeking birth control, you are completely silenced by the law;
  • If you are a hospital executive proud “That Big Star” just got admitted to your facility, keep it to yourself;
  • If you are a nurse posting your patient’s name on your social media prayer chain (without them requesting you do so) you better pray for yourself as well: you just broke the law;
  • If you are a physician and your patient is your friend, you can’t share anything you know as their doctor if you are at a cocktail party with a social group you have in common; you aren’t even supposed to acknowledge the person is your patient.

I promise you people who break HIPAA are almost always caring, compassionate people who are sharing knowledge out of genuine concern. However, it is still a violation to share information if what you know has anything to do with what you do, or who you are.

By the way, people spilling patient information for profit are criminals.

Getting Back to That Get-Well Card

If you don’t fall under the “Covered Entity” description (or work for one as a “Business Associate”), you don’t have HIPAA liability.

But please understand I am not encouraging salacious gossip or rudeness.

In 2008 I published a HIPAA guide through the Texas Medical Association with the following dedication:

I dedicate my efforts to my parents: Dr. John Gordon Freymann for raising me with love and respect for the profession of medicine, and Mrs. Ruth Ellen King Freymann for raising me with a love of knowledge and, of course, good manners.

Good manners would be the right place to start any decision about how and if to share knowledge about anyone else.

This is my take-home message to you all. Trust the moral compass your parents gave to you. Is the conversation you are participating in gossip or caring? Does it serve the person you are discussing? Would you want the same information shared about you or your loved one?

If so, please sign the card, tell the neighbor who should know what is happening, let your colleague know you are holding them close. Caring is not illegal.

Want to Know More?

1. As indicated above, there are many misunderstandings about HIPAA, even within the medical community. To its credit, the Department of Health and Human Services [HHS] has been trying to clarify what is and is not intended by the law through a fascinating (if you are a geek like me) Frequently Asked Questions for patients and members of the public.

2. All states have laws regarding medical privacy (and did so well before HIPAA). If you want to understand your privacy rights, or what to do if you think your rights have been violated, it is important to consider your state law as well. The best resources for that information will be your State Department of Insurance/Consumer protections, your state Attorney General’s office, and your state medical or hospital associations (professional associations commonly have information for the public posted on their websites).