Understanding Medical Privacy: Can You Sign that Get-Well Card?

Events in my own life these past 3 weeks have illustrated to me how uncomfortable some people are sharing information about a person in their midst who is undergoing a health crisis.

Many people are afraid that sharing news of a person in duress, even for the most loving and supportive reasons, is wrong and possibly illegal.

In truth, there is no law against communities drawing closer around others in need.

The Source of People’s Concerns

Concerns about sharing news involving another person’s health spring from HIPAA, the Health Insurance Portability and Accountability Act. This was (and continues to be) a major piece of Federal legislation that controls how patient information can be accessed within the health care and insurance systems, and more importantly, how that information can be released out into the public at large.

There was a long period between HIPAA being passed in 1996 and the law’s effective date in 2003, largely because of the political back-and-forth about interpretation of the law that occurred during the Bill Clinton to George W. Bush transition after the election of 2000. HIPAA was wrapped up in the political tensions of that time, and it was within those sound-bites that the public got the impression that they were also subject to this new large looming law.

Perfectly normal activity, such as the proverbial water-cooler conversation or the passing of an office Get-Well card, became suspect. Well-intentioned, caring people became uncomfortable extending concern for a colleague facing a health crisis within their family. People in pews started squirming during calls for prayers.

All of this was a misunderstanding then, and it continues today. Let me clarify what the law actually says.


In a nutshell, HIPAA says that people and/or organizations who inappropriately share someone’s personal health information gained through the course of care or business may face civil, and even criminal, liability.

This is true regardless of how that data is shared, whether it is an oral conversation, a written (paper) correspondence or an electronic transaction. Since 1996 other waves of HIPAA (and related legislation) have focused more extensively on digital material and electronic records, but the basic rule stays the same.

Patient information should be shared as necessary to provide the highest quality and safest care to the patient. In addition, information can be exchanged for efficient and accurate billing and payment for that care, and in some circumstances (such as allowing a risk management review of records) can be shared with specific protections to sustain the operations of a hospital or medical practice.

Equally important, HIPAA gave four new Federal rights to each of us, including:

1. the right to get a copy of our records (state laws already gave us that right);

2. the right to control who has access to our health information (although that right is not as expansive as commonly believed);

3. the right to obtain an accounting of who has been provided with your information (again, with limitations);

4. the right to amend your medical record at your physician’s office or at a hospital (but amending is limited to making additions or clarifications, and does not allow you to alter, delete or change your record).

That is a very small snapshot of a very large component of health law, but I hope this summary gives you some peace of mind, especially those of you who are privacy-conscious.

Who Must Worry About HIPAA?

You only need to worry about HIPAA if you are a “Covered Entity” under the law, and know something about another person because of what you do (whether for your livelihood or as a volunteer).

Covered Entities under HIPAA are health care providers, such as individual physicians or hospitals, as well as the health insurance industry. Employers who are privy to health information of their employees (such as self-insured employers) also fall under the law. If you are a health care provider yourself, or work in any of the settings just named, you can’t share any information you gained because of what you do. For example:

  • If you are the receptionist at the local clinic where your girlfriend’s daughter was seeking birth control, you are absolutely silenced by the law;
  • If you are a hospital executive proud that “That Big Star” just got admitted to your facility, keep it to yourself;
  • If you are a nurse posting your patient’s name on your social media prayer chain, you better pray for yourself as well: you just broke the law;
  • If you are a physician and your patient is your friend, you can’t share anything you know as their doctor if you are at a cocktail party with a social group you have in common, and you aren’t even supposed to acknowledge the person is your patient.

I promise you people who break HIPAA are almost always caring, compassionate people who are sharing knowledge out of true concern (the other ones spilling information are criminals). However, it is still a violation to share information if what you know has anything to do with what you do, or who you are.

Getting Back to That Get-Well Card

If you don’t fall under the “Covered Entity” description, you can’t have HIPAA liability. But please understand I am not encouraging salacious gossip and/or rudeness.

In 2008 I published a HIPAA guide through Texas Medical Association with the following dedication:

I dedicate my efforts to my parents: Dr. John Gordon Freymann for raising me with love and respect for the profession of medicine, and Mrs. Ruth Ellen King Freymann for raising me with a love of knowledge and, of course, good manners.

Good manners would be a good place to start any decision about how and if to share knowledge about anyone else. In fact, “Good Manners” is where I start any HIPAA education for anyone who does fall under the law.

This is my take-home message to you all. Trust that good moral compass your own parents gave to you. Is the conversation you are participating in gossip or caring? Does it serve the person you are discussing? Would you want the same information shared about you or your loved one?

If so, please sign the card, tell the neighbor who should know what is happening, let your colleague know you are holding them close. Caring is not illegal.

Want to Know More?

As indicated above, there are many misunderstandings about HIPAA, even within the medical community. To its credit, the Department of Health and Human Services [HHS] has been trying to clarify what is, and is not, intended by the law through a fascinating (if you are a geek like me) Frequently Asked Questions website.

All states have laws regarding medical privacy as well (and in fact did so well before HIPAA). If you want to understand your privacy rights, or what to do if you think your rights have been violated, it is important to consider your state law as well. The best resource for that information will be your State Department of Insurance/Consumer protections, your state Attorney General’s office, and/or your state medical association (medical associations commonly have information for the public posted on their websites).