HIPAA & Prayer Release


January 20, 2017

Better safe than…What about HIPAA and our prayerline?

Most of us were pleased—if a little surprise—to discover that the government had done something to protect our individual privacy. We were happy to learn, over and over again, that the Health Insurance Portability and Accountability Act of 1996 (better know as “HIPAA”) provided criminal penalties for those who trafficked in our personal health information. We also discovered that there is an alert federal bureaucracy ready to prosecute any who violate this law.

But what about those of us who want to pray, specifically, for members of our church and their particular circumstances? Are we at risk if we tell others about their physical and spiritual needs?

Usually not. A church is not a “covered entity” within the meaning of the regulation (45 CFR 164.104) which implements HIPAA. Moreover, in this country we continue to enjoy both the freedom of religion and the freedom of speech.

The problem that exists concerns church members who are also employed in a part of the healthcare industry that is covered by HIPAA. If they are passing protected health information [PHI] (such as “Barbara Jones has cancer”), they may inadvertently be violating the law and be liable.

A simple fix every church can adopt is to obtain from each person who requests prayer a HIPPA release. This release was created in the regulation (45 CFR 164.508) to allow passage of PHI without penalty. Here’s an example of a Prayer Request and HIPAA Release card. Please note that the specific wording should not be changed.

Also note that you can execute a privacy release only for yourself, not for another adult (at least not unless you are that person’s guardian or have his or her power of attorney). If you are completing a card as a parent, guardian, or power of attorney, please write one of those words under the signature line.