Get-well cards and HIPAA

Does the practice of passing around a get-well card for an employee in the hospital, for co-workers to sign, violate HIPAA, since this is indirectly (pretty directly, actually) telling everyone the person is ill? I think this is a common practice, but I could be wrong.
Thanks to everyone who answered my previous question - I agree with you, but I've been outflanked. The card that concerns me reached me after half of the company, including the President, had already signed it.


  • 38 Comments sorted by Votes Date Added
  • I recently had the same situation and informed the person who was going to be doing the passing of the card not to do it. Passing around a card just creates more talk regarding what the potential problem is and can create problems for you, as the employer, regarding how the confidential medical information "leaked" in the first place. Best suggestion it to inform the person who is normally "in charge" of this type of thing to cease the practice. If they, personally, want to send a card that is one thing but don't do it as a "company" thing.

  • I agree with Lida here. Don't have it sent from the company. Let individuals send their own cards. Before hngry hungry HIPAA, we used to allow ees to bring cards to HR and we would fill out the addresses for them to keep the sick ees address private. Now we just pretend that we don't even know why they are out.
  • First of all HIPAA law is not a factor in this situation because HIPAA addresses confidential PHI (personal health information) used in conjunction with the health benefit plan. Other "personal information" (such as absences for medical reasons, FMLA, age, dependent status) that are considered "employment records" are exempt from HIPAA regulations. Employment records are those that relate to managing employees and the employment relationship.

    What is of concern here could be ADA (American's With Disabilities Act) or any other state laws addressing confidentiality. Under many of these laws, the employer has a duty to protect confidential medical information from unnecessary disclosure for non-business reasons. ADA could come into play if it creates an atmosphere of perceived disability by the employer, supervisor, etc.

    I would suggest that you obtain at least a verbal agreement to pass along the fact that an employee is ill (or a family member speaking on the authority of the employee if the employee is incapacitated). Absent that, I would avoid a general policy of passing around a get well card. I know that I personally, would be offended if news of a personal illness became public knowledge.
  • To maintain privacy of the sick ee, we do not want that ee to even perceive that HR was involved with sharing their illness with any ees. Once your name is signed to the card, it could be interpreted that HR intiated or was involved with letting the entire company know and they will wonder how much info you shared? HIPAA is not just related to Health Insurance, PHI refers to private health information which includes having the flu, a cold or even cancer. If this information is shared outside of operational purposes then you may be violating HIPAA.
  • [font size="1" color="#FF0000"]LAST EDITED ON 07-10-03 AT 12:44PM (CST)[/font][p]Sorry Scottor - I disagree on one point. HIPAA Privacy law is not an "employer" law. It is a law that affects only benefit plans. That an employer administers the benefit plan means that the employer is required to (on behalf of the plan) protect PHI.

    (The Privacy Rule, as well as all the Administrative Simplification rules, apply to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form...) [url][/url]

    Information that is used strictly for “employment records” is not subject to the Privacy provisions of HIPAA. (It is important to note that such records may be subject to employment privacy protections in other federal and state law.) An “employment record” is not defined in the law – but “Questions & Answers” in the recently released regulations state that it is not the nature of the information that determines whether or not it is an employment record but whether or not the employer creates and uses the information as an employer for employment purposes or as an administrator of a health plan for purpose of the health plan administration or maintenance. The latter means that it is subject to HIPAA Privacy Rules.

    Since "employment records" are not subject to HIPAA Privacy requirements (but as noted above may be subject to other privacy requirements) the difference is not one of semantics. Privacy requirements entail numerous procedural requirements - such as maintaining a disclosure log as well as identifying when, where, how and what information may be disclosed. This is a much more onerous task than the maintainence of normal confidentiallity requirements of non-HIPAA privacy laws.

  • [font size="1" color="#FF0000"]LAST EDITED ON 07-10-03 AT 12:56PM (CST)[/font][p]By the way, thank you for the link. I will read it carefully. I agree that it is not an employer law but as a plan administrator, there are certain privacy obligations that I am required to maintain. Our attorney and subsequent trainings I have attended on HIPAA have all said that I am required to obtain a release from the ee before sharing any PHI. They have all also said that the release must be specific as to who will receive the information and who will give the information. It is also my understanding that the disclosure log is intended for tracking purposes to insure that privacy has been maintained. Either way I still do not think HR should involve themselves with participating in get well cards.
  • Hi Scottor:
    Yes, my understanding is the same as yours, I believe. But a written authorization is needed only for disclosures that are not "automatically authorized" - in other words if your Notice of Privacy Practices and Plan Document identifies specific types of disclosures (such as communications with your insurance broker or the insurance carrier) those disclosures do not need a written authorization. A written authorization would be needed for those not specifically identified. For example, if your insurance broker wanted to release medical information to an insurance carrier from whom you were seeking a quote for a new benefit plan.

    The Disclosure log lists only such disclosures that were not "routine" (disclosures that were not authorized by virtue of the NPP and Plan Document OR were subsequent to a Written Authorization.)

    HIPAA is a typical law - written in such a way as to confuse everyone...

  • Hi Skyrocket,

    Thank you very much. With all of these changes who can keep up? Every time I see something about HIPAA, there is always new or different information. I was unaware of the information you just shared. Thanks again!
  • Unless my company is the exception, when someone is out sick, their co-workers usually know it. In most cases, they even know why. However, even before HIPAA, HR was not allowed to give out any information (home address, hospital, diagnosis, condition etc). If the ees ON THEIR OWN TIME want to send a card and/or collect money for flowers (even a group card), there is no way I can stop it. However, management and HR are not allowed to sign or contribute.
  • Wow, this is a new one on me and I honestly don't like it a bit. The workplace is getting more and more ridiculous if we can not even send a get well card to a co-worker who is out ill. NEVER would HR divulge the nature of an illness or private information. However, in our small company of 48 employees, it does not even make sense to think everyone does not know when someone is in the hospital or has the flu. We even send flowers or balloons for heaven's sake.

    Please tell me I am not crazy to think it is going a bit far to worry about sending or signing a get well card.
  • Hallmark watch out. There go your profits.
  • I agree with Dasher. If the employee out sick doesn't want anyone to know then they should say so, we will honor that.

    Once we forgot to send a card to someone when he was out and when he came back to work he was all bent out of shape because he got no card while in the hospital. I think cards mean a lot to sick employees. We have never had anyone upset at a card and flowers.

  • As long as the info didn't come from the Plan Administrator, how does sending a card violate HIPAA Privacy? Where I work everyone knows everyone's business anyway (40 employees) and the sick employee would be very hurt if he/she didn't get flowers or a card. How is a card disclosing protected personal health information? Are you putting the diagnosis code on the card or transmitting it electronically? Or is it generic "get well soon". Does "get well soon" violate HIPAA Privacy? I haven't seen it if it is; someone please point it out to me.

  • I'm a card sender. For that matter, I have flowers sent for anything that requires even one night in the hospital.

    I'll take my chances.
  • Way to go Frank. I agree.
  • [font size="1" color="#FF0000"]LAST EDITED ON 07-10-03 AT 01:36PM (CST)[/font][p]Maybe I'm unique, but I am the plan administrator for all of our benefits. But something tells me I'm not alone. If you as a friend want to send an ee a get well card feel free. I am all for that. But passing around a card from the company gets into an area I'm personally not comfortable with. It's not the card but what people say when they pass the card along. I heard from HR that Joe Smith has cancer thats why he is out.

    Now prove you weren't the one that said it! I'd rather avoid the hastle all together. I am speaking from personal experience. We had an ee out on leave and one of the HR people here signed the get well card. Three weeks later we got a letter from an attoney that said their clients privacy rights were violated. We're still fight it out trying to prove our HR Administrator did tell other about the ees illness. We will likely win the case but at what expense.
  • Heavens to Betsy, I think HIPAA has gotten people paranoid. There is nothing to violate in sending a "thinking of you" card to an ee who is out. FMLA requires that paperwork be filled out when an ee has to be out for illness, surgery, etc. What is wrong with sending a card and flowers? How does that violate privacy? Patients are asked at hospital pre-registration and upon entry if they want phone calls put through, do they want a chaplain to visit, are any individuals not allowed to visit, etc., so there are other safeguards in place. Our company is a small home health agency and I, on behalf of the company, send a card to ALL ees who are out, along with flowers. What is invasive about that? Most ee's are hurt if some sort of acknowledgment is not given. I think most people are sensitive enough not to "directly" pry. I do not give out addresses, but most offices keep a contact list with addresses, phone numbers, etc., that employees agree or not agree to provide. There is also a phone book that has information that is accessible to all. Common sense and courtesy are the key here.
  • I have recently asked our attorney this specific question. She said that as long as HR wasn't generating the actions, we should be okay. We have about 200 employees, but only about 35 here at the office. As mentioned in other posts, everyone knows what is going on - from the employee themself. Obviously, if an employee didn't want it known why they were on leave, people wouldn't know. Supervisors and HR won't release that info. I can say that know, but I did have to explain the rationale to one supervisor.

    We are a non-profit service agency and we want to serve our own! I read something ahile back, might have even been my Texas ELL about a person who filed some type of charges after having been on leave. In court it boiled down to they felt uncared for because no one from the company reached out to them to see how they were doing. We walk a fine line between watching the laws and privacy, etc. and ensuring employees feel cared about. I think it would be important that if your company doesn't allow cards to be circulated, etc. that HR (benefits rep or HR Mgr/Dir) take the initiative to send a card to the employee. Those little touches can mean alot!
  • And I thought things had really hit the skids following a UT football game during which Roy Williams limped off the field in front of thousands of fans and didn't return to the game. The next morning a news commentator reported that, due to privacy issues, no information regarding the incident would be forthcoming, including whether he was injured or not. If our rulemakers don't have any common sense, shouldn't we continue to exercise ours? I realize the correct answer to that is "No", but we in our department refuse to be bullied into pathetic treatment of our employees because of a vague understanding of some regulation, the interpretation of which even the authors aren't sure . A get well card only recognizes that someone isn't well. Is that a big surprise since it happens to practically everyone now and then? It doesn't give a diagnosis, a prognosis, or the schedule for the next chemo appointment. It isn't as though other employees don't know something is wrong with a fellow worker unless HR tells them. So what's the harm in signing a card? Some of the wild and crazy notes written in our "company" get well cards have made even the sickest employee chuckle. It probably worked better than medicine.
  • I think it's a poor excuse that an employee signing the card might reveal too much in his message. You would read the card before you mailed it, wouldn't you? (I certainly do.)

    I'll probably make somebody mad with this comment, but it's not intended to be mean-spirited... it's just that I think there are too many managers (of all disciplines) who take the easy way out instead of doing what is most effective for the company. In this case, saying "I don't know whether I can send a get-well card without violating HIPAA so I won't send them" is taking the easy way out. The effective route is to control the situation in such a way that it makes the sick employee feel missed, and a part of the team, while monitoring the content with HIPAA in mind.

    It's akin to the school of thought that says "I don't know if I can give a performance evaluation that won't be used against me later, so I won't give them."

    There are risks you incur the first day you open for business. Control them, monitor them, but don't throw the baby out with the bathwater.
  • For God's sake! How anal can we manage to get? Send the damned card, and flowers for that matter. Humanity has not changed one iota, just the regulations which seek to control us. DON'T send a card and you'll catch more hell from the ee than if you do. Can any among us recall an employee ever objecting to having been sent a get well card or flowers? And do any of you think the existence of HIPAA will trigger such resentment should you send a card?

    Imagine the conversation...."Honey, awhile back when you were in the hospital, I noticed the company didn't send flowers, not even a card. What's up with that?" "Oh, they stopped that in April of '03. Something about government regulations and what types of information the company can discuss or have or share with employees and flower shops I think. And if they know you're sick, they have to pretend they don't. Anyway, I understand, although flowers would have been nice. They're even talking about prohibitions on our asking "How are you feeling today?" when we greet each other in the mornings. And they've already stopped ordering cakes for retirements since they say it'll signal to all the rest of the staff that the retiree is old."
  • [font size="1" color="#FF0000"]LAST EDITED ON 07-10-03 AT 02:50PM (CST)[/font][p][font size="1" color="#FF0000"]LAST EDITED ON 07-10-03 AT 02:32 PM (CST)[/font]

    Just for your information, we send flowers immediately to the hospital in such situations. We did so in this case, too, with a card. The employee works at a branch and the card that caused my concern was being passed around the corporate office among people who have never met or worked with the sick employee. Many did not even know that she was out until the card was placed in front of them. Also, the person who circulated the card did it for the express purpose of telling everyone about the illness, and she did it because she was mad at me because I refused to announce the illness company-wide by e-mail. I understand that's a different issue. My thanks to everyone for offering your opinions on this.
  • [font size="1" color="#FF0000"]LAST EDITED ON 07-10-03 AT 02:08PM (CST)[/font][p]I have been reading all the threads and I think we are forgetting something very important. We in HR do not need to sign a card to show we care. If we are doing our job properly,we are doing more to help the sick employee than anyone else in the company. One of this best things about this job is that I can truly help someone when they need it. What is more important to the ee, that I sign a card or that I call to see how things are going, ask if there has been any problem in getting the paperwork done, help if there is a problem with the insurance company, explain benefits to family members. What is more important to the ee, the congratulations on your new baby card or the fact that I had that child enrolled for insurance within hours of being born. We are in a unique job. Because of the importance of confidentiality, there are many things we cannot do. I don't like firing people, or turning down FMLA requests, or worrying about all those expletive deleted government rules. But, I sure love knowing that I helped someone.
  • Whatever -

    You got it right on the nose! We all need to acknowledge that "human" is part of our job title and duties!

  • Mr. Creosote: I wasn't addressing you personally or your particular situation in my comments about cards and flowers. I simply am expressing my opinion as to the insanity of allowing regulations to control our every thought and movement when they were not intended to have those outcomes at all.
  • There is absolutely no violation of HIPAA to send a simple get well card. I agree that you are going to catch a lot more hell for not acknowledging an employee being out, etc. If I know of an employee who has been out, especially on an extended illness, I always call just to see how they are. I don't ask a thing about their illness, what's wrong with them, etc. (even though they don't hesitate to tell me). I simply tell them we were just checking to see how they are doing and that they are missed.

    I am all for legalities, but we are getting WAAAAY too paranoid at the expense of humanity.
  • Don, your previous postng just hit a nerve with me because it is exactly the type of argument I expect from my bad employee. When she asks me to announce the illness to all employees she says that we always have and that I'm a "creep." I explain that it's illegal to release the information. She releases the information anyway via a card under the pretense of sympathy, when she knows that we already sent a card and flowers. I explain that she can't do that. She replies, "For God's sake! How anal can we manage to get?" I explain that she is sharing confidential information. She replies, "Send the damned card, and flowers for that matter. Humanity has not changed one iota, just the regulations which seek to control us." I get a little frustrated because I know she is only making excuses to gossip, but she continues by saying, "DON'T send a card and you'll catch more hell from the ee than if you do. Can you recall an employee ever objecting to having been sent a get well card or flowers?" She's just getting more emotional and continues with a future doomsday scenario. She says, "Imagine the conversation....'Honey, awhile back when you were in the hospital, I noticed the company didn't send flowers, not even a card. What's up with that?' 'Oh, they stopped that in April of '03. Something about government regulations and what types of information the company can discuss or have or share with employees and flower shops I think. And if they know you're sick, they have to pretend they don't. Anyway, I understand, although flowers would have been nice. They're even talking about prohibitions on our asking "How are you feeling today?" when we greet each other in the mornings. And they've already stopped ordering cakes for retirements since they say it'll signal to all the rest of the staff that the retiree is old."
    And I just give up because she's obviously not listening to anything I've said. I don't think she's being reasonable but I don't know what to do about it so I just hope she'll retire soon. That's what I was thinking when I read your message.

  • Mr. Creosote -

    I think your argument is faulty because it is based on the premise that having employees sign a get-well card is automatically in violation of HIPAA.
  • I wasn't trying to make an argument. I was explaining my previous reaction and possible overreaction to Don's post. It was meant to be amusing. You are taking it more seriously than I intended.
Sign In or Register to comment.