HIPAA Privacy and e-mail

Our CEO would like to be able to send information about employees who are ill or having surgery or are hospitalized to all employees via e-mail. He understands HIPAA and privacy concerns, but he wants to find a way around it. We're thinking of having employees sign a release if they would like to have information shared with others. Any opinions? Do you think a signed release would protect us? I'd appreciate any comments.


  • 16 Comments sorted by Votes Date Added
  • I would never share another employee's information with anyone else. First of all, other employees have no business knowing the medical conditions of their co-workers. If John Doe wants Sally Smith to know what's wrong with him then it is up to him to divulge that information, not you or the CEO. This is a very bad idea and I would suggest it not be done.
  • And of course you never know where an email will end up outside the company. Not a good idea.
  • Why does he want to do this?
  • I agree with the previous answers. If the employee wants others to know of his/her condition, that is up to the employee.
    Even with a signed release, you might have other employees bring up concerns about the sharing of such private information w/all employees.

  • BAD BAD BAD idea. the fine for a HIPPA violation of this type can be $10,000 per occurance and this is a personal fine. Your CEO would bankrupt himself if he sent them out to enough people.

    I also wonder what his his reasoning for wanting to do this. Would he like people to know about a very personal problem that he might have.
  • The key part of your post is, "but he wants to find a way around it.". That smacks of trying to break the rules. And another poster told you the penalty for doing that.
  • MJ: I never liked it before HIPPA and certainly would not stand by and try to find a way around the it for the purpose of making sure that everyone knew that X-employee was out with "GUT" or some other Cancers. We have enough trouble trying to police the personal use of e-mail, so why even attempt trying to be nice in letting others know of my "prostate cancer"!

  • MJ, I agree with the advice others have given, but just in case you're feeling a little ganged up on here (even though you're only representing your CEO), let me assure you that there are workplaces other than yours (such as mine!) where there is a tendency for well-intentioned people to get too far into other people's personal/medical business in a electronic or other public venue. I call it the church bulletin approach -- i.e., Let's all pray for Mildred while she's recovering from her hysterectomy this week. Your CEO, I would imagine, wants a way to rally support for those sick employees who want or need it, and he probably wants to answer "Where's Mildred?" for everyone's information. You need to acknowledge what he's trying to accomplish at the same time you're telling him not to do it. Very few CEO's want to hear a flat NO from HR.

    Good luck!
  • That is where I was trying to get Whirl. I asked the question, but didn't get an answer. If we know his motivation we might be able to give you some advice to meet the CEO's needs without compromising HIPAA.
  • Thanks for the advice. I actually never wanted to do this, but I had to find some others who would back me up so that I wouldn't have to be the only one to say NO to my CEO. And, you're right--his motivation is to have everyone as one big happy family. You all have made my job easier. Thanks.
  • This is another example of an idea whose time has come and passed. Many people are really strict about medical issues and want nobody to know. HR should not gossip about these issues at all as employees need the assurance they can tell us anything and it goes no further. Now with new privacy law, the law is all on their side. Just say no (nicely).
  • By the way, HIPAA wouldn't apply to this situation.

    In some companies, this would be a fine thing to do, simply notifying that someone is out for a period of time. I would verify with the employee that he/she is comfortable with that (often times they want others to be aware - they get cards, flowers and emails from those who care).

    I dunno, I just don't think this is as terrible as some are making it out to be. Sure, I would stop short of revealing the reason for the leave, but otherwise it could be doable.
  • "By the way, HIPAA wouldn't apply to this situation."

    AJ SPHR - can you elaborate? Are you thinking that this kind of communication is not covered or that the employer is not a covered entity? Or something else?

  • HIPAA was intended to provide protection to patients whose PHI is shared between physician offices, hospitals, and other covered entities (including health insurers) via electronic format. The notice to patients is to tell them that some material may be shared, but they will have the ability to sign releases before it's shared.

    This kind of general email is not PHI. And, specifically FMLA and short disability benefits are excluded from coverage under HIPAA. That's why I stated that HIPAA wouldn't apply.

    That doesn't mean that you don't still use caution when sharing private medical information. But, HIPAA seems to be thrown around way too often as the reason to not do anything or even ask a colleague if they've gotten over the flu they had last week. x:-)
  • I have to agree w/ AJ on this. The many posters who said "NO" to putting out detailed announcements about an EE's medical condition are absolutely right: you're looking for big trouble w/ HIPAA. And to solicit such info, and/or signed releases from EEs to put out such info, is a gross invasions of the individuals personal life-- very inappropriate just on grounds of basic courtesy and personal privacy considerations (let alone HIPAA).

    But the only information that needs to be announced to staff is that "...___ will be out for awhile due to illness..." that is the outside limit of the information that an ER should be publishing to staff. If the EE wants to share w/ co-workers, that's their own personal business....period.

    We do this for EEs. If someone informs me or their supervisor that they're going in for surgery or whatever, we (usually their division head) announce to staff that ______ will be out for a period for health reasons. We send the EE flowers. And the division usually sends a card to the EE signed by all staff members who want to sign. That's it.
  • There are definitely HIPAA concerns. Hopefully your boss is not interested in releasing actual medical facts, such as diagnosis, type of surgery, etc. As long as the info releases are restricted to general get well wishes, there should be no HIPAA issues to contend with. That said, you will most certainly have other privacy issues with individual employees. Many folks just don't want to keep their private selves separated from their public selves, which means they prefer that the fact they are sick, were hospitalized, or have been challenged in some other way not be placed in a public workplace arena.

    To answer your question--I don't think an authorization will help or hurt because I don't really think there is a HIPAA issue unless the messages will contained specific PHI. I think that the message system is a bad idea because I think the fall out will be that you and your boss will be reminded about just how private some people want to be. I'd stay away from the practice.

    Let us know what happens.
Sign In or Register to comment.