Prayer Lists: How to Protect Privacy

Obtain permission before sharing sensitive information

Sweeping changes to privacy laws have changed the way doctors, hospitals, and even insurance companies handle health care information. Part of the Health Insurance Portability and Accountability Act (HIPAA) that took effect in 2003 made it illegal for health care providers to disclose information about a person’s medical condition. Generally, the Act doesn’t pertain to churches. However, the ensuing discussion of privacy rights has led many churches to reexamine how they share personal information through prayer ministries.

Here are some suggestions on how to maintain a prayer ministry without offending the prayer recipient or breaking the law.

Get Consent

There’s nothing that prevents a person from telling the congregation—or the whole world—that he has a medical condition and would like prayer. But some laws prevent you from telling the world for him. Therefore, it’s a good idea to obtain a person’s consent before disclosing personal information. It could be as simple as asking someone: “Would you like us to add you to the prayer list?” or “Would you mind if we shared this information with the congregation?” It’s easiest to get verbal consent, but you have far greater legal protection if you obtain it in writing.

Keep It Simple

Even with a person’s consent, it’s best to keep the information general. A notice that says “Sue Smith has been hospitalized, and we pray for a speedy recovery” is better than “Sue Smith has been suffering from debilitating panic attacks that have caused her to be admitted to the hospital. Please pray for her.”

Defer to a Spokesperson

Some churches avoid the problem of obtaining consent by printing information on how to reach a relative or close friend who has agreed to serve as spokesperson. The spokesperson can decide how much detail to release, and to whom. That person is probably in a better position than the church to know how much information to share.

Don’t Mention Employees

Churches should be extremely cautious about disclosing health-related information about their employees without their consent. In particular, churches can be held legally liable for disclosing such information about employees (or their dependents) obtained through the church’s health plan. You should obtain the employee’s consent to release the information. Even with permission, less is generally best.