Heal Your Church WebSite

Teaching, rebuking, correcting & training in righteous web design.

HIPAA (HIPPA), Disclosures and your Church Website

Posting sensitive information online isn’t just a good way to discourage new visitors, it is also a good way to get an existing member to quit while sending you to jail or worse – get your pants sued clean off.

It’s sorta fun and freaky to get comments that mention an issue I’m about to cover in an upcoming post. Yesterday’s comment had to do with the Christ Anchored Tabernacle church website that, among other content problems, posted rather personal prayer requests. The commenter wrote:

Another issue I’d have is less of a design nature – the prayer requests section. Not only can people post requests publicly (apparently unmoderated), their e-mail addresses are also publicly available. Add to that the legal issues of someone posting another person’s health condition (with HIPPA that could be grounds for a lawsuit), and you’ve got potential trouble.

What the astute commenter (Joel A. Tyson of the New Life Singers) is referring to is the Health Insurance Portability and Accountability Act of 1996, otherwise known by its acronym HIPAA – and often typo’d as it is pronounced: HIPPA.

In short, this law was established to ensure a number of privacy-related provisions as they pertain to one’s medical health and records. And while I was clearly engaged in exaggerated hyperbole when I suggested one could land in jail – the part about getting yourself, your church and/or your congregation sued should be taken seriously.

I mean imagine this not-so-hard-to-imagine scenario: You set up a phpBB application to take prayer requests. One night while you’re not watching, well-intending member A broadcasts to the world that not-so-well-feeling member B has contracted the AIDS virus and requires our prayers. I dunno about you, but an image of sharks circling a pair of floundering baby seals immediately comes to my mind … only the sharks are lawyers and member A and his/her church are the main course.

Not being a lawyer, and being frightened by sharks, I decided to assuage my fears by looking for a reasonable explanation. I found one in the form of a blockquote on Jeffrey Veen’s blog, which came courtesy of the Lutheran Church, Missouri Synod’s legal counsel:

HIPAA is not violated when a church publishes the names and medical conditions of church members who are either hospitalized or ill in church publications, such as a church bulletin, newsletter, prayer list or on the congregation’s website. However, it is possible that a congregation’s disclosure of a member’s medical condition or even non-medical information, without the consent of the member, would constitute an ‘invasion of privacy’ under state law. Such ‘invasion of privacy’ laws often give an individual the right to sue when a person publicly discloses information that is private in nature.

In other words, if you’re not sure, don’t post it. In fact, I’m of the mind that such prayer lists should remain hard-copy, available to only those who are attending the church. Moreover, names and conditions shouldn’t be published w/out the permission of the ailing party. Then again, one of my ambitions in life is not to get my pants sued off.

Of course with every storm, there is a silver lining:

Look. Sally needs our prayers. Sally’s oozing wound does NOT need our prayers. I kid you not when I tell you I’ve heard people go on for fifteen or twenty minutes with every minute detail of what some poor soul has experienced at the hands of modern medicine. I don’t need the details! HIPAA’s solitary contribution to the betterment of society may come from having shortened prayer meeting at the Baptist church on Wednesday night. – Rodent Regatta: Hipaa At The Baptist Church

Well-timed comic relief aside, if you are publishing, or are about to publish, a prayer request on your church’s website, you may want to first seek the advice of professional, competent and licensed legal counsel.

Oh yeah, one other point – I am not a lawyer, I do not play one on TV, I do not pretend to be an expert on legal issues. Nothing in this post or on this website should be construed as legal advice. You’ve been warned.


  1. We get around this by allowing for public/private prayer requests and moderating all public ones (removing any last names, etc.).

  2. We’ve planned on setting up a prayer requests section for our church’s web site, but it would be moderated and only accessible to logged in members.

    btw, even with hard copies, you have to be careful if someone calls in a health-related prayer request regarding someone else, since the person in question is not the one who made the condition known.

    Thanks for posting all that info, Dean – and for correcting my typo. :) btw, it’s Joey. ;)

  3. And for those who have sites that are targeted towards their youth groups, don’t forget COPPA.


  4. For that matter, even if you get a form submission or a pew card with some prayer detail and a name, you really don’t know that *that* person was the one who wrote it. Presumably there are few malicious uses of prayer lists to purposely spread gossip quite that blatantly, but it could certainly happen if you don’t confirm before posting.

    We’re planning to start our own prayer email chain soon, and we’re definitely going to moderate info and names very carefully to protect privacy. Luckily the person who’ll moderate came from the medical field, so she’s already well versed in the importance of that privacy care.