Q: Are ministries subject to HIPAA requirements?

A: Many ministries are not subject to HIPAA, but some are. Even if your ministry is not required to follow HIPAA’s requirements, understanding the privacy laws is important.

HIPAA is a federal law concerning the privacy and security of protected health information. The law includes a series of requirements, known collectively as the HIPAA Privacy Rule, that protects the privacy of an individual's personal health information. The rule has created confusion for some ministries regarding the law’s application to prayer lists, pastoral counseling, a ministry’s professional counseling operations, and employee health information.

HIPAA applies to specific entities

The law applies to covered entities, as HIPAA defines them:

  1. Health care providers that electronically transmit health information in connection with a HIPAA covered transaction.
  2. Health plans.
  3. Health care clearinghouses (e.g., billing services).
  4. Business associates of these entities.

 

Many ministries don’t fit these categories and are not subject to the HIPAA Privacy Rule.  However, if your ministry provides a health insurance plan for its employees (including cafeteria and flexible spending account arrangements), you may have some obligations regarding HIPAA, including: 

  • Providing certain HIPAA notices to employees.
  • Signing information security agreements with vendors that service the ministry’s health plans.

 

Organizations that provide a self-funded and self-administered plan to fewer than 50 employees are probably exempt from HIPAA. Likewise, employers that provide a fully insured health plan also may be exempt because the insurer assumes most of the HIPAA obligations. 


Examples of ministry activities that are likely subject to the HIPAA Privacy Rule

  • A church camp operates a health clinic that electronically bills health insurance companies for patient services that camp-employed physicians have provided. 
  • A college employs licensed mental health practitioners for its professional counseling center. The center electronically bills health insurance companies for counseling services it provides.

 

Please note: once an event triggers the application of HIPAA’s requirements to an organization, it also invokes the HIPAA Privacy Rule and many other requirements. 

Schools may be subject to the HIPAA Privacy Rule 

If a school employs a health care provider that electronically transmits health care information subject to HIPAA requirements, the school also needs to comply with certain HIPAA requirements concerning the manner in which the information is transmitted. The Family Educational Rights and Privacy Act (FERPA) addresses the privacy of student health records that are considered “educational records.” This law imposes its own requirements, which schools must carefully consider in addition to any HIPPA rules that apply.

State privacy laws may apply

Even if HIPAA doesn't apply, state privacy laws that protect the health information privacy rights of individuals present a significant administrative concern for ministries. They are very likely to be applicable to the use of prayer lists, ministry employee health information, and pastoral counseling records.

How can ministries manage the risks regarding privacy laws?

Ministries can take several steps to help them comply with HIPAA and state privacy laws:  

  1. Seek attorney input. Contact a locally licensed attorney, who is familiar with HIPAA and state privacy laws to determine how to comply with the law’s requirements. 
  2. Insurance. Ministries that employ professional health care practitioners and licensed mental health providers should consider professional liability coverage options for their licensed practitioners and the ministry. 
  3. Obtain Consent. In all circumstances, it’s best to obtain a person’s written consent before disclosing personal information, preferably in writing. 

 

For additional information about HIPAA requirements for ministries, please refer to the article, Some—Not All—Ministries Are Subject to HIPAA Requirements, in the Resources section of BrotherhoodMutual.com.