When a member of the congregation has health issues, other members may ask for updates on their condition. These requests are well-intentioned, but they could put the ministry in an awkward position. On one hand, ministry workers may want to share information so friends can pray for one another. On the other, protecting members’ privacy is a serious responsibility.
There are several misconceptions about how privacy laws apply to ministries. Do the rules apply to prayer lists? Are pastoral counselors subject to these requirements? What if a ministry has a professional counseling center? Is employee health information protected by the rules?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law concerning the privacy of health information. HIPAA includes a set of requirements, known collectively as the HIPAA Privacy Rule, that protects the privacy of an individual's personal health information. HIPAA does not apply to many ministries. However, it’s a good idea to understand the law, so you can follow any requirements that may apply to your ministry.
As with all laws, understanding the meaning of a few definitions found within HIPAA is important. The law applies to specific organizations, defined by HIPAA as covered entities. These entities include:
Health care providers are persons or organizations that furnish, bill, or are paid for health care services in the normal course of business.
A covered transaction includes the electronic transmission of health care claims, health care payments, and health-plan enrollments, eligibility determinations, or premium payments.
Many ministries don’t fit within the categories mentioned above, so they are not subject to HIPAA’s privacy requirements. However, if a ministry provides a health insurance plan for its employees (including cafeteria and flexible spending account arrangements), the ministry may have some obligations regarding HIPAA, including:
For some employers, there are exceptions. Organizations that provide a self-funded and self-administered plan for fewer than 50 employees are probably exempt from HIPAA. Likewise, employers that provide a fully insured health plan also may breathe more easily, because the insurer assumes most of the HIPAA obligations. If your ministry provides any health benefits, it’s a good idea to consult with your health plan provider and your attorney for guidance concerning your HIPAA obligations.
A ministry may be subject to HIPAA’s privacy requirements when the ministry is a health care provider engaging in covered transactions (as described above).
Examples of ministry activities that are likely subject to the HIPAA Privacy Rule:
Please note: Once an event triggers the application of HIPAA’s requirements to an organization, it also invokes the HIPAA Privacy Rule and many other requirements. In some cases, a ministry may be able to legally separate ministry operations that are subject to HIPAA from those that are not. To be effective, separation of ministry operations must strictly comply with HIPAA requirements.
Examples of ministry activities that are probably not subject to the HIPAA Privacy Rule:
If a school employs a health care provider that electronically transmits health care information subject to HIPAA requirements, the school also needs to comply with certain HIPAA requirements concerning the manner in which the information is transmitted.
There are exceptions, however. If the school maintains health information only in student health records that are considered “educational records,” the privacy of those records is addressed by the Family Educational Rights and Privacy Act (FERPA). This law imposes its own requirements, which schools also must consider carefully. For example, FERPA requires schools to obtain parental consent before disclosing Medicaid billing information about a medical service that the school provided to a student.
Even if HIPAA doesn't apply to its operations, a ministry does have a legal duty under state privacy laws to protect an individual's privacy. Some of these laws may be more stringent than HIPAA requirements.
State laws protecting the health information privacy rights of individuals present a significant administrative concern for ministries. They are very likely to be applicable to the use of prayer lists, ministry-employee health information, and pastoral counseling records.
Ministries can take several steps to help them comply with HIPAA and state privacy laws:
Thank you for your interest in Brotherhood Mutual. We appreciate the opportunity to provide your church or other ministry with an insurance quote and will reply to your request as soon as possible.
Text to follow...