Some—Not All—Ministries Are Subject to HIPAA Requirements

When a member of the congregation has health issues, other members may ask for updates on their condition. These requests are well-intentioned, but they could put the ministry in an awkward position. On one hand, ministry workers may want to share information so friends can pray for one another. On the other, protecting members’ privacy is a serious responsibility.

There are several misconceptions about how privacy laws apply to ministries. Do the rules apply to prayer lists? Are pastoral counselors subject to these requirements? What if a ministry has a professional counseling center? Is employee health information protected by the rules?

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law concerning the privacy of health information. HIPAA includes a set of requirements, known collectively as the HIPAA Privacy Rule, that protects the privacy of an individual's personal health information. HIPAA does not apply to many ministries. However, it’s a good idea to understand the law, so you can follow any requirements that may apply to your ministry.

HIPAA Applies to Specific Organizations

As with all laws, understanding the meaning of a few definitions found within HIPAA is important. The law applies to specific organizations, defined by HIPAA as covered entities. These entities include:

1. Health care providers that electronically transmit health information in connection with a HIPAA covered transaction.

2. Health plans.

3. Health care clearinghouses (e.g., billing services).

4. Business associates of these entities.

Health care providers are persons or organizations that furnish, bill, or are paid for health care services in the normal course of business. 

A covered transaction includes the electronic transmission of health care claims, health care payments, and health-plan enrollments, eligibility determinations, or premium payments.

Many Ministries Are Not Subject to the HIPAA Privacy Rule

Many ministries don’t fit within the categories mentioned above, so they are not subject to HIPAA’s privacy requirements. However, if a ministry provides a health insurance plan for its employees (including cafeteria and flexible spending account arrangements), the ministry may have some obligations regarding HIPAA, including: 

• Providing certain HIPAA notices to employees.

• Signing information security agreements with vendors that service the ministry’s health plans.

For some employers, there are exceptions. Organizations that provide a self-funded and self-administered plan for fewer than 50 employees are probably exempt from HIPAA. Likewise, employers that provide a fully insured health plan also may breathe more easily, because the insurer assumes most of the HIPAA obligations. If your ministry provides any health benefits, it’s a good idea to consult with your health plan provider and your attorney for guidance concerning your HIPAA obligations.

When is a Ministry Subject to the HIPAA Privacy Rule?

A ministry may be subject to HIPAA’s privacy requirements when the ministry is a health care provider engaging in covered transactions (as described above). 

Examples of ministry activities that are likely subject to the HIPAA Privacy Rule:

• A church camp operates a health clinic that electronically bills health insurance companies for patient services that camp-employed physicians have provided. 

• A college employs licensed mental health practitioners for its professional counseling center. The center electronically bills health insurance companies for counseling services it provides.

Please note: Once an event triggers the application of HIPAA’s requirements to an organization, it also invokes the HIPAA Privacy Rule and many other requirements. In some cases, a ministry may be able to legally separate ministry operations that are subject to HIPAA from those that are not. To be effective, separation of ministry operations must strictly comply with HIPAA requirements.

Examples of ministry activities that are probably not subject to the HIPAA Privacy Rule:

• Some churches have volunteer or employed nurses who direct parish nursing or faith community nursing programs. Typically, nurses in these programs provide first aid, CPR, and automatic external defibrillator (AED) training, health screenings, and wellness classes. Such services would not involve transactions that trigger HIPAA applicability. 

• A church’s pastoral staff members, who are not licensed mental health practitioners, provide free counseling assistance to members and others. The federal government has indicated that HIPAA is not applicable to clergy members who solely provide religious healing.

• A church places individuals’ names on a prayer list that includes people who have health issues. This activity does not make the ministry a health care provider for purposes of the HIPAA Privacy Rule.   

Schools May Be Subject to the HIPAA Privacy Rule 

If a school employs a health care provider that electronically transmits health care information subject to HIPAA requirements, the school also needs to comply with certain HIPAA requirements concerning the manner in which the information is transmitted. 

There are exceptions, however. If the school maintains health information only in student health records that are considered “educational records,” the privacy of those records is addressed by the Family Educational Rights and Privacy Act (FERPA). This law imposes its own requirements, which schools also must consider carefully. For example, FERPA requires schools to obtain parental consent before disclosing Medicaid billing information about a medical service that the school provided to a student. 

State Privacy Laws Also May Apply

Even if HIPAA doesn't apply to its operations, a ministry does have a legal duty under state privacy laws to protect an individual's privacy. Some of these laws may be more stringent than HIPAA requirements.

State laws protecting the health information privacy rights of individuals present a significant administrative concern for ministries. They are very likely to be applicable to the use of prayer lists, ministry-employee health information, and pastoral counseling records.

How Can Ministries Manage the Risks Regarding Privacy Laws?

Ministries can take several steps to help them comply with HIPAA and state privacy laws:  

1. Seek attorney input. Contact a locally licensed attorney, who is familiar with HIPAA, to determine how to comply with the law’s requirements. A knowledgeable attorney also can assist a ministry in understanding and following state and local laws related to privacy.

2. Insurance. Ministries that employ professional health care practitioners and licensed mental health providers should consider professional liability coverage options for their licensed practitioners and the ministry. Some professional liability insurance policies provide coverage for HIPAA violations.

3. Obtain Consent. Although HIPAA doesn’t likely apply to a most ministries’ operations, there’s nothing that prevents individuals from telling the congregation that they have a medical condition and would like to receive prayers. Some laws, however, prevent you from telling the congregation on an individual’s behalf. Therefore, obtain a person’s written consent before disclosing personal information. While it could be as simple as asking someone: Would you like us to add you to the prayer list? or Would you mind if we shared this information with the congregation?; you have far greater legal protection if you obtain the person’s consent in writing.   

Additional Resources

• U.S. Health and Human Services – Summary of the HIPAA Privacy Rule
• U.S. Health and Human Services – HIPAA’s Applicability to elementary and secondary schools
• U.S. Department of Education – Family Educational Rights and Privacy Act (FERPA)