Skip to the main content.
Talk to sales Start for free
Talk to sales Start for free

3 min read

Are crisis pregnancy centers HIPAA compliant?

Are crisis pregnancy centers HIPAA compliant?

Crisis pregnancy centers (CPCs) play a role in supporting individuals facing unintended pregnancies; however, these facilities may not comply with HIPAA.

 

What are crisis pregnancy centers?

CPCs are organizations, often non-profit and sometimes faith-based, that aim to provide counseling and support to individuals facing unintended pregnancies. Their services may include pregnancy testing, ultrasounds, counseling, and material assistance like baby clothes and diapers. CPCs are generally not medical facilities, though some may offer limited medical services like ultrasounds.

CPCs are distinct from comprehensive reproductive health clinics, as they typically do not provide or refer for abortion services and may focus on encouraging individuals to carry pregnancies to term. The goals and practices of CPCs can vary widely, but they often emphasize alternatives to abortion.

 

Understanding HIPAA and who it applies to

HIPAA is a federal law enacted in 1996 that establishes national standards to protect individuals' medical records and other personal health information (PHI). HIPAA applies to:

  • Healthcare providers: These include doctors, clinics, hospitals, psychologists, dentists, chiropractors, nursing homes, and pharmacies.
  • Health plans: This includes health insurance companies, HMOs, company health plans, and government programs that pay for healthcare, such as Medicare and Medicaid.
  • Healthcare clearinghouses: Entities that process nonstandard health information received from another entity into a standard format (or vice versa).

These groups are collectively referred to as "covered entities" under HIPAA. Additionally, HIPAA also applies to "business associates" of these entities, such as third-party administrators or IT service providers who have access to PHI.

Go deeper: What is HIPAA?

 

HIPAA compliance and CPCs

Whether a CPC is HIPAA compliant depends largely on whether it meets the criteria for being a "covered entity" under HIPAA. The key factors include:

  • Provision of healthcare services: To be a covered entity, the organization must provide healthcare services that involve the transmission of health information electronically. Many CPCs do not bill insurance companies or process electronic health transactions, which would typically trigger HIPAA compliance requirements.
  • Electronic transmission of health information: CPCs that do not engage in electronic transactions (such as billing insurance companies for services) are generally not covered by HIPAA. This is often the case with many CPCs, especially those that offer free services or do not have healthcare providers on staff.
  • Type of services offered: Some CPCs do offer limited medical services, like ultrasounds or STD testing, and may have licensed medical professionals on staff. However, unless these services involve electronic transactions related to PHI, HIPAA still may not apply.

“Most centers do not meet the legal definition of a covered entity under the HIPAA regulation because they do not furnish, bill, or are paid for health care in the normal course of business and do not transmit health information in electronic form in connection with a transaction for which a HIPAA standard has been adopted by HHS, says Care Net, a ministry of Pro Abundant Life CPC.

Related: Understanding and implementing HIPAA rules

 

Implications of non-compliance

For individuals seeking services at a CPC, the lack of HIPAA compliance can have significant implications:

  • Privacy risks: Unlike HIPAA-covered entities, CPCs not bound by HIPAA may not be required to protect your personal and medical information with the same rigor. This means your information could be shared with third parties, including other organizations, without your consent or knowledge.
  • Lack of recourse: If your information is mishandled at a CPC, you may have limited recourse compared to if the same happened at a healthcare provider covered by HIPAA. HIPAA provides a formal process for individuals to file complaints and seek redress for violations, but this process does not apply to non-covered entities.
  • Varied practices: While some CPCs might voluntarily adopt privacy policies similar to those required by HIPAA, these practices can vary widely. There is no federal mandate requiring CPCs to adhere to HIPAA standards unless they are covered entities.

Learn more: What are the consequences of not complying with HIPAA

 

What should you do?

If you are considering visiting a CPC and are concerned about your privacy, it’s important to ask questions upfront. Here are some steps you can take:

  • Inquire about privacy practices: Ask the CPC how they handle your personal and medical information. Do they share information with third parties? How is your data stored and protected?
  • Request written policies: If possible, request a copy of the CPC’s privacy policy to understand how your information will be used and protected.
  • Consider your options: If privacy is a top concern, you may want to consider visiting a HIPAA compliant healthcare provider, such as a clinic or hospital, where your information will be protected under federal law.

See also: HIPAA Compliant Email: The Definitive Guide

 

FAQs

Can I file a complaint if my information is mishandled by a CPC?

Since CPCs are generally not covered by HIPAA, the formal complaint process provided by HIPAA does not apply. However, you can still express your concerns directly to the CPC or seek advice from a legal professional regarding other potential avenues for addressing your privacy concerns.

See also: Filing a HIPAA complaint

 

What types of information might CPCs collect?

CPCs may collect a variety of information, including your name, contact information, pregnancy status, medical history, and details about your personal circumstances. How they use and store this information can vary, so it’s important to inquire about their privacy policies.

 

Are CPCs required to inform me if they are not HIPAA compliant?

CPCs are not legally required to disclose their HIPAA status unless asked. It’s up to the individual to inquire about their privacy practices and whether they follow HIPAA regulations.

 

 

 

Subscribe to Paubox Weekly

Every Friday we'll bring you the most important news from Paubox. Our aim is to make you smarter, faster.