While the HIPAA privacy rule does not directly regulate churches and clergy members, it does apply to them in certain circumstances. The rule allows healthcare providers to disclose limited information to clergy members, provided the patient has not objected and the information falls within the specified directory criteria.
The HIPAA privacy rule grants patients greater control over how their health information is used and disclosed and provides remedies in case of privacy breaches. It applies to covered entities, including hospitals, doctors, health plans, and any other healthcare providers that conduct electronic transactions.
Read more:
One area of confusion surrounding the HIPAA privacy rule is how it affects churches and clergy members. While churches are not typically considered covered entities under HIPAA, the rule may apply to them in some instances.
The privacy rule specifies that covered entities may not use or disclose protected health information (PHI) without the patient's authorization, except in certain circumstances. One such exception, outlined in section 164.510 of the privacy rule, allows healthcare providers to maintain a directory of individuals in their facility and disclose limited information to members of the clergy.
While healthcare providers can disclose directory information to clergy members, they must inform the patient about the information that may be included in the directory and the individuals to whom it may be disclosed. Patients should also be allowed to restrict or prohibit the use or disclosure of their information for directory purposes.
Based on the provisions of the HIPAA privacy rule, it is clear that clergy members can receive limited information about patients from healthcare providers. However, there are still some considerations for clergy and churches to keep in mind.
The privacy rule does not provide a specific definition of a "minister." While it is commonly understood to include ordained clergy, it may also extend to non-ordained associate pastors, deacons, church board members, and lay workers who provide spiritual support.
It is important to note that the privacy rule does not grant automatic access to emergency rooms for clergy members. Each hospital may have its own policies regarding access to patients in crisis situations.
Hospitals may still ask incoming patients if they would like a visit from a chaplain. However, it is necessary to respect the patient's privacy and ensure that any disclosure of PHI to the chaplain is done with the patient's informed consent.
Unauthorized disclosure of PHI by churches can potentially be considered an invasion of privacy. Churches should exercise caution when publishing information about the health conditions of their members or employees, even to seek prayers and support. A case in Ohio, Mitnaul v. Fairmount Presbyterian Church, demonstrated that the inclusion of personal medical information on a church website without explicit consent could be seen as offensive or objectionable.
Similarly, a federal case, Travelers Indemnity Company v. Portal Healthcare Solutions, ruled that posting private medical records online without adequate security gave "unreasonable publicity" to the patients' private lives. This decision suggests that similar disclosures by churches, such as publishing prayer lists with medical details in bulletins or online, could lead to liability. Churches should strive to obtain consent and respect the privacy of their members.
According to the HHS, “Yes, the HIPAA Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered health care provider may maintain in a directory the following information about that individual: the individual’s name; location in the facility; health condition expressed in general terms; and religious affiliation.”
Healthcare facilities can maintain a directory of patient details such as names, locations, general health conditions, and religious affiliations. This directory information can be disclosed to clergy members, facilitating appropriate spiritual support and care communication.
No, clergy are not covered entities under HIPAA. The law applies to healthcare providers, health plans, and related entities that handle protected health information (PHI).
Clergy may need to follow HIPAA guidelines if they work in healthcare settings or encounter PHI while providing spiritual care in hospitals or nursing homes.
Clergy can ensure compliance by attending HIPAA training, limiting access to PHI, securing communications, and collaborating with healthcare providers to protect patient privacy.
See also: HIPAA Compliant Email: The Definitive Guide