For a variety of reasons, a church can end up handling confidential health information about its volunteers, employees, and even members of its congregation. A church with employees may need to assist with the administration of a workers’ compensation claim. If the church provides other types of health care benefits, it may handle applications and other records that include private facts about employees. And in its role as a source of solace and support, a church may receive information through less formal channels, such as in a counseling session or through conversation, that an individual expects will be held in confidence.
The federal Health Insurance Portability and Accountability Act (HIPAA) imposes strict requirements of confidentiality for certain types of health information that an organization receives. Covered information may be received in writing, electronically, or even orally. It may be received by an employee, a member of clergy, or even a volunteer acting under the auspices of the church.
HIPAA applies to individually identifiable health information that is held or transmitted by a covered entity or its associates. It includes any information that identifies an individual, or could be used to identify the individual, and relates to the individual’s medical or mental health conditions (whether in the past, in the present, or anticipated), any receipt of health services, or matters related to payment for health care. Disclosures of such information can be made only in limited circumstances without the individual’s prior written consent.
HIPAA creates interesting pitfalls for churches. Here are just a couple examples of how it might apply:
- A member of the church’s clergy receives an email from a congregant explaining a complex medical condition that the congregant is suffering with and asking for advice on how to cope.
- A church manager receives information about an injury suffered by an employee working on church grounds.
- A volunteer working in support of an official church substance abuse assistance program receives information from an individual about the individual’s alcoholism, depression, and struggles with chronic pain.
In each of these cases, the individual receiving the information may have a HIPAA obligation to maintain the confidentiality of the information. If the information is disclosed outside of one of the exceptions to the confidentiality rule, the church may be held liable for violating HIPAA, with penalties varying based on the severity of the negligence from $100 per incident to substantially more.
The Church Law Center of California can help churches examine their legal compliance requirements to ensure that they stay in compliance. If you have questions about how HIPAA may affect your church’s operations, or how to best manage risks related to handling health information, please reach out to us today. Call us at (949) 892-1221 or reach out to us through our contact page.
