HIPAA Privacy Rule and Religious Organizations

HIPAA covered entities include, by definition, healthcare providers, health plans, and healthcare clearinghouses. Healthcare providers include not only hospitals and medical offices, but in some instances religious institutions. Under the HIPAA Privacy Rule, religious institutions that operate health clinics, where the clinics are not distinct legal entities separate from the religious institution, may be considered covered entities. As covered entities, these religious institutions are generally subject to the entirety of the HIPAA Privacy Rule. How the HIPAA Privacy Rule applies to religious organizations is discussed below.

HIPAA Privacy Rule and Religious Organizations: When Does HIPAA Apply

Religious organizations may be deemed to be covered entities, subject to the HIPAA Privacy Rule.

Covered entities include (among other entities):

  • Healthcare providers who electronically transmit any health information in connection with certain transactions.
    • These transactions include electronic exchanges of information between two parties to carry out financial or administrative activities related to healthcare. For example, a healthcare provider will send a claim to a health plan to request payment for medical services.

When are Religious Organizations Deemed to Be Healthcare Providers Under the HIPAA Privacy Rule?

Religious institutions often engage in charitable work in their communities. This charitable work may consist of activities such as clothing and food drives, and providing services to individuals who may be in need of food or shelter.

Not uncommonly, religious institutions also provide medical services to individuals who may not be able to pay for those services. Services may be provided through religious institution-owned health clinics. These clinics, if they are not distinct legal entities separate from the religious institution itself, meet the definition of “healthcare provider.” “Healthcare,” by definition, includes the furnishing of care, services, or supplies related to an individual’s health. Healthcare includes (but is not limited to) the following:

  • Preventive, diagnostic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
  • Sale or dispensing of a drug, device, equipment, or other items in accordance with a prescription.

Religious institution-owned health clinics that provide these services are healthcare providers.

Healthcare providers who electronically transmit any health information to carry out financial or administrative activities related to healthcare are regarded as covered entities.

Clinics that meet the definition of “healthcare provider,” AND that engage in these transmissions – which include, for example, electronic billing of Medicare, Medicaid, private insurance companies, or patients’ credit cards – are covered entities, and as such, are subject to the entirety of the HIPAA Privacy Rule. 

What are the Implications of a Religious Institution Being a Covered Entity?

Under HIPAA, covered entities that seek to use PHI for purposes other than their own treatment, payment, or healthcare operations must generally obtain the patient's prior written authorization. This means, among other things, that the religious organization may not include PHI about congregants or individuals in bulletins, prayer lists, or other communications unrelated to payment, treatment, or healthcare operations.