The Application of the HIPAA Privacy Rules to Religious Organizations

Article summary.
Some pastors are expressing concern about a new federal law that prohibits churches from listing the names of hospitalized members in church bulletins or on church “prayer lists.” This article will review the law in question, and explain its application to pastors and churches.

In 1996 Congress enacted the massive Health Insurance Portability and Accountability Act (HIPAA) in order to improve “portability” and continuity of health insurance coverage; to combat waste, fraud, and abuse in health insurance; to promote the use of medical savings accounts; to improve access to long-term care; and to simplify the administration of health insurance. In order to simplify the administration of health insurance, HIPAA included “Administrative Simplification” provisions that required the U.S. Department of Health and Human Services (HHS) to adopt national standards for electronic health care transactions. At the same time, Congress recognized that advances in electronic technology could erode the privacy of health information. As a result, Congress incorporated into HIPAA mandatory federal privacy protections.

In response to the HIPAA mandate, HHS published a regulation in the form of the Privacy Rule in December 2000, which became effective on April 14, 2001. This Rule set national standards for the protection of health information for health care providers who conduct certain health care transactions electronically. By the compliance date of April 14, 2003, covered entities must implement standards to protect and guard against the misuse of health information. Failure to implement these standards on time may, under certain circumstances, trigger the imposition of civil or criminal penalties.

In response to public comments, HHS published a revised Privacy Rule in March of 2002. Following another round of public comments, in August of 2002 HHS adopted a final “Privacy Rule.” The final rule establishes, for the first time, a foundation of federal protections for the privacy of protected health information. The rule does not replace federal, state, or other law that grants individuals even greater privacy protections, and covered entities are free to retain or adopt more protective policies or practices.

What does the HIPAA Privacy Rule do?

The federal Privacy Rule guarantees patients access to their medical records; gives them more control over how their health information is used and disclosed; and provides a remedy if their medical privacy is compromised. The Privacy Rule will protect medical records and other personal health information maintained by hospitals and some other health care providers. Under the Privacy Rule:

  • Patients must give specific authorization before entities covered by this regulation could use or disclose protected information in most non-routine circumstances, such as releasing information to an employer or for use in marketing activities.
  • Hospitals will be required to follow the rule’s standards for the use and disclosure of personal health information.
  • Hospitals will need to provide patients with written notice of their privacy practices and patients’ privacy rights. The notice will contain information that could be useful to patients choosing a health plan, doctor or other provider. Patients would generally be asked to sign or otherwise acknowledge receipt of the privacy notice from direct treatment providers.
  • Patients will be able to access their personal medical records and request changes to correct any errors. In addition, patients generally could request an accounting of non-routine uses and disclosures of their health information.

Why is the HIPAA Privacy Rule needed?

In enacting HIPAA, Congress mandated the establishment of federal standards for the privacy of health information. Prior to HIPAA, the privacy of medical information was protected by a patchwork of state laws that varied from state to state. The Privacy Rule establishes a federal “floor” of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections will continue to apply over and above the new federal privacy standards. Health care providers have a strong tradition of safeguarding private health information. However, in today’s world, the old system of paper records in locked filing cabinets is not enough. With information that is stored and transmitted electronically, the Privacy Rule provides clear standards for the protection of personal health information.

Who must comply with these new HIPAA privacy standards?

The HIPAA privacy standards apply to hospitals and other health care providers that conduct certain financial and administrative transactions electronically, such as electronic billing and fund transfers. Obviously, most public and private hospitals are covered entities.

How does the Privacy Rule affect churches and pastors?

The Privacy Rule specifies that a covered entity “may not use or disclose protected health information,” with some exceptions. One exception is contained in section 164.510 of the Privacy Rule, which provides:

A covered entity may use or disclose protected health information, provided that the individual is informed in advance of the use or disclosure and has the opportunity to agree to or prohibit or restrict the use or disclosure, in accordance with the applicable requirements of this section. The covered entity may orally inform the individual of and obtain the individual’s oral agreement or objection to a use or disclosure permitted by this section.

(a) Standard: use and disclosure for facility directories.

(1) Permitted uses and disclosure. Except when an objection is expressed in accordance with paragraphs (a)(2) or (3) of this section, a covered health care provider may:

(i) Use the following protected health information to maintain a directory of individuals in its facility:

(A) The individual’s name;

(B) The individual’s location in the covered health care provider’s facility;

(C) The individual’s condition described in general terms that does not communicate specific medical information about the individual; and

(D) The individual’s religious affiliation; and

(ii) Disclose for directory purposes such information: (A) To members of the clergy; or (B) Except for religious affiliation, to other persons who ask for the individual by name.

(2) Opportunity to object. A covered health care provider must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information (including disclosures to clergy of information regarding religious affiliation) and provide the individual with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by paragraph (a)(1) of this section.

(3) Emergency circumstances.

(i) If the opportunity to object to uses or disclosures required by paragraph (a)(2) of this section cannot practicably be provided because of the individual’s incapacity or an emergency treatment circumstance, a covered health care provider may use or disclose some or all of the protected health information permitted by paragraph (a)(1) of this section for the facility’s directory, if such disclosure is:

(A) Consistent with a prior expressed preference of the individual, if any, that is known to the covered health care provider; and

(B) In the individual’s best interest as determined by the covered health care provider, in the exercise of professional judgment.

(ii) The covered health care provider must inform the individual and provide an opportunity to object to uses or disclosures for directory purposes as required by paragraph (a)(2) of this section when it becomes practicable to do so.

The official explanation of these provisions, drafted by the Health and Human Services Department, provides the following helpful comments:

Under the final rule, we also establish provisions for disclosure of directory information to clergy that are slightly different from those which apply for disclosure to the general public. Subject to the individual’s right to object or restrict the disclosure, the final rule permits a covered entity to disclose to a member of the clergy: (1) the individual’s name; (2) the individual’s general condition in terms that do not communicate specific medical information about the individual; (3) the individual’s location in the facility; and (4) the individual’s religious affiliation. A disclosure of directory information may be made to members of the clergy even if they do not inquire about an individual by name. We note that the rule in no way requires a covered health care provider to inquire about the religious affiliation of an individual, nor must individuals supply that information to the facility. Individuals are free to determine whether they want their religious affiliation disclosed to clergy through facility directories.

We believe that allowing clergy access to patient information pursuant to this section does not violate the Establishment Clause because the exemption from the final rule’s authorization requirement for disclosure to clergy of the specified protected health information is a permissible religious accommodation. The purpose and effect of this provision is to alleviate significant governmental interference with the exercise of religion, and we anticipate that the exemption would rarely, if ever, impose any significant burdens on patients or other individuals.

Without this exemption, covered entities would have to obtain authorizations before disclosing the limited protected health information to clergy, thereby making it more difficult than it commonly has been for clergy to provide services to patients. Accordingly, the clergy exemption permitting limited disclosure of protected health information in the circumstances noted above is “rationally related to the legitimate purpose of alleviating significant governmental interference with the ability of religious organizations to define and carry out their religious missions.” Corporation of the Presiding Bishop of Jesus Christ of Latter-Day Saints v. Amos, 483 U.S. 327, 339 (1987). Moreover, in certain cases the clergy exemption might also alleviate significant governmental interference with patients’ religious exercise that the final rule’s authorization requirement otherwise would impose, for example, by eliminating delay that might inhibit the ability of a patient to obtain sacraments provided during last rights [sic].

What do these provisions mean, as a practical matter?

Consider the following rules:

(1) disclosure of medical information prohibited

In general, HIPAA prohibits hospitals from releasing “protected health information” about a patient, unless specifically authorized. Protected health information includes “individually identifiable health information,” which is defined to include any information regarding an individual that is “created or received” by a hospital and “relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) that identifies the individual; or (ii) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.”

This means that it would be unlawful for a hospital to release information to a church regarding the name and medical condition of a member who is hospitalized.

Example. John is a member of First Church. He works as a nurse in a hospital emergency room. This morning Joan was taken to the emergency room by an ambulance as a result of a heart attack. After being stabilized, Joan was taken to Room 222 in intensive care. John calls the office at First Church and informs them that Joan has suffered a heart attack and is in Room 222. John has violated HIPAA.

(2) limited exception-hospital lists

The Privacy Rule specifies that, unless an objection is raised, a hospital may use the following protected health information in a directory of individuals: (1) a patient’s name; (2) a patient’s location in the hospital; (3) the patient’s condition described in general terms that does not communicate specific medical information about the individual; and (4) the patient’s religious affiliation. A directory containing such information may be disclosed to members of the clergy, and, except for religious affiliation, to other persons who ask for the individual by name.

However, a hospital must inform a patient of the information that it may include in a directory and the persons to whom it may disclose this information (including disclosures to clergy of information regarding religious affiliation) and provide the patient with the opportunity to restrict or prohibit some or all of the uses or disclosures permitted by the Privacy Rule.

Example. Pastor Bob is the senior pastor of a Baptist church. He visits the local hospital several times each week to call on members of his congregation and other patients who are affiliated with Baptist churches. He goes to an information desk in the hospital lobby and asks to see the directory of patients so that he can determine who he wants to visit. The Privacy Rule permits hospitals to maintain directories containing the names of patients, their room numbers, their general medical condition, and religious affiliation, provided that patients have the right to object to some or all of this information being listed in the directory.

Example. Pastor Bob asks a hospital employee to forward to him the name, room number, and general medical condition of any new patient whose “religious affiliation” is listed as “Baptist” in the patient directory. Any compliance with this request by the hospital would violate HIPAA.

Example. Pastor Bob keeps a list of members of his church who are in the hospital, and this list is printed in the church bulletin each week in order to encourage the church to pray for these individuals. Neither Pastor Bob nor the church has violated HIPAA, since no hospital disclosed private information about any patient without authorization.

The HHS Office of Civil Rights issued written Standards for Privacy of Individually identifiable Health Information in December of 2002. These standards contain the following question and answer:

Q: Are hospitals able to inform the clergy about parishioners in the hospital?

A: Yes, the HIPAA Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered health care provider may maintain in a directory the following information about that individual: the individual’s name; location in the facility; health condition expressed in general terms; and religious affiliation. The facility may disclose this directory information to members of the clergy. Thus, for example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure. Directory information, except for religious affiliation, may be disclosed only to other persons who ask for the individual by name. When, due to emergency circumstances or incapacity, the patient has not been provided an opportunity to agree or object to being included in the facility’s directory, these disclosures may still occur, if such disclosure is consistent with any known prior expressed preference of the individual and the disclosure is in the individual’s best interest as determined in the professional judgment of the provider.

(3) limited exception—emergencies

Often, a church member will end up in a hospital because of a sudden emergency, such as an accident or a heart attack, and is not capable of objecting to the inclusion of his name, room number, general medical condition, and religious affiliation in a hospital directory. In such a case, the Privacy Rule permits a hospital to include some or all of this personal information in its directory, if such disclosure is (1) consistent with a prior expressed preference of the individual, if any, that is known to the hospital, and (2) in the individual’s best interest as determined by the hospital in the exercise of professional judgment. The hospital must inform the patient and provide an opportunity to object to the inclusion of personal information in the patient directory when it becomes practicable to do so.

Example. Dawn is a 20-year-old member of a church. She is seriously injured in a car accident late on a Friday night, and is taken to a hospital emergency room. Since she is unconscious, she cannot object to the inclusion of personal information in the hospital’s patient directory. The hospital can include her name, room number, general medical condition, and religious affiliation in its patient directory if such a disclosure is consistent with any prior consent Dawn gave during a previous hospitalization, or is in her best interest as determined by the hospital. The hospital must provide Dawn with an opportunity to object to the inclusion of personal information in the patient directory when it becomes practicable to do so.

Informing the congregation

In order to ensure that pastors and church offices are apprised of members who are hospitalized, the following notice should be published periodically in church bulletins, newsletters, or on a church’s website:

Hospital Stays

A new federal law greatly restricts the disclosure of patient information by hospitals. As a result, the pastor and church office may not know that a member of the church has been admitted to the hospital. If you are hospitalized, and would like to notify the pastor, it is important that you (or a family member) inform the church office as soon as possible. Call us at [church phone number]. Remember, hospitals no longer can provide this information to us.

Miscellaneous questions

There are a number of questions that remain to be clarified, including the following:

  1. Who is a “minister”? The Privacy Rule provides no definition. Will this term be restricted to ordained clergy? What about noncredentialed associate pastors, deacons, church board members? What about lay workers who volunteer to visit people in the hospital for prayer and spiritual support?
  2. Will ministers have access to emergency rooms to visit families in crisis?
  3. Can hospitals continue to ask incoming patients if they would like a visit from a chaplain?

Ministers should check with the chaplain’s office at local hospitals for clarification of these questions and the other questions addressed in this article.

Chaplains

How does the Privacy Rule impact chaplains? There are a couple of points to consider.

First, the Privacy Rule states that a hospital may “disclose protected health information for treatment activities of a health care provider.” According to this language, a hospital can permit chaplains to have access to health information of patients if they are designated by the hospital as a “health care provider” who is engaged in treatment activities. For chaplains who have no desire to access patient medical information, this issue is of no consequence. But some chaplains see their role as vitally involved in treatment, and desire access to patients’ medical records in order to adequately perform their duties. This is certainly possible under the Privacy Rule, but only to the extent that a hospital specifically identifies chaplains as health care providers who are involved in treatment activities. The very same considerations apply to chaplain interns.

Second, chaplains have access to the patient directory that a hospital is permitted to maintain, as noted above.

Invasion of Privacy

This article demonstrates that HIPAA is not violated when a church publishes a “prayer list” in a church bulletin, newsletter, website, or some other resource, that contains the names and medical conditions of church members who are either hospitalized or ill. HIPAA only addresses the unauthorized disclosure of patient information by hospitals. So, while HIPAA would be violated if a hospital contacted churches to inform them of members who have been hospitalized, a church is not liable for using this information (for prayer lists, or pastoral visits).

On the other hand, it is possible that a church’s unauthorized disclosure of members’ medical conditions would constitute an “invasion of privacy.”

Example. A church music director was hospitalized for severe depression. During the period of his hospitalization, the church placed him on a medical leave of absence, and an acting music director was appointed. A few months later, the music director was again hospitalized following a suicide attempt. A few days after the music director was discharged from the hospital, the church posted an article on its website that contained the following statements: “We have good news for you! Our music director is returning to the church after a long medical leave of absence. Since the summer of last year, he has been treated for bi-polar illness, a condition which at times has resulted in serious depression for him. Various therapies and medications have been tried, and finally, after much experimentation, his health has improved considerably. For that we are all very happy.” The music director was dismissed by the church, and he filed a lawsuit claiming that his dismissal amounted to wrongful discrimination based on disability. He also claimed that the church “invaded his privacy” by printing the notice on the church website regarding his hospitalization and medical condition. A trial court dismissed the privacy claim, but a state appeals court reversed this ruling and ordered the case to proceed to trial. It observed, “The right of privacy is the right of a person to be let alone, to be free from unwarranted publicity, and to live without unwarranted interference by the public in matters with which the public is not necessarily concerned.” The court concluded, “The comments made on the church’s website were based purely on the music director’s private affairs, i.e. his hospitalization for depression. While he did inform those necessary persons about his condition—the pastor and a few close friends who belonged to the church—this cannot be seen as a waiver to enter his private life …. While the church’s publication could be based upon informing the congregation of the music director’s return to the church, the inclusion of the additional personal information about his bi-polar illness could be viewed as offensive or objectionable to a reasonable person. Therefore … the trial court erred by granting summary judgment based on this claim.” Mitnaul v. Fairmount Presbyterian Church, 778 N.E.2d 1093 (Ohio App. 2002)

The case summarized in this example demonstrates the potential liability churches face when they publish information on their websites, or in church bulletins or newsletters, concerning the health condition of employees or church members. In order to eliminate this risk, these kinds of disclosures should not be made without consent, even if the purpose is to call the congregation to pray for the individuals. Consent may be obtained in various ways. It can be “express,” meaning that no information about the health condition of a member or employee is published by the church in any form without that person’s signed consent. Obviously, larger churches would find it difficult to obtain the express written consent of every member or employee who is ill or hospitalized. A second type of consent is “implied” consent. This can be obtained by publishing occasional notices in church publications (newsletters, bulletins, websites, etc.) advising members that prayer lists are compiled by the church that contain the names and medical conditions of persons who are known to be hospitalized or ill, and advising members who do not want their name and medical condition published on church prayer lists to so inform the pastor or church office. A list should be made of persons who object to being included on such lists. The same kind of notice can be published in an employee handbook or policy manual. Implied consent is not as effective as express consent, since a member can always claim that he or she did not see any of the notices printed by the church. But implied consent is obviously easier to obtain.

Richard R. Hammar is an attorney, CPA and author specializing in legal and tax issues for churches and clergy.

This content is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional person should be sought. "From a Declaration of Principles jointly adopted by a Committee of the American Bar Association and a Committee of Publishers and Associations." Due to the nature of the U.S. legal system, laws and regulations constantly change. The editors encourage readers to carefully search the site for all content related to the topic of interest and consult qualified local counsel to verify the status of specific statutes, laws, regulations, and precedential court holdings.
