When I first became an EMT, I worked for an ambulance service that was based at a hospital in rural Mississippi. As it was a hospital-based service, I was required to sit through the same new employee orientation as nurses and others who worked within the hospitals. A large chunk of the session was spent talking about HIPAA. As I have worked for other services and did internships while in paramedic school, I had to have further training on HIPAA. With these numerous training sessions and other research have done on my own, I feel pretty confident that I am well-versed in what HIPAA does and does do and to who it does and does not apply to.
There is much confusion and I would like to try and address some of that.
HIPAA – the Health Information Portability and Accountability Act – is a very far-reaching law and has many moving parts to it. The short version of what HIPAA is for is to specify how one’s health information is to be stored, the type of security measures which should be taken, who can access information, and so on. One of HIPAA’s requirements is that healthcare workers and healthcare organizations who have access to one’s health information may not disclose it in any way to anyone without express written permission, except in very limited ways as allowed under the law (and there are not many). This aspect of HIPAA seems to be what has caused the most confusion. There are many people who think that the general public is subject to HIPAA, who think that clergy persons are bound by HIPAA and that even such things as sharing a diagnosis during prayer requests during a worship service is a violation of the law.
If you are a pastor or a parishioner who fears that sharing about Aunt Mabel’s bunions is going to land you in hock due to a violation of HIPAA, fear not. That won’t happen because HIPAA does not apply to such things.
Simply stated, HIPAA does not even apply to the general public in the first place. You can share your own information to your heart’s content. Further, you can share diagnoses and other health information about anyone with anyone and you are not in violation of HIPAA. Is sharing information without permission unethical? Yes. Illegal? Not so much. The only way you would be in violation of HIPAA is if your information was obtained while you were an employee of a clinic, hospital, etc. and you were obtaining this information in the course of performing your job.
HIPAA does not apply to clergy any more than it does to anyone else. While pastors are bound to ethical standards – which certainly includes not sharing private information without permission or without a legal reason such as to report a person who is a danger to themselves or others – clergy persons are not bound by HIPAA in the performance of their pastoral duties. If a pastor is visiting Aunt Mabel in the hospital, HIPAA does not apply to them. The exception to that is if the clergy person is acting within the capacity of a hospital chaplain or other employment with a healthcare organization. Further, clergy persons are not going to get in trouble with the law for sharing health information in settings such as prayer request time.
Again: Is sharing health information without permission unethical? Yes. Is it illegal (in most cases)? No.
I get really bothered when clergy persons are told that anything they share with their congregation is a violation of HIPAA because this simply is not true. Unfortunately, this is the misinformation that clergy persons are given over and over again by people who should know better but don’t. I know of clergy persons who have been told by leadership within their annual conferences that if they share any sort of health-related information that they are in violation of HIPAA. This is simply not true and I encourage my colleagues to become better educated in the legal aspects of ministry. Such education is a benefit for many reasons.
For more about HIPAA and what it does and does not cover (and it’s likely not what you think), this is a good place to start.