Some—Not All—Nonprofits Are Subject to HIPAA Requirements
All nonprofits should maintain confidentiality of medical information related to their employees, program participants, and volunteers. Is such information subject to “HIPAA?” For many organizations, the answer is no – HIPAA does not apply across the board to all medical information generally. But privacy concerns may nonetheless warrant protection of such sensitive information. Such protection may be acutely important amidst current COVID times, with individuals’ medical information the subject of intense interest to employers, government agencies, and others.
The following article addresses HIPAA coverage and related legal and practical considerations for ministries, schools, health providers, and other organizations. It is adapted from an article published by Brotherhood Mutual Insurance Company, with its permission. Brotherhood Mutual® is a national property and casualty insurance company that provides innovative coverages and risk management resources, specifically designed to help Christian ministries operate safely and effectively. The original article can be found online in the Brotherhood Mutual® Safety Library.
Consider a church congregation with an involved and deeply engaged membership. That’s a sign of a healthy ministry! When a member of the congregation has health issues, other members may ask for updates on their condition. These requests are well-intentioned, but they could put the ministry in an awkward position. On one hand, ministry workers may want to share information so friends can pray for one another. On the other, protecting members’ privacy is a serious responsibility.
Now consider a workplace, also with caring co-workers who seek to share each other’s joys and burdens. When one employee gets sick, should his or her supervisor tell the other employees about this person’s illness? May that occur? In practical terms, much may depend on whether the employee shares such information himself or herself with others, or perhaps asks (or seems to expect) that such information will remain private.
Misconceptions abound about how privacy laws apply to employers, ministries, and other organizations. Do the rules apply to prayer lists? Are pastoral counselors subject to these requirements? What if a nonprofit has a professional counseling center? Is employee health information protected by the rules?
HIPAA’S NOT SO BROAD COVERAGE
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law concerning the privacy of health information. HIPAA includes a set of requirements, known collectively as the “HIPAA Privacy Rule,” that protects the privacy of an individual’s personal health information. HIPAA does not apply to many organizations. Indeed, there is no general HIPAA coverage for employers, employees, or health information broadly. Rather, context is everything! It’s thus a good idea to understand HIPAA coverage, in order to follow applicable requirements and to take related measures.
HIPAA Coverage for Specific Entities
As with all laws, understanding the meaning of a few definitions found within HIPAA is important. The law applies to specific organizations, defined by HIPAA as covered entities. These entities include:
- Health care providers that electronically transmit health information in connection with a HIPAA covered transaction;
- Health plans;
- Health care clearinghouses (e.g., billing services); and
- Business associates of these entities.
Health care providers are persons or organizations that furnish, bill, or are paid for health care services in the normal course of business.
A covered transaction includes the electronic transmission of health care claims, health care payments, and health-plan enrollments, eligibility determinations, or premium payments.
Organizations Excluded from the HIPAA Privacy Rule
Many organizations don’t fit within the categories mentioned above, so they are not subject to HIPAA’s privacy requirements. However, if an organization provides a health insurance plan for its employees (including cafeteria and flexible spending account arrangements), it may have some obligations regarding HIPAA, including:
- Providing certain HIPAA notices to employees; and
- Signing information security agreements with vendors that service the ministry’s health plans.
For some employers, there are exceptions. Organizations that provide a self-funded and self-administered plan for fewer than 50 employees are probably exempt from HIPAA. Likewise, employers that provide a fully insured health plan also may breathe more easily, because the insurer assumes most of the HIPAA obligations. If an organization provides any health benefits, it’s a good idea to consult with its health plan provider and attorney for guidance concerning applicable HIPAA obligations.
WHEN IS AN ORGANIZATION SUBJECT TO THE HIPAA PRIVACY RULE?
An organization may be subject to HIPAA’s privacy requirements when it is a health care provider engaging in covered transactions, as described above. Examples of organization activities that are likely subject to the HIPAA Privacy Rule include the following:
- A camp operating a health clinic that electronically bills health insurance companies for patient services that camp-employed physicians have provided; or
- A college employing licensed mental health practitioners for its professional counseling center, which electronically bills health insurance companies for counseling services.
Note that once an event triggers the application of HIPAA’s requirements to an organization, it also invokes the HIPAA Privacy Rule and many other requirements. In some cases, an organization may be able to legally separate certain operations that are subject to HIPAA from those that are not. To be effective, separation of certain operations must strictly comply with HIPAA requirements.
Examples of organization activities that are probably not subject to the HIPAA Privacy Rule including the following:
- Organizations with volunteer or employed nurses who direct nursing or community nursing programs (typically providing first aid, CPR, and automatic external defibrillator (AED) training, health screenings, and wellness classes), not triggering HIPAA applicability;
- Pastoral staff members, who are not licensed mental health practitioners, providing free counseling assistance to members and others (viewed as solely religious healing by clergy); and
- Ministry use of prayer list with people’s health issues.
Each of these examples involve important confidentiality, discernment, and good judgment considerations. But they do not implicate HIPAA itself.
Schools May Be Subject to the HIPAA Privacy Rule
If a school employs a health care provider that electronically transmits health care information subject to HIPAA requirements, the school also needs to comply with certain HIPAA requirements concerning the manner in which the information is transmitted.
There are exceptions, however. If the school maintains health information only in student health records that are considered “educational records,” the privacy of those records is addressed by the Family Educational Rights and Privacy Act (FERPA). This law imposes its own requirements, which schools also must consider carefully. For example, FERPA requires schools to obtain parental consent before disclosing Medicaid billing information about a medical service that the school provided to a student.
STATE PRIVACY LAWS ALSO MAY APPLY
Even if HIPAA doesn’t apply to its operations, an organization does have a legal duty under state privacy laws to protect an individual’s privacy. Note too that some of these laws may be more stringent than HIPAA requirements. A prime example of non-HIPAA legal protection is a state “invasion of privacy” cause of action, which allows an offended person to pursue civil action (“tort”) and seek monetary damages and other relief against the wrongdoer.
State laws protecting the health information privacy rights of individuals thus may present a significant concern, especially for organizations that are not careful to guard confidential health information about their employees, volunteers, and program participants. Such legal protections may well be applicable to prayer lists, ministry-employee health information, and pastoral counseling records.
How Can Nonprofits Manage the Risks Regarding Privacy Laws?
Nonprofits can take several steps toward optimal legal compliance with HIPAA and state privacy laws, such as the following.
- Maintain confidentiality. Regardless of any particular legal protection such as HIPAA, keep medical information highly confidential. It should not be kept in employees’ personnel file or easily accessible by many people. Such information is sensitive and therefore warrants due sensitivity and care.
- Seek attorney input. Contact an experienced and knowledgeable attorney to address specific situations as they may arise, both in terms of handling such matters and improving related protocols for the future.
- Consider Insurance. Organizations that employ professional health care practitioners and licensed mental health providers should consider professional liability coverage options for their licensed practitioners and the ministry. Some professional liability insurance policies provide coverage for HIPAA violations.
- Obtain Consent. Although HIPAA may not apply to nonprofits’ operations, there’s nothing that prevents individuals from telling their congregation, co-workers, or others that they have a medical condition and would like to receive prayers or other support. Some laws, however, prevent an organization from sharing with others on an individual’s behalf. Therefore, obtain a person’s written consent before disclosing personal information. It could be as simple as asking someone: Would you like us to add you to the prayer list? or Would you mind if we shared this information with the rest of the staff? An organization will have far greater legal protection, however, if it obtains the person’s consent in writing.
Here are additional government resources about HIPAA and related privacy aspects: U.S. Health and Human Services – Summary of the HIPAA Privacy Rule; U.S. Health and Human Services – HIPAA’s Applicability to elementary and secondary schools; and U.S. Department of Education – Family Educational Rights and Privacy Act (FERPA)
Disclaimer from Brotherhood Mutual®: The information provided in this article is intended to be helpful, but it does not constitute legal advice and is not a substitute for legal advice from a licensed attorney in your area. We strongly encourage you to regularly consult with a local attorney as part of your risk management program.