No products in the cart
CAMP COMPENSATION
WAGE ORDER 5 & LABOR CODE § 1182.4 Compensating...

Most churches and Christian schools want to protect the privacy of their employees, volunteers, students, and congregants. The Health Insurance Portability and Accountability Act (HIPAA) is the federal law that governs the privacy and security of certain health information. However, HIPAA is one of the most misunderstood laws affecting ministries. Many leaders assume it applies to every medical conversation, doctor’s note, or prayer request. HIPAA applies much more narrowly.
This article explains what HIPAA is, who must comply, what information it protects, and the practical steps ministries should take to safeguard confidential health information.
HIPAA was signed into law on August 21, 1996, by President Bill Clinton. Its purpose is to protect the privacy and security of Protected Health Information (PHI) while establishing national standards for how certain organizations use, disclose, and safeguard that information.
HIPAA applies only to organizations that create, receive, maintain, or transmit PHI as Covered Entities or Business Associates. For most churches and ministries, HIPAA only becomes relevant when they provide healthcare services or work directly with a Covered Entity involving Protected Health Information (PHI).
Most churches, K-12 Christian schools, camps, and ministries are not HIPAA Covered Entities simply because they employ staff or sponsor a health insurance plan.
While most private and public K-12 schools are not HIPAA Covered Entities, colleges that operate healthcare clinics that bill insurance may have PHI that makes them a HIPAA Covered Entity.
Colleges and Universities that receive funding from the U.S. Department of Education are required to comply with the Family Educational Rights and Privacy Act (FERPA). FERPA protects the privacy of students’ Education Records. While most things that make up an Education Record are academic in nature, it also includes immunization records and school nurse records.
Covered entities include:
Business Associates are organizations or individuals that perform services for Covered Entities involving PHI. Examples include third-party administrators, billing companies, attorneys, accountants, consultants, and IT providers.
Many employment-related medical records are not considered PHI under HIPAA, including:
These records are generally governed by employment laws rather than HIPAA. Churches should also ensure their policies for handling employee medical information are clearly documented in their employee handbook.
Several states—including Alaska, Arizona, California, Delaware, Florida, Georgia, Iowa, Maryland, Massachusetts, Mississippi, Nebraska, New York, North Carolina, Texas, Vermont, and Washington—have enacted medical privacy laws that are more restrictive than HIPAA. Ministries should understand both federal and applicable state requirements.
Protected Health Information (PHI) is individually identifiable information relating to a person’s physical or mental health, healthcare services, or payment for healthcare.
Examples include:
Employment medical records maintained by an employer are generally not considered PHI under HIPAA.
The HIPAA Privacy Rule establishes standards for how Covered Entities and Business Associates may use, disclose, and protect PHI. It also gives individuals important rights regarding their health information.
The Privacy Rule permits the use or disclosure of PHI without written authorization for certain purposes, including:
In most other circumstances, written authorization is required before PHI may be disclosed.
The Privacy Rule also incorporates the Minimum Necessary Standard, requiring organizations to limit access to only the information needed to perform a specific job or function.
Covered Entities must provide patients with a Notice of Privacy Practices explaining how their information may be used, their privacy rights, and how to file a complaint. Organizations should also designate a Privacy Officer responsible for implementing HIPAA policies, training staff, responding to privacy concerns, and overseeing compliance.
Organizations that maintain electronic Protected Health Information (ePHI) must implement administrative, physical, and technical safeguards to protect that information.
Examples include:
Employees can help protect ePHI by:
Examples of security risks include:
A HIPAA breach occurs when PHI is accessed, used, or disclosed in a manner not permitted under HIPAA.
Common examples include:
Organizations should establish written procedures for reporting suspected breaches.
Employees who become aware of an improper use or disclosure of PHI should immediately notify the Privacy Officer or designated manager.
Employees who report suspected HIPAA violations in good faith should never be subject to retaliation.
Although most churches and Christian schools are not Covered Entities under HIPAA, they still have important responsibilities to protect confidential health information.
Whether required by HIPAA, state law, or employment regulations, ministries should handle medical information with care, limit access to those with a legitimate need to know, secure electronic records, and provide appropriate employee training. Ongoing HR support can also help ministries stay current with changing employment and compliance requirements. Protecting confidential information is not only good legal practice—it reflects Christian stewardship, integrity, and respect for the people entrusted to our care.
If your church or ministry needs assistance developing HR policies, employee handbooks, compliance training, or navigating complex employment regulations, Church HR Network provides practical HR solutions designed specifically for churches, ministries, and Christian schools. Learn more about our HR and compliance services or contact our team to discuss how we can help strengthen your ministry’s compliance program.
Most churches are not HIPAA-covered entities simply because they employ staff or offer health insurance benefits. However, churches that provide healthcare services or work as Business Associates may have HIPAA obligations. Church HR Network provides HR and compliance services to help ministries understand their legal responsibilities.
PHI is individually identifiable health information related to a person’s medical condition, treatment, healthcare services, or payment for healthcare that is protected under HIPAA.
Generally, medical records maintained by an employer for employment purposes—such as FMLA paperwork, ADA accommodations, and workers’ compensation records—are not considered PHI under HIPAA, though other employment and privacy laws may apply. Churches should establish clear policies for handling confidential employee information in their employee handbook.
The HIPAA Privacy Rule governs how Protected Health Information may be used and disclosed, while the HIPAA Security Rule establishes safeguards for protecting electronic Protected Health Information (ePHI).
Churches should limit access to confidential medical information, securely store physical and electronic records, train employees on confidentiality practices, and follow applicable federal and state privacy requirements. Regular employee training can help staff understand their responsibilities and reduce the risk of accidental disclosures.