HIPAA Fundamentals for Churches and Religious Schools

by | July 14, 2026

Most churches and Christian schools want to protect the privacy of their employees, volunteers, students, and congregants. The Health Insurance Portability and Accountability Act (HIPAA) is the federal law that governs the privacy and security of certain health information. However, HIPAA is one of the most misunderstood laws affecting ministries. Many leaders assume it applies to every medical conversation, doctor’s note, or prayer request. HIPAA applies much more narrowly.

This article explains what HIPAA is, who must comply, what information it protects, and the practical steps ministries should take to safeguard confidential health information.

What Is HIPAA?

HIPAA was signed into law on August 21, 1996, by President Bill Clinton. Its purpose is to protect the privacy and security of Protected Health Information (PHI) while establishing national standards for how certain organizations use, disclose, and safeguard that information.

HIPAA applies only to organizations that create, receive, maintain, or transmit PHI as Covered Entities or Business Associates. For most churches and ministries, HIPAA only becomes relevant when they provide healthcare services or work directly with a Covered Entity involving Protected Health Information (PHI).

Who Must Comply with HIPAA?

Most churches, K-12 Christian schools, camps, and ministries are not HIPAA Covered Entities simply because they employ staff or sponsor a health insurance plan.  

While most private and public K-12 schools are not HIPAA Covered Entities, colleges that operate healthcare clinics that bill insurance may have PHI that makes them a HIPAA Covered Entity.

Colleges and Universities that receive funding from the U.S. Department of Education are required to comply with the Family Educational Rights and Privacy Act (FERPA). FERPA protects the privacy of students’ Education Records.  While most things that make up an Education Record are academic in nature, it also includes immunization records and school nurse records.

Covered entities include:

  • Healthcare providers (physicians, hospitals, clinics, nursing homes, etc.)
  • Health plans
  • Healthcare clearinghouses

Business Associates are organizations or individuals that perform services for Covered Entities involving PHI. Examples include third-party administrators, billing companies, attorneys, accountants, consultants, and IT providers.

Many employment-related medical records are not considered PHI under HIPAA, including:

  • FMLA paperwork
  • Sick leave requests
  • Drug test results
  • Pre-employment physicals
  • Fitness-for-duty examinations
  • Workers’ compensation records
  • ADA accommodation records
  • Disability retirement documentation

These records are generally governed by employment laws rather than HIPAA. Churches should also ensure their policies for handling employee medical information are clearly documented in their employee handbook.

Several states—including Alaska, Arizona, California, Delaware, Florida, Georgia, Iowa, Maryland, Massachusetts, Mississippi, Nebraska, New York, North Carolina, Texas, Vermont, and Washington—have enacted medical privacy laws that are more restrictive than HIPAA. Ministries should understand both federal and applicable state requirements.

What Is Protected Health Information (PHI)?

Protected Health Information (PHI) is individually identifiable information relating to a person’s physical or mental health, healthcare services, or payment for healthcare.

Examples include:

  • Medical diagnoses
  • Treatment records
  • Insurance information
  • Medical record numbers
  • Dates of treatment
  • Laboratory results
  • Photographs used for treatment
  • Biometric identifiers

Employment medical records maintained by an employer are generally not considered PHI under HIPAA.

Understanding The HIPAA Privacy Rule

The HIPAA Privacy Rule establishes standards for how Covered Entities and Business Associates may use, disclose, and protect PHI. It also gives individuals important rights regarding their health information.

The Privacy Rule permits the use or disclosure of PHI without written authorization for certain purposes, including:

  • Treatment
  • Payment
  • Healthcare operations
  • Certain public health activities
  • Situations required by law

In most other circumstances, written authorization is required before PHI may be disclosed.

The Privacy Rule also incorporates the Minimum Necessary Standard, requiring organizations to limit access to only the information needed to perform a specific job or function.

Covered Entities must provide patients with a Notice of Privacy Practices explaining how their information may be used, their privacy rights, and how to file a complaint. Organizations should also designate a Privacy Officer responsible for implementing HIPAA policies, training staff, responding to privacy concerns, and overseeing compliance.

Understanding The HIPAA Security Rule

Organizations that maintain electronic Protected Health Information (ePHI) must implement administrative, physical, and technical safeguards to protect that information.

Examples include:

  • Encryption of electronic PHI
  • Automatic logoff features
  • Password-protected devices
  • Facility access controls
  • Locked storage areas
  • Secure disposal of electronic media
  • Security policies and employee training

Employees can help protect ePHI by:

  • Using strong passwords
  • Never sharing login credentials
  • Keeping software updated
  • Avoiding unauthorized software downloads
  • Securing laptops and mobile devices
  • Preventing unauthorized access to restricted areas

Common HIPAA Security Risks

Examples of security risks include:

  • Malware, phishing, and ransomware attacks
  • Hacking or unauthorized network access
  • Stolen or lost laptops and smartphones
  • Compromised passwords
  • Social engineering attacks
  • Improper disposal of electronic devices
  • Unauthorized employee access to PHI
  • Accidental disclosure of PHI

HIPAA Breaches

A HIPAA breach occurs when PHI is accessed, used, or disclosed in a manner not permitted under HIPAA.

Common examples include:

  • Sending PHI to the wrong recipient
  • Discussing PHI in public places
  • Posting PHI on social media
  • Unauthorized employee access
  • Theft of devices containing PHI
  • Cybersecurity attacks exposing PHI

Organizations should establish written procedures for reporting suspected breaches.

Employees who become aware of an improper use or disclosure of PHI should immediately notify the Privacy Officer or designated manager.

Employees who report suspected HIPAA violations in good faith should never be subject to retaliation.

HIPAA Compliance Best Practices for Churches and Christian Schools

Although most churches and Christian schools are not Covered Entities under HIPAA, they still have important responsibilities to protect confidential health information.

Whether required by HIPAA, state law, or employment regulations, ministries should handle medical information with care, limit access to those with a legitimate need to know, secure electronic records, and provide appropriate employee training. Ongoing HR support can also help ministries stay current with changing employment and compliance requirements. Protecting confidential information is not only good legal practice—it reflects Christian stewardship, integrity, and respect for the people entrusted to our care.

If your church or ministry needs assistance developing HR policies, employee handbooks, compliance training, or navigating complex employment regulations, Church HR Network provides practical HR solutions designed specifically for churches, ministries, and Christian schools. Learn more about our HR and compliance services or contact our team to discuss how we can help strengthen your ministry’s compliance program.

HIPAA FAQs

Does HIPAA apply to churches?

Most churches are not HIPAA-covered entities simply because they employ staff or offer health insurance benefits. However, churches that provide healthcare services or work as Business Associates may have HIPAA obligations. Church HR Network provides HR and compliance services to help ministries understand their legal responsibilities.

What is Protected Health Information (PHI)?

PHI is individually identifiable health information related to a person’s medical condition, treatment, healthcare services, or payment for healthcare that is protected under HIPAA.

Are employee medical records protected by HIPAA?

Generally, medical records maintained by an employer for employment purposes—such as FMLA paperwork, ADA accommodations, and workers’ compensation records—are not considered PHI under HIPAA, though other employment and privacy laws may apply. Churches should establish clear policies for handling confidential employee information in their employee handbook.

What is the difference between the HIPAA Privacy Rule and Security Rule?

The HIPAA Privacy Rule governs how Protected Health Information may be used and disclosed, while the HIPAA Security Rule establishes safeguards for protecting electronic Protected Health Information (ePHI).

How can churches protect confidential health information?

Churches should limit access to confidential medical information, securely store physical and electronic records, train employees on confidentiality practices, and follow applicable federal and state privacy requirements. Regular employee training can help staff understand their responsibilities and reduce the risk of accidental disclosures.

Related Articles