HIPAA does not affect church records
Reader Mary M. is up against a real problem.
An Ohio resident, she wants to see records of an old Polish church in the Roman Catholic Diocese of Cleveland, but every time she asks to see them, she’s told that “the bishop states that only the parish pastor or secretary can look at the records because of HIPAA.”
Mary notes that: “The older relatives are all deceased. Most of the older records are in Polish. Neither (the priest nor the parish secretary) can read Polish. If they can’t read it, they tell us that record is illegible and can’t give any further information. How does HIPAA play a part in researching the records and is there any way around it? I have over a hundred relatives who were either founding members of this parish or just members and I can’t even search them.”
HIPAA, for the record, is the Health Insurance Portability and Accountability Act of 1996,1 a federal law that — sigh — has absolutely nothing to do with church records.
And what she’s running into is a common problem: a total misunderstanding by laypeople and records custodians about HIPAA, what it is, what it does and what it just doesn’t do.
What Congress was out to do was make the health care system more efficient by getting electronic information exchanges working.2 To get people to go along, the law strongly protects the confidentiality of that information. It’s now a federal crime to disclose it without authorization.3 And Congress told the US Department of Health and Human Services (“HHS”) to set up privacy rules as well.4
The statute did a lot of different things, but the aspect we’re all concerned with is its effect on what the law called “individually identifiable health information.”5
The definition of that sort of information in the statute and in the regulations is pretty broad. It includes anything that identifies the person by name (or can be used to do that) and shows:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual.
Individually identifiable health information includes things like a person’s name, address, birth date, Social Security Number.6
And even with that very broad definition, absolutely not one bit of the law or the regulations affects church records or church archives at all.
The reason is simple: HIPAA only affects “covered entities” — health plans, health care clearinghouses, and health care providers, and only if they transmit information in electronic form about certain “covered transactions.”7 That means, just as an example, that a K-12 public school that has doctors and nurses and psychologists and counselors working with students is NOT a covered entity (in this case, because it doesn’t bill for its health-related services).8
And it means, as well, that — unless we’re talking about a church-operated medical clinic or hospital — church records like the parish records Mary would like to see are not affected by HIPAA because the church is NOT a covered entity.
This couldn’t be clearer under the law, and The Legal Genealogist is hardly the first person to have said it outright: a church is NOT a covered entity.9 Here, as just one example, is what the American Bar Association has to say:
Many private employers, churches, or social organizations that receive medical information about employees, parishioners, or members have the mistaken notion that they become subject to the HIPAA regulations once they receive such information. They do not. The privacy standards are applicable only if the individual or entity is a healthcare provider, health plan, or health clearinghouse (not addressed in this article) or has a business associate agreement with such a covered entity.10
And, for the record, a genealogical archive like a local historical society museum is NOT a covered entity. A library is NOT a covered entity. A cemetery is NOT a covered entity. They’re not in the health care business, and even if somehow a piece of health-related information shows up in a document they possess that doesn’t magically morph them into covered entities.
So no. HIPAA doesn’t lock up those records at all.
Convincing the parish priest, secretary and bishop… that’s another story. But one thing Mary can try is to find out who the attorney for the diocese is and write to the attorney directly, explaining the problem and asking for clarification on records access. She could even enclose a copy of this post…
- P.L. 104-191 (1996), codified at various parts of the United States Code and particularly at 42 U.S.C. § 1320d et seq. ↩
- 67 Fed. Reg. 14776, 14776 (27 March 2002). ↩
- 42 U.S.C. §§ 1320d-1(d), 1320d-2. ↩
- See 42 U.S.C. §§ 1320d-1(d), 1320d-2. ↩
- 42 U.S.C. § 1320d(6). ↩
- See generally 45 C.F.R. § 164.514(b). ↩
- 42 U.S.C. § 1320d-1(a). See also 45 CFR § 160.102. ↩
- USHHS, Office for Civil Rights, “Does the HIPAA Privacy Rule apply to an elementary or secondary school?” (http://www.hhs.gov/ocr/privacy/hipaa/faq/ferpa_and_hipaa/513.html : accessed 29 Apr 2014). ↩
- See e.g. Hindson & Melton, “The HIPAA Privacy Rule And Your Church,” Hindson & Melton Attorneys at Law (http://hindsonmelton.net : accessed 29 Apr 2014). Also United Methodist Church, General Council on Finance and Aministration, “HIPAA Privacy Rule and Local Churches,” PDF (http://www.churchadminpro.com : accessed 29 Apr 2014). ↩
- Susan Scheutzow, “HIPAA: A Primer,” American Bar Association, GPSolo Magazine – April/May 2004, reprinted online (https://www.americanbar.org/ : accessed 29 Apr 2014). ↩