The HIPAA Privacy Rule establishes national standards for the protection of certain health information. The Privacy Rule provisions became effective in April 2003. Since then, as individuals and churches, we’ve become familiar with the basic provisions.
The Privacy Rule protects the uses and disclosure of individuals’ health information by covered entities. The goal of the Privacy Rule is to assure proper protection of individuals’ health information while still allowing information to be shared freely enough to promote health care of the highest quality. The first question is, “What is a covered entity?” In other words, “Is my local church a covered entity?” According to the Privacy Rule,covered entities are health plans, health care clearinghouses, and any health care provider who transmits health information in electronic form in connection with standard transactions such as billing. Thus, based on this definition, our local congregations would not normally be covered entities subject to the requirements of the Rule. Some church related organizations, such as church related counseling centers or hospitals, will need to understand just exactly how the Privacy Rule might apply to them.
Another question is, “Does the Privacy Rule apply to the information our phone volunteers give out regarding parishioners who are in the hospital?” Basically, the Privacy Rule does not restrict us in this regard. However, it is prudent to instruct our phone volunteers to share only the basic factual information with callers, such as the location of the parishioner (hospital, rehabilitation facility, etc.) and when the parishioner was admitted, if you know. Of course, if a parishioner has requested that the church give out no information, then that instruction should be followed.
Hospitals and health care facilities are still permitted under the Privacy Rule to maintain facility directories and to share a patient’s location information, such as the room number or unit number, with those who inquire by phone or in person. These entities are also still permitted to share religious affiliation information with clergy persons. Each patient must be informed of the facility directory and its uses. If the patient desires to restrict the dissemination of some or all of this information and makes her desire known, then the facility must honor the patient’s instructions. Furthermore, healthcare providers such as hospitals and physicians are permitted to share patient status and treatment information with the patient’s family and friends, if the patient does not object. In this respect, the sharing of information for the assistance of the patient, for example informing the patient’s spouse of the needs for physical therapy or specific medication, is not impeded by the requirements of the Privacy Rule.
The Privacy Rule was developed out of a concern that in today’s high tech healthcare environment, information that a patient wants kept private could and would be disseminated to easily through electronic processes. The rule does provide significant restrictions on sharing of patient information; however, our abilities to communicate with parishioners and to provide loving care for them remain intact. Let’s not give up our ministries of compassion and presence with those who need us.