Do Churches Have to Follow HIPAA? When It Applies and When It Doesn’t


Kevin Henry

HIPAA

April 10, 2026

7 minute read

HIPAA Applicability to Churches

Short answer: a church must follow HIPAA only when it functions as a Covered Entity or as a business associate to one. HIPAA regulates how certain organizations handle Protected Health Information (PHI), not how every organization handles all personal details.

Under HIPAA, Covered Entities include health plans, health care clearinghouses, and health care providers that transmit health information in connection with Standard Electronic Transactions (for example, electronic claims or eligibility checks with a health plan). If your church never operates in those roles, HIPAA generally does not apply to its typical ministry activities.

  • Usually not covered: worship services, prayer chains, pastoral counseling that does not bill insurance, benevolence and visitation notes.
  • May be covered: a church-run clinic or counseling center that bills insurers electronically; a Group Health Plan for employees; or situations where the church creates, receives, or maintains PHI on behalf of a Covered Entity.

Remember, PHI is health information held by a Covered Entity or its business associate. Information a member voluntarily shares with you for prayer or care is not PHI under HIPAA—but you should still handle it under strong Confidentiality Rules.

Church Health Ministries as Covered Entities

Many churches host health ministries—blood pressure checks, support groups, vaccination events, or short-term counseling. These activities become subject to HIPAA only if the ministry is a health care provider that conducts Standard Electronic Transactions with a health plan. Cash-only or free services that never submit claims or eligibility inquiries typically are not Covered Entities.

Ask these questions to gauge applicability:

  • Do you submit electronic claims, check eligibility, obtain prior authorizations, or receive electronic remittance from health plans?
  • Do licensed professionals provide clinical services under the church’s auspices and bill insurers electronically for them?
  • Does any part of the ministry maintain PHI for billing or insurance purposes?

If yes, you must implement HIPAA policies for that health-care function, train involved staff and volunteers, and keep those records and workflows segregated from broader church operations to prevent unauthorized PHI Disclosure.

Business Associate Relationships

A business associate is any person or entity that creates, receives, maintains, or transmits PHI while performing services on behalf of a Covered Entity. If your church operates a covered clinic or Group Health Plan, you must have a Business Associate Agreement (BAA) with vendors that access PHI—such as billing services, IT providers, cloud storage, or transcription.

Conversely, your church can be a business associate to someone else. For example, if a church-affiliated team provides practice management or data services to a local clinic and handles PHI, the church must sign a Business Associate Agreement and follow HIPAA safeguards for that work.

  • Ensure each BAA defines permitted uses/disclosures, security safeguards, breach reporting, subcontractor obligations, and termination steps for PHI.
  • Maintain an inventory of BAAs, restrict access to the minimum necessary workforce, and review vendors’ security practices regularly.

Congregational Care and Prayer Lists

Prayer lists, meal trains, and visitation updates are usually outside HIPAA because the church is not acting as a Covered Entity. Still, treat health details with care and dignity. Obtain consent before sharing and avoid unnecessary medical specifics.

  • Use opt-in consent; let members specify what can be shared, with whom, and for how long.
  • Limit details (for example, “recovering from surgery”) and avoid diagnoses or treatment plans unless explicitly authorized.
  • Do not re-share information a hospital, clinic, or insurer provided to you; that may be a PHI Disclosure needing patient authorization.
  • Store lists securely, limit distribution, and provide an easy opt-out for members who change their minds.

These steps help you honor privacy while supporting pastoral care, even when HIPAA does not directly govern the activity.


Church-Operated Clinics and HIPAA

If your church runs a clinic, counseling center, or pharmacy service and conducts Standard Electronic Transactions, that operation is a Covered Entity and must fully comply with HIPAA. Treat it as a distinct health-care function with clear boundaries from church administrative records.

  • Establish written privacy and security policies; provide a Notice of Privacy Practices to patients; designate privacy and security leads.
  • Train all workforce members; apply role-based access; use encrypted systems; and perform ongoing risk analysis and mitigation.
  • Honor patient rights (access, amendments, restrictions, and an accounting of disclosures) and maintain records and retention schedules.
  • Execute Business Associate Agreements with any vendor that can access PHI, and have a breach response plan.

If the clinic does not conduct covered transactions, HIPAA may not apply—but you should still implement confidentiality, data security, and incident response practices to protect people and maintain trust.

Church Employee Health Plans

When a church sponsors a Group Health Plan for staff, HIPAA applies to the plan itself as a health plan. The church as employer is not a Covered Entity, but it must keep plan PHI separate from general HR files and limit who can access it for plan administration.

  • Fully insured plans: typically, the insurer handles claims PHI. The church should receive only enrollment/disenrollment and summary information unless plan documents are amended to permit limited administrative PHI access.
  • Self-funded plans: the plan (and its third-party administrator) must meet full HIPAA requirements. Create administrative “firewalls,” train authorized personnel, and restrict PHI to plan purposes only.
  • Related programs: employee assistance programs and wellness initiatives that provide clinical services can be subject to HIPAA; design them with minimum necessary access and clear participant notices.

Employment records (like doctor’s notes for sick leave) are not PHI under HIPAA, but you should still protect them under employment laws and your Confidentiality Rules.

Privacy Practices for Exempt Churches

Even if HIPAA does not apply, members expect discretion. Adopt simple, consistent practices that reflect pastoral care values and reduce risk.

  • Publish a short privacy statement for care ministries; define how health-related details will be requested, used, and shared.
  • Use consent forms for prayer lists and visitation updates; capture preferences and expiration dates for sharing.
  • Limit access to need-to-know staff and volunteers; avoid open email lists and social media posts about someone’s health.
  • Protect records with secure storage and retention schedules; never mix care notes with general membership databases without safeguards.
  • Train volunteers on respectful language, minimum necessary sharing, and how to handle sensitive requests.

Bottom line: Do churches have to follow HIPAA? Only when they operate a covered clinic or similar service, act as a business associate, or sponsor a Group Health Plan that handles PHI. For most ministry contexts, HIPAA does not apply—but thoughtful Confidentiality Rules, consent, and restrained sharing are essential to serve people well.

FAQs

When is a church considered a Covered Entity under HIPAA?

Your church is a Covered Entity only if it operates as a health plan, a health care clearinghouse, or a health care provider that conducts Standard Electronic Transactions with a health plan (such as electronic claims, eligibility checks, or authorizations). Typical worship and care activities do not trigger HIPAA.

Can churches share prayer list information without violating HIPAA?

Yes, if the church is not functioning as a Covered Entity, prayer lists are generally outside HIPAA. Still, obtain opt-in permission, avoid diagnoses, limit distribution, and never re-share information received from a medical provider without the individual’s authorization.

What privacy practices should exempt churches follow?

Use clear consent, share the minimum necessary details, maintain secure records, restrict access to authorized volunteers, and establish written Confidentiality Rules. Train your care teams to avoid unnecessary PHI Disclosure and to honor members’ preferences and opt-outs.

Does HIPAA apply to church employee health plans?

Yes. A church-sponsored Group Health Plan is a HIPAA-covered health plan. Keep plan PHI separate from general HR files, limit access to designated plan administrators, and ensure Business Associate Agreements are in place with any vendor that handles plan PHI.
