HIPAA Compliance Checklist for Faith-Based Health Organizations
HIPAA Compliance Applicability
Faith-based clinics, missions, counseling ministries with health components, and church-run hospitals must determine how HIPAA applies to their services. If you create, receive, maintain, or transmit Protected Health Information (PHI) in connection with health care operations or billing, you are likely a covered entity or a business associate—even if your organization is nonprofit or volunteer-led.
Begin by mapping how you handle PHI under the HIPAA Privacy Rule, the HIPAA Security Rule, and the Breach Notification Rule. Many ministries qualify as hybrid entities; in that case, formally designate which components are subject to HIPAA and separate them from purely religious or pastoral functions.
Checklist
- Identify your role: covered entity, business associate, or hybrid entity health care component.
- Inventory PHI sources (intake forms, EHR, messaging, prayer requests that include health details) and data flows.
- Confirm whether you transmit electronic PHI for standard transactions (e.g., claims), since doing so triggers covered entity status.
- Appoint a Privacy Officer and a Security Officer with documented responsibilities.
- Document how the HIPAA Privacy Rule, HIPAA Security Rule, and Breach Notification Rule apply to your operations.
Administrative Safeguards
Administrative safeguards set the governance foundation for security and privacy. They translate your mission and values into policies, procedures, and oversight that protect PHI every day.
Core Actions
- Perform a formal Risk Analysis and ongoing risk management; prioritize remediation with timelines and owners.
- Define workforce security: role-based access, onboarding and termination steps, and a sanction policy.
- Implement information access management and the minimum necessary standard for PHI uses and disclosures.
- Establish a security awareness program (phishing defense, safe messaging, mobile device use, social media).
- Create a contingency plan: data backup, disaster recovery, and emergency-mode operations; test restores.
- Develop an incident response plan with clear reporting channels and decision criteria.
- Evaluate vendors and maintain a Business Associate Agreement (BAA) before sharing PHI.
- Schedule periodic evaluations to ensure policies remain effective as ministries and technologies change.
Physical Safeguards
Physical safeguards protect the places and equipment where PHI lives. In multi-use faith facilities, clear boundaries keep health operations distinct from worship and community spaces.
Facility and Workstation Controls
- Restrict access to records rooms, server closets, and clinician work areas; use keys, badges, or codes.
- Maintain visitor sign-in, escort procedures, and clean-desk practices for paper PHI.
- Secure workstations with privacy screens, cable locks, and automatic screen locks.
Device and Media Protections
- Track all devices that store or access PHI (laptops, tablets, USB drives, copiers).
- Wipe and validate before reuse; shred or degauss when disposing of media; document chain of custody.
- Store backup media offsite securely; limit transport and require check-in/check-out.
Technical Safeguards
Technical safeguards enforce who can access PHI and how data stays secure. Design controls that fit your resources while meeting regulatory expectations.
Access and Authentication
- Issue unique user IDs and implement multi-factor authentication for remote or privileged access.
- Enable emergency access procedures for continuity of care; configure automatic logoff.
Encryption and Transmission Security
- Apply PHI Encryption for data at rest and in transit; use secure messaging instead of standard email/SMS.
- Enforce TLS for web portals and VPN for administrative access; disable insecure protocols.
Audit, Integrity, and Monitoring
- Turn on audit logs for EHR, email, and file systems; review access to detect inappropriate viewing.
- Use integrity controls (hashing, change monitoring) to detect tampering and validated backups to recover from it.
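The "review access to detect inappropriate viewing" item above is the one most ministries struggle to operationalize, so here is an added example (not part of the original checklist and not any EHR vendor's export format) that runs three simple checks over an audit-log export: access by a user with no documented treatment relationship to the patient, after-hours chart access by a non-clinical role, and one user opening many distinct charts in the review window. The CSV layout, the care-team roster, the role names and the clinic hours are all assumptions, and the log lines are constructed.

```python
"""Review EHR audit log entries for access that may be inappropriate.

Added example, not the page's or any EHR product's code. It assumes a
comma-separated audit export with the fields
timestamp,user,role,patient_id,action and a care-team roster mapping each
patient to users with a treatment relationship. All data here is constructed.
"""
from datetime import datetime

# Constructed care-team roster: patient_id -> users with a treatment relationship.
CARE_TEAM = {
    "P1001": {"dr.lee", "nurse.ann"},
    "P1002": {"dr.lee"},
    "P1003": {"nurse.ann", "counselor.joe"},
}

# Roles assumed to have no routine reason to open a chart outside clinic hours.
NON_CLINICAL_ROLES = {"volunteer", "billing", "admin"}
CLINIC_HOURS = (8, 18)      # 08:00-18:00 local time (assumed)
BULK_VIEW_THRESHOLD = 3     # distinct patients one user viewed in the window

# Constructed audit export; one record per line.
SAMPLE_LOG = """\
2024-03-04T09:15:00,dr.lee,physician,P1001,view
2024-03-04T09:20:00,nurse.ann,nurse,P1001,update
2024-03-04T22:41:00,vol.sam,volunteer,P1002,view
2024-03-04T10:05:00,billing.kay,billing,P1003,view
2024-03-04T10:06:00,billing.kay,billing,P1001,view
2024-03-04T10:07:00,billing.kay,billing,P1002,view
2024-03-04T11:00:00,counselor.joe,counselor,P1003,view
"""


def parse_log(text):
    """Turn the CSV export into a list of dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return records


def review_access(records):
    """Return (user, patient, reason) tuples for accesses worth a human look."""
    findings = []
    patients_per_user = {}
    for r in records:
        patients_per_user.setdefault(r["user"], set()).add(r["patient"])
        # Check 1: no documented treatment relationship with this patient.
        if r["user"] not in CARE_TEAM.get(r["patient"], set()):
            findings.append((r["user"], r["patient"], "no care-team relationship"))
        # Check 2: non-clinical role opening a chart outside clinic hours.
        hour = r["time"].hour
        in_hours = CLINIC_HOURS[0] <= hour < CLINIC_HOURS[1]
        if r["role"] in NON_CLINICAL_ROLES and not in_hours:
            findings.append((r["user"], r["patient"],
                             "after-hours access by non-clinical role"))
    # Check 3: one user touching many charts in the window (possible browsing).
    for user, patients in patients_per_user.items():
        if len(patients) >= BULK_VIEW_THRESHOLD:
            findings.append((user, "*", f"viewed {len(patients)} distinct patients"))
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG)):
        print(finding)
```

The output is a review queue, not a verdict: billing staff legitimately open charts they are not treating, so in practice the roster check would be widened with billing work queues or a break-the-glass reason code, and each finding should be closed out with a documented decision as part of the periodic evaluation the Administrative Safeguards section calls for.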
Risk Assessment
A HIPAA-compliant Risk Analysis identifies where ePHI is stored, how it flows, and what threats could compromise it. Your assessment should weigh likelihood and impact to produce a risk rating, then drive a prioritized treatment plan.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
How to Execute
- Catalog assets (EHR, laptops, mobile apps, cloud services) and PHI data flows across ministries.
- Identify threats and vulnerabilities (loss/theft, misdirected email, misconfigured cloud, volunteer turnover).
- Score likelihood and impact; document current controls and gaps; select mitigations and owners.
- Track remediation to completion; reassess after major changes, new vendors, or security incidents.
Employee Training
Your workforce includes employees, clergy providing care, volunteers, students, and contractors. Train everyone before they access PHI and refresh regularly so safe practices become habit.
Training Essentials
- Overview of the HIPAA Privacy Rule and HIPAA Security Rule, minimum necessary, and patient rights.
- Recognizing PHI in pastoral contexts (e.g., prayer lists, support groups) and avoiding public disclosures.
- Secure use of email, texting, telehealth platforms, and social media; reporting lost devices or phishing.
- Incident reporting steps, sanction policy, and confidentiality acknowledgments; keep attendance records.
Business Associate Agreements
Any vendor that creates, receives, maintains, or transmits PHI for you is a business associate. Examples include EHR providers, billing services, cloud storage, telehealth platforms, translators, and shredding companies.
Checklist Before Sharing PHI
- Confirm the vendor’s role and due diligence (security controls, certifications, past incidents).
- Execute a Business Associate Agreement specifying permitted uses and disclosures of PHI.
- Require safeguards aligned to the HIPAA Security Rule and the Breach Notification Rule.
- Flow down obligations to subcontractors; set prompt incident and breach reporting requirements.
- Define breach cooperation, mitigation, right to audit, and termination with return or destruction of PHI.
Documentation and Policies
Written policies operationalize compliance and prove you are doing what you say. Keep them current, make them accessible to staff, and retain documentation for at least six years from creation or last effective date.
Must-Have Documents
- Notice of Privacy Practices; uses/disclosures, authorizations, and minimum necessary procedures.
- Access management, password, PHI Encryption, mobile/BYOD, media disposal, and remote access policies.
- Risk Analysis, risk management plan, training records, sanction procedures, and vendor/BAA files.
- Contingency plan, disaster recovery, incident response, and breach notification procedures.
Breach Notification
A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security. If PHI is properly encrypted to HHS-recognized standards, the incident may not be a reportable breach.
Respond and Report
- Contain the incident, preserve evidence, and begin your incident response plan immediately.
- Perform the required four-factor risk assessment: type/sensitivity of PHI, unauthorized recipient, whether PHI was actually viewed/acquired, and mitigation performed.
- If a breach is confirmed, notify affected individuals without unreasonable delay and no later than 60 days after discovery.
- Notify HHS via its breach portal as required: promptly for incidents affecting 500+ individuals; for fewer than 500, submit within 60 days after the end of the calendar year.
- Provide media notice if 500+ individuals in a state or jurisdiction are affected, and document every decision.
- If a business associate is involved, ensure notification to you per the Business Associate Agreement.
Conclusion
Building a HIPAA compliance program in a faith-based setting means uniting mission with method: confirm applicability, implement administrative/physical/technical safeguards, perform ongoing Risk Analysis, train your workforce, manage BAAs, maintain clear policies, and follow the Breach Notification Rule. Treat the checklist as a living practice that protects patients and your ministry.
FAQs
What are the key HIPAA requirements for faith-based health organizations?
Determine whether you are a covered entity, business associate, or hybrid entity; appoint privacy and security leaders; implement the HIPAA Privacy Rule and HIPAA Security Rule; conduct a documented Risk Analysis and risk management; apply administrative, physical, and technical safeguards (including PHI Encryption); execute and manage Business Associate Agreements; maintain required policies and records; honor patient rights; and follow the Breach Notification Rule when incidents occur.
How often should risk assessments be conducted?
HIPAA requires regular, ongoing evaluation. In practice, you should perform a comprehensive Risk Analysis at least annually, update it upon significant changes (new EHR, telehealth rollout, cloud migrations, mergers), and reassess after any security incident or compliance finding.
What is required in a Business Associate Agreement?
A BAA must define permitted and required uses/disclosures of PHI; require safeguards consistent with the HIPAA Security Rule; mandate prompt incident and breach reporting; ensure subcontractors follow the same obligations; support access, amendment, and accounting requests as appropriate; address breach cooperation and mitigation; permit verification or audit; and require return or destruction of PHI upon termination where feasible.
How should a breach of PHI be reported?
Activate your incident response, contain and investigate, and complete the four-factor risk assessment. If a breach is confirmed, notify affected individuals without unreasonable delay and no later than 60 days after discovery, notify HHS within applicable timelines (immediately for 500+ individuals; annually for smaller breaches), and notify the media for large regional incidents. Document actions and mitigation, and ensure business associates notify you as required by the BAA.