HIPAA does not affect church records
Reader Mary M. is up against a real problem.
An Ohio resident, she wants to see records of an old Polish church in the Roman Catholic Diocese of Cleveland, but every time she asks to see them, she’s told that “the bishop states that only the parish pastor or secretary can look at the records because of HIPAA.”
Mary notes that: “The older relatives are all deceased. Most of the older records are in Polish. Neither (the priest nor the parish secretary) can read Polish. If they can’t read it, they tell us that record is illegible and can’t give any further information. How does HIPAA play a part in researching the records and is there any way around it? I have over a hundred relatives who were either founding members of this parish or just members and I can’t even search them.”
HIPAA, for the record, is the Health Insurance Portability and Accountability Act of 1996,1 a federal law that — sigh — has absolutely nothing to do with church records.
And what she’s running into is a common problem: a total misunderstanding by laypeople and records custodians about HIPAA, what it is, what it does and what it just doesn’t do.
What Congress was out to do was make the health care system more efficient by getting electronic information exchanges working.2 To get people to go along, the law strongly protects the confidentiality of that information. It’s now a federal crime to disclose it without authorization.3 And Congress told the US Department of Health and Human Services (“HHS”) to set up privacy rules as well.4
The statute did a lot of different things, but the aspect we’re all concerned with is its effect on what the law called “individually identifiable health information.”5
The definition of that sort of information in the statute and in the regulations is pretty broad. It includes anything that identifies the person by name (or can be used to do that) and shows:
• the individual’s past, present or future physical or mental health or condition,
• the provision of health care to the individual, or
• the past, present, or future payment for the provision of health care to the individual.
Individually identifiable health information includes things like a person’s name, address, birth date, Social Security Number.6
And even with that very broad definition, absolutely not one bit of the law or the regulations affects church records or church archives at all.
The reason is simple: HIPAA only affects “covered entities” — health plans, health care clearinghouses, and health care providers, and only if they transmit information in electronic form about certain “covered transactions.”7 That means, just as an example, that a K-12 public school that has doctors and nurses and psychologists and counselors working with students is NOT a covered entity (in this case, because it doesn’t bill for its health-related services).8
And it means, as well, that — unless we’re talking about a church-operated medical clinic or hospital — church records like the parish records Mary would like to see are not affected by HIPAA because the church is NOT a covered entity.
This couldn’t be clearer under the law, and The Legal Genealogist is hardly the first person to have said it outright: a church is NOT a covered entity.9 Here, as just one example, is what the American Bar Association has to say:
Many private employers, churches, or social organizations that receive medical information about employees, parishioners, or members have the mistaken notion that they become subject to the HIPAA regulations once they receive such information. They do not. The privacy standards are applicable only if the individual or entity is a healthcare provider, health plan, or health clearinghouse (not addressed in this article) or has a business associate agreement with such a covered entity.10
And, for the record, a genealogical archive like a local historical society museum is NOT a covered entity. A library is NOT a covered entity. A cemetery is NOT a covered entity. They’re not in the health care business, and even if somehow a piece of health-related information shows up in a document they possess that doesn’t magically morph them into covered entities.
So no. HIPAA doesn’t lock up those records at all.
Convincing the parish priest, secretary and bishop… that’s another story. But one thing Mary can try is to find out who the attorney for the diocese is and write to the attorney directly, explaining the problem and asking for clarification on records access. She could even enclose a copy of this post…
SOURCES
- P.L. 104-191 (1996), codified at various parts of the United States Code and particularly at 42 U.S.C. § 1320d et seq. ↩
- 67 Fed. Reg. 14776, 14776 (27 March 2002). ↩
- 42 U.S.C. §§ 1320d-1(d), 1320d-2. ↩
- See 42 U.S.C. §§ 1320d-1(d), 1320d-2. ↩
- 42 U.S.C. § 1320d(6). ↩
- See generally 45 C.F.R. § 164.514(b). ↩
- 42 U.S.C. § 1320d-1(a). See also 45 CFR § 160.102. ↩
- USHHS, Office for Civil Rights, “Does the HIPAA Privacy Rule apply to an elementary or secondary school?” (http://www.hhs.gov/ocr/privacy/hipaa/faq/ferpa_and_hipaa/513.html : accessed 29 Apr 2014). ↩
- See e.g. Hindson & Melton, “The HIPAA Privacy Rule And Your Church,” Hindson & Melton Attorneys at Law (http://hindsonmelton.net : accessed 29 Apr 2014). Also United Methodist Church, General Council on Finance and Aministration, “HIPAA Privacy Rule and Local Churches,” PDF (http://www.churchadminpro.com : accessed 29 Apr 2014). ↩
- Susan Scheutzow, “HIPAA: A Primer,” American Bar Association, GPSolo Magazine – April/May 2004, reprinted online (https://www.americanbar.org/ : accessed 29 Apr 2014). ↩
It is also possible that the person who is giving Mary the information is adding “because of HIPAA” as part of their own understanding, not as part of the official reason. Catholic church records are open or closed at the discretion of the church’s pastor (if the church is still open). As you noted, access is not governed by civil law. It is governed by the church. The option to open or close is up to the pastor. (That having been said, some bishops do “encourage” their pastors to either grant or deny access.)
Entirely possible that this is being used as an excuse, Amy, which is why getting records access policies clarified from the official representatives of the diocese is really the way to go.
I also ran into problems with Catholic church records in Clinton, Iowa. There use to be five Catholic churches in Clinton but they have since lost membership and merged into only one. This church holds all of the records for e previous churches. When I contacted them, the response I got was, “We don’t do genealogy.” They do have a wonderful Catholic History Center located in one of the closed churches. It is staffed by wonderful, kind and generous volunteers. Several years ago, a church member was allowed to create an index of the records and the center has those – sort of. There was no printer and I was not allowed access to the computer database as the computer was old, the software was old, and ??? Anyway, one of the volunteers patiently looked for every record and name I told him and then I would have to write it down as he read it off to me. I could look over his shoulder at the screen as I wrote. There were many mistakes due to unreadable had writing I am sure. The original indexer is now in a nursing home last I heard. When I contacted the church hoping to get a copy of my gr. grandmother’s birth/baptism record, the secretary told me that wouldn’t be possible because she would have to cover up all the other names on the page for privacy – my gr. grandmother was born in 1864!! Really?
Sigh… yeah I’m sure a lot of those born-in-1864 people really care about their privacy… sigh…
I was told you could write to Rome and get a letter stating that you can see the church records, if it is your family.
I seriously would start with the Diocese first. Going to Rome is overkill if going to Cleveland works.
I’ve run into circumstances where they would only give me information on the specific name also. There is an Episcopal Church that I’d like to see records for however I was told they were too fragile for anyone to look at except staff. With a last name of Brown, I’m hoping that the next time I’m in the area I can appeal to them using professional experience, I work at a State Historical Society in the Archives/Library Division, to convince them that I will handle their records carefully enough to get access. I’ve been to two other churches with no trouble so it really varies. But then in the 1980s I went to a courthouse that wouldn’t let me look at probate records. A woman there climbed the ladder, pulled the record and said what do you want to know. How do I know what I want unless I know what’s there? Fortunately policy changed at that courthouse later.
I do know there are some sets of records that are too fragile to permit public access to — there are a large number of such records even at the National Archives. But as long as they give SOME access… it’s the ones who won’t allow any access at all that are the major problems.
You are right on target in highlighting the definition of a covered entity. One complication: a library (or more likely archives) that is part of a covered entity and receives records from that entity may become a covered entity itself and have to follow HIPAA rules.
But even with covered entities, some access is possible. Archivists were instrumental in getting DHHS to exclude from its definition of “protected health information” information related to individuals who have been deceased for more than 50 years. You can find the discussion of capping the period for HIPAA’s protections here. The new rule is codified in 45 CFR 164.502(f). It states “A covered entity must comply with the requirements of this subpart with respect to the protected health information of a deceased individual for a period of 50 years following the death of the individual.”
Yes, indeed, the HIPAA privacy rule has changed and in a very good way, as reported here in this blog last year (see “Breakthrough for medical genealogy,” posted 8 April 2013). Before the privacy rule was changed, there was NO access to medical information from a covered entity at all: the rule had no end date. So the 50-years-after-death change was very welcome.
And, of course, you are also right that a hospital archive may be impacted by HIPAA because of its relationship with the hospital that is the covered entity.
Thank you everyone for your comments but most of all thank you Judy for clarifying exactly what HIPPA is. I will write a letter to the diocese’s attorney and will include the information you listed above. I will keep you all posted!!
Glad I could help, Mary. Good luck!