Comprehensive privacy legislation, known as the Health Insurance Portability and Accountability Act (HIPAA), was passed by Congress in 1996. It was finalized on December 28, 2000 and received its final modifications on April 14, 2002. It became effective on April 14, 2003.

The basic intent of HIPAA is very simple: to keep a firm grasp on the confidentiality rights and needs of patients (while not encumbering their treatment) and making certain that the patient understands all of his/her rights about care and the necessary release of information to provide that care while still protecting the patient's privacy.

The Office of Health Ministries has been receiving calls from clergy and others concerning the new HIPAA regulations regarding the visitation of parishioners at local hospitals. In one particular instance, a minister visited parishioners at two hospitals in his area, yet the hospitals appear to have different rules. During these first months of implementation there will be confusion as hospitals and health care providers develop and implement their unique and varied responses to the new law. In some instances, policies about releasing names of patients and patient information to clergy may change without notice being given, thus, to avoid the impact of unannounced changes, please check with the hospitals. In response to these inquires, we have put together information on the new regulations.

The New Privacy Rule
The new privacy rule is a comprehensive federal regulation that gives patients protection regarding the privacy of their medical records. Issues of the patient's confidentiality have been a concern of the federal government for several years. In 1996, Congress recognized the need for national patient record privacy standards when they enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). In November 1999, United States Department of Health and Human Services (HHS) published proposed regulations to guarantee patients new rights and protections against the misuse or disclosure of their health records.

The Health Insurance Portability and Accountability Act's (HIPAA) medical privacy regulations govern the use and release of patient's personal health information, also known as "protected health information" (PHI). Its basic intent is very simple: to keep a firm grasp on the confidentiality rights and needs of patients (while not encumbering their treatment) and making certain that the patient understands all of his/her rights about the care being received, and the necessary release of information to provide that care while still protecting the patient's privacy.

How a hospital carries out these new regulations may vary from one hospital to another. Some hospitals may ask that you wear a badge, supply a picture and/or give your contact information where others may ask you to register or sign in when visiting a patient. Who is permitted to come into the patient's room with the minister may also be restricted depending on a particular hospital's rules. Check with each hospital you visit and find out their new procedures. It will save you time and frustration to do so before you have to go on a visit.

What Clergy Need to Know

Clergy's Responsibility
The issue for the pastor, under the new HIPAA regulations, is confidentiality of the patient's condition/illness. This can be a very tricky issue at times, especially around corporate prayers, prayer chains, etc. For example, if you include someone in prayer, by name, make sure that it is the wish of the patient. Additionally, when you have parishioners bringing specific (by name) concerns to you, be cautious, check it out with the individual/family before an announcement is made. To be proactive, it will be important to tell your members that they need to either inform you prior to an elective hospitalization, or indicate preference of notification (with signature) on their admission papers. Hospitals will typically not give this information out.

Release of Patient Information to Clergy
Under the new Federal Privacy Rule, clergy can still have access to certain patient information. Clergy can receive the following information (without patient authorization)

• Patient name
• Location in the hospital
• General condition (one word description)
• Religious affiliation

However, if the patient said that they didn't want to be part of the patient directory, or expressly said that they didn't want visits from the clergy, then the request must be honored.

The United States Department of Health and Human Services Questions and Answer Page
The explanation provided in answer to the question: Are hospitals able to inform the clergy about parishioners in the hospital follows:

Yes, the HIPAA Privacy Rule allows this communication to occur, as long as the patient has been informed of this use and disclosure, and does not object. The Privacy Rule provides that a hospital or other covered health care provider may maintain in a directory the following information about that individual: the individual's name; location in the facility; health condition expressed in general terms; and religious affiliation. The facility may disclose this directory information to members of the clergy. Thus, for example, a hospital may disclose the names of Methodist patients to a Methodist minister unless a patient has restricted such disclosure. Directory information, except for religious affiliation, may be disclosed only to other persons who ask for the individual by name. When, due to emergency circumstances or incapacity, the patient has not been provided an opportunity to agree or object to being included in the facility's directory, these disclosures may still occur, if such disclosure is consistent with any known prior expressed preference of the individual and the disclosure is in the individual's best interest as determined in the professional judgment of the provider. See 45 CFR 164.510(a).

Hopefully additional specific questions and answers will be posted on this Web site in the future. To check go to answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php. It purports to specify the patient information that clergy are allowed to have access to through the HIPAA Privacy Rule.

What Parish Nurses Need to Know

Background Information
PHI includes all "individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. "Individually identifiable health information" includes many common identifiers such as name, address, birth date and Social Security Number. HIPAA governs privacy and security issues as to how we must process and protect patient information. For example, when transmitting data electronically (FAX) it must be done in a standard way.

HIPAA and the impact on Parish Nurses and Health Ministers
How does the HIPAA regulations impact our health ministry teams and parish nurses in our congregations? HIPAA Privacy Rules pertain to the following covered entities: health plans, health clearinghouses which unify data in standardized formats, and health care providers. As written, the law does not appear to specifically to reference parish nursing /health ministry. Essentially, congregations are not considered a "covered entity" and are not bound by these regulations. This is primarily due to the fact that charges are not rendered for the services provided by our nurses and others on the health team in the congregation. It does mean that keeping medical records of all types confidentially locked and secure to protect the privacy of those individuals must continue to be done. Also, when talking with an individual about their medical condition, screening results and/or test results, make sure you do it in private where the conversation won't be overhead by others. Parish nurses need to be vigilant about protecting an individual's health information both oral and written.

Sharing a patient's medical information with other parties is permissible, if for the purposes of treatment (usually to doctors), payment (to insurance or third party payers) or for other purposes, such as quality review or student teaching in a hospital setting. In the congregation for example, it would be permissible to contact someone's physician (over the phone or via FAX) with a screening result, or pertinent information from a home visit, as this is important to the ongoing care and treatment of the individual. A word of caution: inform the patient of this prior to disclosing the information. This does not permit the sharing of patient information for the sake of conversation or gossip, even with the best of intentions.

Although the HIPAA standards do not specifically spell out duties and responsibility for parish nurses, it is more critical than ever that all staff or volunteers working with a particular person be vigilant about confidentiality. Any papers with a patient's name on them should be kept in a safe, secure and private place.

Patient Condition Reports and Information
Patient condition information may be provided consistent with the limitations imposed by the HIPAA privacy standards. The American Hospital Association has suggested the following one-word descriptions and explanations of a patient's general condition.

Undetermined: Patient awaiting physician assessment.

Good: Vital signs are stable and within normal limits. Patient is conscious and comfortable. Indicators are excellent.

Fair: Vital signs are stable and within normal limits. Patient is conscious but may be uncomfortable. Indicators are favorable.

Serious: Vital signs may be unstable and not within normal limits. Patient is acutely ill. Indicators are questionable.

Critical: Vital signs are unstable and not within normal limits. Patient may be unconscious. Indicators are unfavorable.

Treated and Released: Received treatment but not admitted.

Treated and Transferred: Received treatment. Transferred to a different facility.