HIPAA and the Church

Just to be clear, the Health Insurance Portability and Accountability Act (“HIPAA”)[fn1] does not prevent your bishop from asking you about your vaccination status. It doesn’t prevent your ward from doing contact tracing and informing people who attended church that someone had Covid at a meeting you attended. It doesn’t prevent the ward from asking (or requiring) attendees to wear masks.[fn2]

And look, I guess it’s fair to be a little scared. HIPAA does provide that a “person who knowingly and in violation of this part … discloses individually identifiable health information to another person[] shall be punished” with fines and potential imprisonment.

But–and this is critical–those penalties do not apply to just anybody who discloses individually identifiable health information to another person. It has to be someone who does so in violation of the HIPAA rules. And guess what? The HIPAA rules define the scope of who they apply to: health plans, health care clearinghouses, and certain health care providers. (Congress subsequently added Medicare prescription drug health card sponsors to this list.) If you’re not one of these four types of people–and the church is not–HIPAA doesn’t apply to you.[fn3]

Also, for what it’s worth, courts have consistently held that HIPAA does not create a “private right of action.” In non-lawyer-speak that means that even if your HIPAA rights are violated, you don’t get to sue. The civil prohibitions are enforced by fines from the Secretary of Health and Human Services. So if you think your HIPAA privacy rights have been violated and you go to court, the court will dismiss your suit. If you want something done about it, you file a complaint with HHS.

Which is to say, there’s nothing in the law prohibiting the church from asking if you’ve been vaccinated, from requiring you to wear a mask at church, or from doing contact tracing. If it choses not to do any of these things, the church has made a deliberate choice.

Note that I’m not a health law expert and that this post doesn’t represent legal advice. But also, I’m perfectly capable of reading the law and I’m right.

[fn1] Remember, the acronym has two As, not two Ps. This chart is really helpful in remembering the difference between HIPAA and HIPPA (and, for that matter, HIPPO).

[fn2] I’ve heard about church leaders in various places around the country asserting that they can’t do [X] because of HIPAA. So I’m subtweeting all of them here.

[fn3] If you still aren’t sure that the church isn’t subject to HIPAA, you can use this tool from the Centers for Medicare and Medicaid Services.


  1. Steve Evans says:

    A few points:

    1. Missed opportunity to call a post “Hungry Hungry HIPAA”.
    2. I am a health law expert and you are right.
    3. If the Church operates as a Covered Entity (ie is a health care plan payor, provider, etc) then it could theoretically violate HIPAA by disclosing the PHI of patients under those plans.
    4. Anytime some crank tries to invoke HIPAA to support their anti-mask/antivax agenda the heavens grieve.

  2. Thanks Steve! (And your name is way better–now I have to decide whether to go back and edit the title.)

  3. john f. says:

    This post and Steve’s comment are perfect. Thank you!

  4. A Turtle Named Mack says:

    And I think HIPAA still doesn’t apply, even if your Bishop or RS President is a physician or other health care provider, unless they’re YOUR provider.
    In the organization in which I work our direct Supervisor is not allowed to ask an employee about vaccination status. However, we can ask each other, and that information is definitely passed along to our Supervisor, which helps her make decisions about how and when common office spaces are used.
    Vaccination status of Ward members would be very useful information for local leaders to have when making decisions about who should be preparing the sacrament (although food-borne transmission isn’t a thing), Primary teaching, ministering to immunocompromised members, or other such things.

  5. Our stake presidency has made vaccination status disclosure a requirement for those accepting mission calls and other callings that require face-to-face interaction with members. The Mission Department is not formally requiring prospective missionaries to be vaccinated, but our stake presidency has indicated that vaccination is a sign of obedience.

  6. But is it RICO?

    (Twitter reference)

  7. Angela C says:

    “vaccination is a sign of obedience” Let me forever be on record that those who invoke “signs of obedience” as a distinction rather than “signs of not being a gullible dumbass” are choosing the lesser compliment by a long stretch.

  8. Mark B. says:

    I am relatively confident that calling people who have chosen not to be vaccinated “gullible dumbass[es]”–even if in fact they are misinformed, bad at assessing risk and probabilities, etc., etc., is not likely to change those people’s minds.

  9. There are a lot of legitimate reasons a bishop or stake president might choose to ask about vaccination status or require masks or to not do those things. There’s no need to hide behind HIPAA.

  10. Bookish says:

    Thanks Steve and Sam. Bad faith interpretations of HIPAA are a problem even within organizations subject to knowing and complying with the law.

    As an adult who accepts the scientific, medical, and ecclesiastical basis to be fully vaccinated there are a lot of situations I just want to understand the scope of the danger present in groups.

    Knowing the balance of vaccinated, unable to be vaccinate, and dangerous COVID-19 truthers is important. Many Saints have infants, young children, and immunocompromised family members we are responsible to protect from REAL dangers. As a result, our ability to responsibly return to in-person church depends on our ability to asses risks for our whole family.

    It’s equal parts infuriating and mind numbing in every setting of life to have antivaxxers and their allies (unwitting or not) invoke HIPAA in the same fashion the fictional Michael Scott of “The Office” declares bankruptcy.

    For our meeting houses to be places safe from the dangers of the world we all need to do all we can to mitigate the risk of spreading COVID-19. We need to help Saints be able to trust their peers are being truthful and behaving morally in the most urgent life or death issue of our time. We need that tone set at the top of the community and inculcated at every level below.

  11. I work for a consultant who has BAAs with a bunch of covered entities. I take so much HIPAA training. This post is a thing of beauty, but I think it won’t substitute for the training I have yet to take this year :(

  12. Geoff - Aus says:

    Mark B Is anything likely to change a trumpers mind? If it is true it should be said anyway. A bit like missionary work, they should be given the truth, and then they can be held accountable for their response. Calling them to repentance probably won’t work either but that should be tried too, by the Prophet. Any thing that might bring them back to truth should be tried.

  13. ISupportTheConstitutionOfTheUnitedStates says:

    The issue isn’t about the HIPPA law. You clearly haven’t done your research correctly. The Covid vaccines are EXPERIMENTAL, and thus this is a matter of the NUREMBERG TREATY, which you obviously haven’t researched.

    The US is a signer on the Nuremberg treaty, so therefore we are bound by it. In fact, we were involved it’s creation. It IS absolutely illegal, via the constitution, to violate it, as all treaties that the US signs onto and are approved by 2/3 of the senate are the SUPREME law over the land, over and above any federal, state, or local laws. In other words, any law against the Constitution, which includes the treaties we’ve signed onto and have been passed by 2/3 of the senate, are not allowed to be followed. Those who follow illegal laws are liable for it.

    The Covid Vaccines are EXPERIMENTAL, as stated before. Anyone who tries to coerce you into taking it (such as saying that you can loose your job if you don’t take it, or you can be kicked out for not taking it), are ACTUALLY liable to be prosecuted via the fact we’re part of the Nuremberg treaty, and the penalty for violating the Nuremberg Treaty is actually the death penalty. That’s partly why, even into the 1950’s, you still had people being tried and executed for their part in the atrocities of World War II.

    You need to read your history more, -and the Constitution. And you need to be reading from the direct sources, not third party. You’re NOT well informed.

  14. Aussie Mormon says:


    Are you really trying to claim that asking someone’s vaccination status is experimental research?

  15. John Buffington says:

    Hello ISupportTheConstitutionOfTheUnitedStates

    Can you do a fellow a solid?

    My google is broken so I am not able to find the “Nuremburg Treaty” which the USA signed and the US Senate approved.

    I CAN find the Nuremburg Kodex which outlines some principles/guidelines of research using human subjects.

    Can you help a simple country Canadian out and send me some links about the Nuremburg Treaty and the timeline of when it was taken up in the US Senate?

    Appreciate it

  16. John Buffington says:

    *Nuremberg, not Nuremburg

  17. John Buffington says:

    Hey Crickets, I mean, ISupportTheConstitutionOfTheUnitedStates

    I know you are self-admittedly well informed, and clearly know the difference between “emergency” and “experimental” but here is a link to information that your usual sources might not have revealed,


    To make it easy, you can just read the URL if you are busy

    Glad to be of service


  1. […] least in the eyes of federal health privacy laws, according to By Common Consent blogger Sam Brunson, a law professor at Loyola University in […]

  2. […] least in the eyes of federal health privacy laws, according to By Common Consent blogger Sam Brunson, a law professor at Loyola University in […]

  3. […] least in the eyes of federal health privacy laws, according to By Common Consent blogger Sam Brunson, a law professor at Loyola University in […]

  4. […] least in the eyes of federal health privacy laws, according to By Common Consent blogger Sam Brunson, a law professor at Loyola University in […]

  5. […] least in the eyes of federal health privacy laws, according to By Common Consent blogger Sam Brunson, a law professor at Loyola University in […]

%d bloggers like this: