HIPAA
HIPAA (Health Insurance Portability and Accountability Act) is the U.S. federal law that regulates Protected Health Information (PHI). It applies to covered healthcare entities and to their business associates, the companies that process PHI on a covered entity’s behalf. Ministrium is not a healthcare entity, but because it handles minors’ health information in Child Check-in and optionally in pastoral records, it operates under the HIPAA framework when a U.S. church requires it.
When HIPAA applies to a church
HIPAA does not apply automatically to churches. It applies when:
- The church operates a health ministry (free clinic, medical counseling) and is classified as a covered entity.
- The church has an agreement with a covered entity and processes PHI on its behalf.
- The church voluntarily decides to operate under the HIPAA standard as good practice, especially when handling minors’ health information.
What Ministrium does
Business Associate Agreement (BAA)
When a U.S. church needs to operate under HIPAA, we sign a BAA (Business Associate Agreement) that documents:
- What PHI Ministrium will process on the church’s behalf.
- What security measures we implement (technical, administrative, and physical).
- How we notify breaches within the legal 60-day window.
- How we return or destroy PHI at the end of the contract.
To request a BAA: write to legal@ministrium.com stating which plan you have contracted and your use case. We have a standard template reviewed by U.S. legal counsel.
BAAs with subcontractors
Ministrium relies on subcontractors for its infrastructure (Replit, Neon, Cloudflare, Stripe, SendGrid). We have signed BAAs with every one of them that may touch PHI:
| Subcontractor | Role | BAA signed |
|---|---|---|
| Replit | Hosting, secrets, deployment | Yes |
| Neon | PostgreSQL database | Yes |
| Cloudflare | CDN and DDoS mitigation | Yes |
| SendGrid | Transactional email | Yes (enterprise version) |
| Stripe | Donation processing | Does not process PHI; PCI-DSS applies instead |
Technical safeguards
- Encryption in transit: TLS 1.2+ required. See Encryption.
- Encryption at rest: AES-256 in the database and object store.
- Access control: RBAC with mandatory MFA for roles that can see PHI.
- Audit logging: every access to a field marked as PHI leaves an immutable record. See Audit and logs.
- Isolation: Postgres Row-Level Security isolates each church’s PHI.
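The isolation and audit-logging items above, as an added PostgreSQL example that is not Ministrium’s own schema: one table of PHI fields with a per-church Row-Level Security policy and an append-only audit trigger. Table, column, role (app_role) and setting (app.church_id) names are assumptions, and logging of reads is assumed to happen in the application layer.

```sql
-- Added example (not Ministrium's schema): one way to implement the
-- "Isolation" and "Audit logging" items above in PostgreSQL. All table,
-- column, role and setting names are assumptions.

-- PHI fields keyed by the church (tenant) that owns them.
CREATE TABLE child_health (
    id          bigserial PRIMARY KEY,
    church_id   integer NOT NULL,
    child_id    integer NOT NULL,
    allergies   text,      -- PHI
    medications text,      -- PHI
    conditions  text       -- PHI
);

-- Append-only audit trail: the app role can only INSERT here.
CREATE TABLE phi_audit (
    id        bigserial   PRIMARY KEY,
    at        timestamptz NOT NULL DEFAULT now(),
    db_user   text        NOT NULL DEFAULT current_user,
    church_id integer     NOT NULL,
    row_id    bigint      NOT NULL,
    action    text        NOT NULL   -- INSERT, UPDATE or DELETE
);

-- The app runs "SET LOCAL app.church_id = '42'" at the start of each
-- transaction. If the setting is missing or empty, NULLIF yields NULL,
-- the comparison is never true, and no PHI row is visible.
ALTER TABLE child_health ENABLE ROW LEVEL SECURITY;
ALTER TABLE child_health FORCE ROW LEVEL SECURITY;  -- applies to the owner too
CREATE POLICY church_isolation ON child_health
    USING (church_id = NULLIF(current_setting('app.church_id', true), '')::integer)
    WITH CHECK (church_id = NULLIF(current_setting('app.church_id', true), '')::integer);

-- Every write to a PHI row leaves a record. Reads are logged by the
-- application layer, since PostgreSQL triggers do not fire on SELECT.
CREATE FUNCTION log_phi_change() RETURNS trigger LANGUAGE plpgsql AS $$
BEGIN
    INSERT INTO phi_audit (church_id, row_id, action)
    VALUES (COALESCE(NEW.church_id, OLD.church_id), COALESCE(NEW.id, OLD.id), TG_OP);
    RETURN COALESCE(NEW, OLD);
END $$;
CREATE TRIGGER child_health_audit
    AFTER INSERT OR UPDATE OR DELETE ON child_health
    FOR EACH ROW EXECUTE FUNCTION log_phi_change();

-- Least privilege for the application role (assumed name app_role).
GRANT SELECT, INSERT, UPDATE, DELETE ON child_health TO app_role;
GRANT INSERT ON phi_audit TO app_role;   -- no UPDATE/DELETE: the trail is immutable
```

A quick check after loading this: connect as app_role, run `SET LOCAL app.church_id = '42'` inside a transaction, and confirm that `SELECT * FROM child_health` returns only that church’s rows and that every write adds a row to phi_audit.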
Administrative safeguards
- Formal information security policy, reviewed annually.
- Mandatory training for the entire Ministrium team on HIPAA and PHI handling.
- Confidentiality agreements signed by all staff with technical access.
- Quarterly review of system access.
- Documented incident response procedure with notification SLA.
Physical safeguards
Ministrium operates cloud infrastructure with no servers of its own. Physical safeguards are covered by certified providers (Replit, Neon, Cloudflare) and documented in their respective SOC 2 reports and HIPAA attestations.
Breach notification
If Ministrium detects a breach that could potentially expose PHI:
- Immediate containment, within the first hours of detection.
- Forensic investigation with evidence preservation.
- Notification to the affected church within 72 hours of confirmation.
- Notification to the affected individual and to HHS following HIPAA timelines, coordinated with the church.
Data Ministrium classifies as PHI
By default, the following fields are treated as PHI when a church operates under a BAA:
- Health information in the minor’s record (allergies, medications, conditions).
- Health information in pastoral notes if the pastor records it.
- Any attached file marked as health-sensitive.
If your church doesn’t operate a health ministry and doesn’t handle PHI beyond child check-in allergies, COPPA is typically the more relevant framework. See COPPA.
Next steps
- COPPA — for minors’ data.
- DPA — for churches outside the USA.
- Audit and logs — the immutable log that supports compliance.
- Request a BAA — write to legal@ministrium.com.