Most Commonly Asked Questions About the Health Insurance Portability and Accountability Act of 1996 (HIPAA) also Known as the Privacy Rule
By William C. McGinly, Ph.D., CAE
AHP President, Chief Executive Officer
Source: AHP E-Connect, May 2003
Now that we are past the compliance date for the implementation of the U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) as it relates to fundraising, it is imperative that we continue our efforts to assure we have fully considered and adequately implemented the safeguards required in the privacy regulations. Here are some of the questions we are receiving, key ones that you should have addressed in your implementation program, together with what we hope are the appropriate answers, reviewed by AHP legal counsel Venable, Washington, D.C.
Is the development office/institutionally related foundation allowed to receive a patient list from the hospital so that the development officer can visit patients, many of whom are donors?
The hospital is permitted to maintain a directory that lists patients in the hospital, and may provide general information about the patient's location in the hospital and general condition to persons who inquire. The same list can be provided to the development office or institutionally related foundation for fundraising purposes.
If a patient exercises his/her right not to put their name into the provider (hospital) directory when they receive service, is the development department or institutionally related foundation prohibited from contacting this patient under the HIPAA regulations?
This is not a HIPAA question, but a management one. A patient's decision not to be included in the provider's directory does not mean the provider discontinues treatment, payment processes, or health care operations (remember, fundraising is part of health care operations under the regulations) based upon the patient's information. This directory reference is the public directory maintained in accordance with the policies established by the provider. It is clear that providing care, arranging for payment/reporting, and conducting health care operations as defined in the HIPAA regulations must continue uninhibited. A patient's decision not to be included in the directory information would not deny the physician or the nurse access to his/her patient, nor the development department or institutionally related foundation from providing their respective services. In the case of the development effort, of course, the fundraiser would follow the wishes of the patient once initial contact is made. Clearly, under the HIPAA regulations, the health care provider cannot withhold the demographic patient information simply because the patient decides not to be included in the provider's directory.
Is there a point when the opt-out language is no longer required on the development office/institutionally related foundation's fundraising materials? For instance—after a relationship has developed over several years with a former grateful patient, now a donor?
The Privacy Rule requires that the solicitation must include in "any fundraising materials it sends to an individual under this paragraph a description of how the individual may opt out of receiving any further fundraising communications." The entity could no doubt honor a written statement from the individual, but that approach does not strike us as feasible.
Many long-term care providers solicit the family members of their residents. Is that permissible under HIPAA without authorization? Is the opt-out language required as well?
Long-term care providers that are covered entities under the Privacy Rule are subject to exactly the same rules as everybody else. Whether the names of family members were obtained in the course of providing treatment to the patient or otherwise, they can be used in the course of any fundraising effort that fits within the Privacy Rule. Fundraising under HIPAA does not require patient authorization. Any fundraising under HIPAA must contain the opt-out language. Fundraising that does not use protected health information (PHI) does not require the opt-out language. If the fundraising entity can satisfy itself that it is not using PHI to direct a solicitation, it does not have to add the opt-out language.
In the U.S. Fundraising Under HIPAA - AHP Special Analysis, it lists insurance status as a permissible use of protected health care information (PHI). Does that mean that the development office/institutionally related foundation is allowed to know that "yes" the grateful patient has insurance or "no" they do not, or can we know what type of insurance (HMO, Medicaid, Medicare, etc.)?
The regulations do not provide any guidance. We would presume that insurance status means the type of insurance, and not just whether or not the patient was insured. However, the minimum necessary rule always applies, so the insurance status should only be requested by, or given by the provider to, the foundation if it is reasonably necessary for the foundation to perform the task for which it requested the information. That means there should be some specific reason to request or give the specific insurance status. In our case, knowing that a patient is a Medicaid or Medicare patient would be relevant to our fundraising efforts.
Many times our development office sends out newsletters or brochures to a grateful patient mailing list with information about planned giving and a response card requesting more information. They are informational pieces rather than direct fundraising appeals. Do these materials need the opt-out language?
You must decide. If you are convinced that the materials are purely educational, and do not involve fundraising, the opt-out language is not required. However, if the planned giving is for the benefit of the institution, including the opt out would provide protection.
We understand that our foundation newsletter does not need the opt-out language. However, if we include a return envelope intended for donations, do we then need to include the opt-out language? If yes, would it go on the envelope or on the newsletter?
If your newsletter contains fundraising materials, the materials require the opt-out language. There is no blanket exception in the regulations, and the content, not the name, of the solicitation material controls. The regulations require that the "materials" contain the description of how to opt out, without specifying where the description must appear.
Is the application for grants by a hospital's foundation considered fundraising? When applying for grants, our foundation receives protected health information (PHI) from our hospital and the foundation derives general statistical information from the list. Names of patients, their medical conditions and other PHI is never used as a part of the grant process, just general statistical patient information that is derived from PHI. Is this allowed under HIPAA?
It may not matter. Neither the regulations nor any of the introductory and explanatory language provide guidance on this issue. Fundraising is not defined in the Privacy Rule, but an argument that grant applications are a form of fundraising would appear to have merit. If grantsmanship is a part of fundraising, the foundation could use the same limited demographic information for grant applications that it uses for fundraising. If only de-identified information is used in grant applications, no HIPAA concerns are presented at all. Neither approach appears to present significant HIPAA issues. If grant applications are not fundraising, it is not clear that they are part of operations. If they are not part of operations, no PHI could be used in connection with the grants in the absence of authorizations. Fundraising is defined to be part of operations, which permits the use of PHI. We do not believe that the use of limited (i.e., fundraising) PHI in grant applications would present a HIPAA violation.
If the foundation decides to use an authorization form so that it can use department of service for targeted appeals, is there suggested language that AHP could provide?
Sample Authorization Form
If people decide to opt out from receiving future fundraising materials from the foundation/development office, should we only accept the request in writing? Is there a requirement in HIPAA? What if we receive a request via a phone call?
The regulations do not specify how the opt out limitation is to be applied. Please keep in mind that the Privacy Rule is intended to balance the individual's legitimate need and expectation for protection of their health information against the need to permit the health system to function. It may be reasonable to require the request to be in writing, if that is your adopted policy, due to the difficulties inherent in verifying the identity of the person on the other end of the phone. If your institution is requiring most of the individual rights to be exercised in writing, it could also require the opt out to be elected in writing. If that is your policy, however, make sure the opt-out language contained in your fundraising solicitations clearly states the requirement to opt out in writing.
Our foundation sends invitations to special events for our grateful patients and donors. Do these invitations need the opt-out language?
Sometimes the invitations include a "donation per plate" and others have no fundraising requests whatsoever.
If the invitation involves fundraising, the solicitation must include the opt-out language. If it does not, the opt-out language need not be included.
Can the development office/foundation solicit health care providers' employees or alumni (teaching hospitals)? Are there any restrictions in HIPAA?
Yes to question 1, no to question 2. There are no restrictions in HIPAA with respect to the use of information that is not individually identifiable health information (IIHI). Names and identifying information about employees and alumni are not IIHI.
Can a long-term care provider solicit family members of their residents? Do they need to follow the HIPAA regulations if they do so?
If the information used to target the solicitation is derived from individually identifiable health information (IIHI), the HIPAA rules apply and must be followed. If the names of family members are derived from some other source, the HIPAA rules do not apply.
Are home health care providers (i.e. - visiting nurses) that frequently receive referrals from hospitals required to follow the requirements of HIPAA?
If they are covered entities, or members of the workforce of or business associates of covered entities, they are required to follow the requirements of HIPAA. It is anticipated that most home health care entities would be covered entities, so that their employees and workforce members would be required to follow the agency's HIPAA policies and procedures. It is possible that some home health care entities would be neither covered entities nor business associates of covered entities, in which case HIPAA would not apply.
Many foundations/development offices have shadow programs for donors. A donor shadows a physician for a day. Many development offices have the donor sign a confidentiality agreement before participating. Also, the donors are told that they are not allowed to interact with patients, only observe. Can programs like this continue under the HIPAA regulations? Does the foundation need permission from patients? What about children's hospitals—would they need permission from the parent?
There do not appear to be any exceptions that would permit this activity to continue in the absence of authorization from the patient or, in the case of most children, their parent as personal representative. The incidental disclosure rules permit disclosure to individuals involved in health education and training programs without specific patient authorization, but the activity described does not appear to fit within health education and training. This activity would go well beyond the minimum necessary requirement in performing specific fundraising tasks.
Are health associations such as the American Heart Association or the Amyotrophic Lateral Sclerosis Association (ALS - Lou Gehrig's disease) considered covered entities under HIPAA?
This question cannot be answered without additional facts. It is certainly possible that an association might engage in activities (e.g., operating a pharmacy) that would make it, or a part of its activities, a covered entity and therefore subject to HIPAA, but in the absence of such activities the answer is generally no: the association would not have to comply with HIPAA.
What is permissible protected health information (PHI), that is, information that can be used for fundraising purposes? Has there been a change in the type of information that can be used in fundraising by the covered entity, or disclosed to a foundation or business associate, with the HHS proposal of March 27?
There have been NO changes proposed by HHS as to what is permissible PHI for fundraising. Demographic information that can be used for fundraising purposes without obtaining a patient's authorization includes: name; address; other contact information (phone numbers, e-mail, etc.); age; gender; insurance status; and date of service. Patient data concerning the patient's diagnosis, nature of services, or treatment cannot be used in connection with fundraising unless the patient signs an authorization permitting such use. This appears to also prohibit using the place within the hospital where the patient received treatment if it would identify the treatment, such as the Department of Psychiatry, Department of Obstetrics or Department of Radiation Oncology. AHP is pursuing HHS to allow AHP members to use patient department of service (PDS) information to enable targeted fundraising to grateful patients. This will be particularly helpful to providers that conduct appeals to grateful patients by department.
What is the difference between the "Notice of Privacy Practices" and the "Opt-Out Clause"? What are examples of each?
Your Notice of Privacy Practices is basically a statement that outlines how medical record information will be used and the limitations upon its use. Relative to philanthropy, the Notice of Privacy Practices should contain a sentence about contacting individuals to raise funds. The Notice of Privacy Practices must be available to former and current patients. You can post your Notice of Privacy Practices on your Web site, include it in newsletters or publish it in other communication vehicles. It is not required that you mail the Notice of Privacy Practices to grateful patients prior to soliciting them. This is a common misunderstanding. While many of your compliance officers or others in this position may suggest or even recommend that you mail the Notice of Privacy Practices before soliciting patients, this is not required or necessary. You only need to make it available.
Additionally, grateful patients who are listed on a provider's donor database prior to the compliance date need not receive individual copies of the Notice of Privacy Practices until their next encounter with the provider as a patient. At such time, the Notice of Privacy Practices should be a part of the admissions process.
Model language relative to philanthropy is a sentence in the complete Notice of Privacy Practices, which may read: "We may use certain information (name, address, telephone number, dates of service, age, and gender) to contact you in the future to raise money for (name of institution). We may also provide this name to our institutionally related foundation only, for the same purpose. The money raised will be used to expand and improve the services and programs we provide the community."
The opt-out clause requires that the health care entity in its fundraising efforts include an opt-out provision when fundraising material is sent to former patients. An opt-out clause relating to fundraising materials is necessary to satisfy the regulations. The sample version of the opt-out language we suggested, and our legal counsel reviewed in the "Special Analysis," states: "Please write to us at our address if you wish to have your name removed from the list to receive fundraising requests supporting the (name of entity) in the future." This is a direct and simple statement that satisfies the "opt-out" requirement in the regulations.
Does the signed acknowledgement only apply to patients as they enter the hospital for treatment? What about former grateful patients? Would the foundation have to mail the Notice of Privacy Practices to a database established before the compliance date?
Only a covered entity with a direct relationship with patients has to use good faith efforts to obtain an acknowledgement, but virtually all hospitals would be within that category and subject to the requirement. The obligation arises upon the first in-person encounter after the effective date of the Privacy Rule — April 14, 2003. The requirement to make a copy of the Notice of Privacy Practices available (Web site, office posting, newsletter, etc.) prior to using even limited protected health information to identify recipients applies on the effective date, even if there is no direct opportunity or obligation to obtain an acknowledgement. A covered entity can continue to use and disclose protected health information for fundraising purposes after the effective date. Such use can only be for treatment, payment and operations (fundraising is part of operations under the regulation), as long as the use is consistent with documents provided to patients. Patient information that is in the possession of a covered entity prior to the effective date — such as lists of former grateful patients — can continue to be used without obtaining an acknowledgement of receipt of the Notice of Privacy Practices, or authorization from the former patient (at least until the patient returns to the provider for services, at which time the provider would have to use a good faith effort to obtain an acknowledgement and deliver a Notice of Privacy Practices). An example follows:
Patient A is treated one or more times prior to April 14, 2003, signs the entity's release and consent forms, is added to the solicitation list and receives fundraising materials. Patient A does not return to the entity for additional care.
In June 2003, the entity initiates a fundraising effort. It can use its existing lists, compiled prior to the effective date. The solicitation would have to contain the opt-out language.
In September 2003, Patient A comes to the entity for care. This is the first patient encounter after the effective date. The entity must use a good faith effort to obtain a written acknowledgement and deliver a Notice of Privacy Practices at this time, even if it has already published the Notice of Privacy Practices earlier (Web site, posting in facility, newsletter, etc.).
Note: The written acknowledgement only needs to be obtained one time — the first direct encounter after April 14, 2003.
As noted, there are multiple methods of disseminating the Notice of Privacy Practices. The fundraiser should ensure that some method of mass communication (i.e. newsletter) is used, in addition to posting the Notice of Privacy Practices physically in the hospital and on the Web site.
If an individual has decided to opt out from receiving information pertaining to fundraising, could the fundraising entity continue to send that individual information about events if those events will have active or passive fundraising?
An opt-out provision must be included when fundraising material is sent to former patients. An opt-out clause relating to all "further fundraising materials" is necessary to satisfy the regulations. A fundraiser is able to continue to send an individual who has opted out from receiving fundraising communications information about educational and other events that it sponsors, even if those events will contain active or passive fundraising. Newsletters and other types of fundraising and marketing communications intended for a general audience do not have to include an opt-out clause, and therefore should not be mentioned in any opt-out language.
Can a hospital filter patient information demographically when determining to which prior patients they will send fundraising communications? What would constitute permitted demographic filtration?
A covered entity can only use and disclose dates of treatment and demographic information to raise funds. Demographic information includes the patient's "name, address and other contact information, age, gender, and insurance status." Information about a patient's illness, treatment, or services provided cannot be used for fundraising purposes without a prior authorization. Use of filters to exclude or target fundraising efforts that are based on the prohibited factors — illness, treatment or services provided — is not explicitly prohibited, but would present risk. The overriding intent of the regulations is to generally prohibit the release of patient information without patient choice — either or both specific consent and authorization — neither of which is required for fundraising. The quid pro quo is that usable information for fundraising purposes is limited in nature. Therefore, the use of filters that do not identify a prohibited factor is permissible.
Can a physician, nurse or technician give a patient's name to the foundation/development office for fundraising purposes without a signed authorization?
YES. The Privacy Rule permits certain limited information, including the name of a patient or former patient, to be used by the covered entity (in the case of an in-house effort) or disclosed to an affiliated foundation as part of the covered entity's operations, without a patient's authorization. Authorizations are written, signed documents that permit the express and described release or use of patient information for any purpose other than treatment, payment or operations. Therefore, employees of the covered entities, such as physicians and nurses, can provide such information. However, and this is a BIG HOWEVER, as the regulations are now written (and we believe this is an unintended consequence of the regulation regarding physicians), only physicians employed by the provider can provide information about patients to the fundraising department or foundation. Physicians "on staff" (i.e., having privileges at the provider) cannot. AHP is asking HHS for clarification regarding employed and staff physicians.
If the covered entity, development office or foundation uses volunteers (trustees or others) to assist in the fundraising enterprise and shares permissible patient information for fundraising purposes, does the covered entity need to initiate a "business associate contact" between the entity and the volunteer?
NO. Volunteers working with the development office or foundation are defined as "part of the workforce" under the regulations and no business associate agreement is required. Volunteers working under the supervision of the entity are considered part of the workforce, that is, "employed" as a volunteer.