US Fundraising Under HIPAA

US Fundraising Under HIPAA
Clarification from the Department of Health and
Human Services (HHS) on the Final Privacy Rule

April 8, 2003

In December of 2002, AHP requested clarification and additional consideration of three key issues from HHS Secretary Tommy Thompson regarding the Department's Health Information Privacy Rule: 1) the use of Patient Department of Service information for fundraising; 2) clarification on the need for business associate agreements; 3) and clarification on medical independent referrals to institutionally related foundations or development offices. Below are the three questions and the responses received from HHS on April 2, 2003.

The use of Patient Department of Service information for fundraising

AHP Request for Clarification: The Privacy Rule recognizes that philanthropic fundraising is a part of health care operations. However, the final rule limits protected health care information to be used or disclosed for fundraising to demographic information and the date of treatment. AHP believes that the Privacy Rule would be strengthened by allowing development office employees of not-for-profit hospitals and their institutionally related foundations to have access to one additional piece of information that in the health care world is essentially demographic in nature: their patients' department of service (PDS).

HHS Response: As stated in the December 2000 preamble to the Rule, demographic information "will generally include, in this context, name, address and other contact information, age, gender, and insurance status. The term does not include any information about the [patients'] illness or treatment." See 65 FR 82718. Thus, your request that the Department issue guidance that would allow greater use of protected health information relating to the generic area of treatment (e.g., cancer clinic), would be inconsistent with how the Department has interpreted the term "demographic information." We will, however, take your concern into consideration as we continue to evaluate the impact of the Rule and how, in practice, it appropriately balances protection of patient privacy with the need to permit the continued delivery of quality health care. [In other words: HHS will continue to work with AHP on this issue.]
Business Associate Agreements

AHP Request for Clarification: The development offices of and foundations that own not-for-profit hospitals fall under the definition of health care operations. However, out of an abundance of caution, a very few health care institutions are interpreting the Privacy Rule as possibly requiring Business Associate Agreements with their own development offices or foundations. The rule itself does not explicitly exclude these entities from its purview. It is AHP's view that such agreements are not required.

HHS Response: You are, ... , correct that the Rule permits disclosures of patient information for fundraising purposes to institutionally related foundations without a business associate agreement. Health care institutions may use a variety of mechanisms or business arrangements for the conduct of their fundraising activities. If information is being used within a single legal entity for fundraising purposes, the Privacy Rule does not require a business associate contract. Thus, if the records management office of a hospital shares the names of patients with the hospital's development office, a business associate agreement is not needed. Of course, any such communication is limited to demographic information and dates of service. The Rule also permits patient information to be disclosed form one legal entity covered by the Privacy Rule, such as a health care institution, to different legal entity, if the entity receiving the information is a business associate of the covered entity or an institutionally related foundation.
Medical Independent Contractor Referrals

AHP Request for Clarification:Currently, physicians and nurses and other employees of the covered entity may refer the names of grateful patients to the health care institution's development office or institutionally related foundation. However, physicians and other personnel are often contractors (on staff) to the institution rather than its employees. As written, it is unclear whether the Privacy Rule allows a physician or other health care provider who is not an employee to make such a referral.

HHS Response: The answer will depend on the particular facts and circumstances presented. If the provider is not a covered entity, the Rule does not restrict its use or disclosure of protected health information. Also, if the covered entity and the health care provider, who is not a member of the covered entity's workforce, participate in an organized health care arrangement (OHCA), the provider may disclose protected health information for any health care operations activities of the OHCA. See 45 CFR 164.506(c)(5). We emphasize, however, that where the purpose for sharing the information is fundraising, this is limited to demographic information and date of treatment as discussed above.