Response from the Department of Health and Human Services,
Office of the Secretary, Office of Civil Rights Regarding AHP's Request for Clarification Regarding the Final Privacy Rule

See also:  AHP Letter to HHS Secretary Tommy Thompson and US Fundraising Under HIPAA

April 2, 2003

William C. McGinly, Ph.D., CAE
President, Chief Executive Officer
Association for Healthcare Philanthropy
313 Park Avenue, Suite 400
Falls Church, VA 22046

Dear Dr. McGinly:

Thank you for your letter to Secretary Thompson, providing the views of the Association for Healthcare Philanthropy (AHP) regarding the Department's Health Information Privacy Rule. Secretary Thompson has asked me to respond on his behalf. As you may know, the Office for Civil Rights has responsibility within the Department for implementing the Privacy Rule.

We have given careful consideration to your letter, which requests our views with respect to three issues: Patient's Department of Service Information, Business Associate Agreements, and Medical Independent Contractor Referrals, and I will comment on them in turn.

As you know, the Privacy Rule at 45 CFR 164.51(f) permits a covered entity to use protected health information without individual authorization for fundraising on its own behalf, provided that it limits the information that it uses to demographic information about the individual and the dates that it has provided services to the individual. In drafting this aspect of the Rule, the Department balanced the interest of limiting access to patients' protected health information, with the need of a covered entity to engage in fundraising. This issue was addressed in the Final Rule on December 28, 2000, and was not modified by the August 14, 2002 Rule.

As stated in the December 2000 preamble to the Rule, demographic information "will generally include, in this context, name, address and other contact information, age, gender, and insurance status. The term does not include any information about the [patients'] illness or treatment." See 65 FR 82718. Thus, your request that the Department issue guidance that would allow greater use of protected health information relating to the generic area of treatment (e.g., cancer clinic), would be inconsistent with how the Department has interpreted the term "demographic information." We will, however, take your concern into consideration as we continue to evaluate the impact of the Rule and how, in practice, it appropriately balances protection of patient privacy with the need to permit the continued delivery of quality health care.

Your letter further requests that the Department confirm that health care institutions are not required by the Privacy Rule to execute business associate contracts with their own development offices or foundations. As you point out, at 45 CFR 164.514(f)(1), the Privacy Rule states, "A covered entity may use, or disclose to a business associate or to an institutionally related foundation..." certain protected health information for fundraising purposes. Health care institutions may use a variety of mechanisms or business arrangements for the conduct of their fundraising activities. If information is being used within a single legal entity for fundraising purposes, the Privacy Rule does not require a business associate contract. Thus, if the records management office of a hospital shares the names of patients with the hospital's development office, a business associate agreement is not needed. Of course, any such communication is limited to demographic information and dates of service. The Rule also permits patient information to be disclosed from one legal entity covered by the Privacy Rule, such as a health care institution, to a different legal entity, if the entity receiving the information is a business associate of the covered entity or an institutionally related foundation. You are, therefore, correct that the Rule permits disclosures of patient information for fundraising purposes to institutionally related foundations without a business associate agreement.

The last issue raised in your letter is whether the Privacy Rule allows a health care provider who is not a member of the covered entity's workforce (e.g., an independent contractor or a provider with staff privileges) to disclose protected health information to refer patients to the development office of the covered entity. The answer will depend on the particular facts and circumstances presented. If the provider is not a covered entity, the Rule does not restrict its use or disclosure of protected health information. Also, if the covered entity and the health care provider, who is not a member of the covered entity's workforce, participate in an organized health care arrangement (OHCA), the provider may disclose protected health information for any health care operations activities of the OHCA. See 45 CFR 164.506(c)(5). We emphasize, however, that where the purpose for sharing the information is fundraising, this is limited to demographic information and date of treatment as discussed above.

Of course, the Rule always permits disclosures of information with adequate patient authorization. An individual physician or the health care institution may use department of service information or other non-demographic information in deciding which patients to approach to ask if they would be willing to authorize the use or disclosure of their information for fundraising purposes. The authorization itself must be in writing and meet the requirements of the Rule at 45 CFR 164.508.

Thank you for sharing information about the perspectives of AHP with us. We recognize the importance of philanthropic fundraising to the healthcare industry, and hope our response is helpful to AHP.

Please do not hesitate to contact me if you have any further questions or concerns.

Director, Office of Civil Rights

 
