Fundraising Under HIPAA —The Privacy Rule—
AHP's Special Analysis

From Stuart R. Smith, FAHP - Chair
William C. McGinly, Ph.D., CAE - President, Chief Executive Officer
Reviewed and Presented by AHP Legal Counsel - Peter Parvis, Esq., Venable,
Washington, D.C.

Long Answer
Detailed Discussion Provided by AHP Legal Counsel:
See also: Short Answer

The final privacy regulations include fundraising “for the benefit of the covered entity” as a “health care operation.” 45 CFR § 164.501.[6] Covered entities do not have to obtain an authorization from the patient to use or disclose a limited subset of otherwise protected health information for the purpose of raising funds. That is to say that the use of demographic information for fundraising purposes is permissible under the regulations. 45 CFR § 164.502(a)(1)(vi). The relevant section states that:

(f)(1) Standards: uses and disclosures for fundraising. A covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting requirements of §164.508:

1. Demographic information relating to an individual; and
2. Dates of health care provided to an individual.

(2) Implementation specifications: fundraising requirements.

1. The covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by 164.520(b)(1)(iii)(B) [the Notice of Privacy Practices] is included in the covered entity's notice;
2. The covered entity must include in any fundraising materials it sends to an individual under this paragraph a description of how the individual may opt out of receiving any further fundraising communications.
3. The covered entity must make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications. 45 CFR § 164.514(f).

A health care provider that intends to contact a patient to raise funds must include in its “Notice of Privacy Practices” a separate statement that it “may contact the individual to raise funds for the covered entity...” 45 CFR § 164.520(b)(1)(iii). From and after April 14, 2003, health care providers or other covered entities with direct patient contact must use a good faith effort to obtain a signed Acknowledgment of receipt of the Notice from patients at the time of the first encounter with the patient. The patient's authorization is required to use any protected health information (PHI) other than dates of service or demographic information in fundraising (See Question 3).

Additionally, grateful patients who are listed on a provider's donor database prior to the compliance date need not receive individual copies of the Notice of Privacy Practices until their next encounter with the provider as a patient. At such time, the Notice of Privacy Practices must be a part of the admissions process.

You must include a fundraising sentence in the Notice of Privacy Practices, which may read:

“We may use certain information (name, address, telephone number, dates of service, age, and gender) to contact you in the future to raise money for (name of institution). We may also provide this name to our institutionally related foundation, for the same purpose. The money raised will be used to expand and improve the services and programs we provide the community.”

It is not necessary nor should an opt-out reference be included in the Notice of Privacy Practices.

Previous Page