Fundraising Under HIPAA —The Privacy Rule—
AHP's Special Analysis
From: Stuart R. Smith, FAHP - Chair; William C. McGinly, Ph.D., CAE - President, Chief Executive Officer
Reviewed and Presented by AHP Legal Counsel - Peter Parvis, Esq., Venable, Washington, D.C.
Question 1 - Authorization, Notice of Privacy Practices
Is the health care provider required to obtain authorization of former and current patients prior to sending them fundraising materials?
Short Answer Response/Conclusion:
Authorization is not required when the fundraising entity is using only the demographic piece of the protected health information (PHI) or the dates of service. According to the regulations, permissible PHI does not require authorization for fundraising purposes. The patient's authorization is required to use any PHI other than dates of service or demographic information in fundraising (see Question 3). Of course, a fundraising initiative that does not require the use of PHI (i.e., using a mailing list that is obtained without use of any patient data) does not raise HIPAA issues.

HHS states that “[d]emographic information[3] is not defined in the rule, but will generally include [for the purpose of fundraising] name, address and other contact information, age, gender, and insurance status.” Preamble 45 CFR § 164.514(f). In the following exchange, HHS further clarifies the meaning of “demographic information” and the use of non-demographic information in fundraising:
Comment: Several commentators asked us to address the content of fundraising letters. They pointed out that disease or condition-specific letters requesting contributions, if opened by the wrong person, could reveal personal information about the intended recipient.

Response: We agree that such communications raise privacy concerns. In the final rule, we limit the information that can be used or disclosed for fundraising, and exclude information about diagnosis, nature of services, or treatment.

Id. (emphasis added). [4]
- Permissible Information [5]
  Note: There is no regulatory source for this advice, other than the Preamble to the 2000 Final Rule.
  Protected health information that can be utilized for fundraising purposes without obtaining a patient's authorization includes:
  - Date of Service [45 CFR § 164.514(f)(1)]
  - Demographic Information [45 CFR § 164.514(f)(1)] [all of the above are discussed as “demographic information” in the Preamble to the 2000 Final Rule]
    - Name
    - Address
    - Other contact information (phone numbers, e-mail, etc.)
    - Age
    - Gender
    - Insurance status
- Impermissible Use and Disclosure
  PHI that cannot be used without a patient first signing an authorization includes:
  - Diagnosis
  - Nature of services
  - Treatment
  - Place within health care provider where patient receives treatment that identifies the treatment, such as:
    - Department of Psychiatry
    - Department of Obstetrics
    - Department of Radiation Oncology
The Notice of Privacy Practices (Notice) is the primary privacy tool. A health care provider that intends to use protected health information to contact a patient to raise funds must give the patient a “Notice of Privacy Practices,” which contains a separate statement that “[t]he covered entity may contact the individual to raise funds for the covered entity...” 45 CFR § 164.520(b)(1)(iii). From and after April 14, 2003, health care providers or other covered entities with direct patient contact must use a good faith effort to obtain a signed Acknowledgment of receipt of the Notice from patients at the time of the first encounter with the patient.

Additionally, grateful patients who are listed on a provider's donor database prior to the compliance date need not receive individual copies of the Notice of Privacy Practices until their next encounter with the provider as a patient. At such time, the Notice of Privacy Practices must be a part of the admissions process. You must include a fundraising sentence in the Notice of Privacy Practices, which may read:
“We may use certain information (name, address, telephone number, dates of service, age, and gender) to contact you in the future to raise money for (name of institution). We may also provide this name to our institutionally related foundation, for the same purpose. The money raised will be used to expand and improve the services and programs we provide the community.”
An opt-out reference is not necessary in the Notice of Privacy Practices, nor should one be included.

[3] We note that the dictionary definition of "demographic" would not support HHS' statement in the Preamble, but an administrative agency's contemporaneous pronouncement of what it intended its regulations to mean is generally afforded substantial weight. The statement in the Preamble is the only definition available.

[4] Of course, such information could be used with the patient's authorization. This Memo assumes that authorization will not be sought in the great majority of cases. We note again that this list of impermissible items is found only in the Preamble, and is not found in the regulation itself.

[5] The Privacy Rule was proposed in 1999 and initially adopted as a final rule in December 2000 at 65 Fed. Reg. 82461-82829 (12-28-2000) ("the 2000 Final Rule"). Substantial amendments were proposed in March 2002, and an amended final Privacy Rule was adopted in August 2002 (the "2002 Final Rule"). The fundraising provisions were not amended in the 2002 Final Rule, and there is no discussion of the fundraising issue in the Preamble to the 2002 Final Rule. Therefore, guidance on fundraising is found primarily in the Preamble to the 2000 Final Rule, pertinent parts of which are appended to this document.