|
Fundraising Under HIPAA —The Privacy Rule— From Stuart R. Smith, FAHP - Chair
Long Answer HHS gives little guidance on what must be included in the opt-out provision. The regulations state that the covered entity must include a “description” of how the patient can opt out and the covered entity “must make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications.” § 164.514(f)(2). The Preamble section on fundraising states that “we require fundraising materials to explain how the individual may opt out of any further fundraising communications, and covered entities are required to honor such requests.” Preamble 45 CFR § 164.514(f). The opt-out clause should refer to all future materials relating to fundraising. Besides this brief statement, the regulations, including the Preamble and comment and response sections, do not describe what this opt-out explanation should contain, where it should be located on the fundraising materials, or how it should be presented on this material. A statement in the Preamble to the 2000 Final Rule has created confusion about whether some description of the opt-out is required in the Notice of Privacy Practices. The discussion in the Preamble states that “As part of the notice and in any fundraising materials, covered entities must provide information explaining how individuals may opt out of fundraising communications”. See appendices. However, the regulations themselves in 45 CFR § 164.514(f)(2)(ii) only require the covered entity to include the opt-out explanation “in any fundraising materials it sends to an individual”. The regulations also require the covered entity to include the statement in the Notice required by § 164.520(b)(1)(iii)(B), which states only that “The covered entity may contact the individual to raise funds for the covered entity.” The regulations do not require a description of the opt-out in the Notice, as long as the opt out is contained in fundraising materials sent to an individual. Each covered entity'should make its own decision about whether it includes a reference to the ability of opt-out in the Notice based on its total approach to the amount of specificity it desires in its Notice. This is the recommended way of conducting fundraising activities. Plain Language Although the regulations do not discuss plain language requirements in this context, the use of plain language is mandated for the Notice of Privacy Practices provisions of the regulations. 45 CFR § 164.520(b). HHS has stated that a covered entity will satisfy the plain language requirements if they “make a reasonable effort to: organize material to serve the needs of the reader; write short sentences in the active voice, using you and other pronouns; use common, everyday words in sentences; and divide material into short sections. Preamble 45 CFR § 164.520(b). It would be prudent to comply with the plain language provisions when drafting opt-out clauses. Sample Clauses Two versions of opt-out provisions are provided as examples.
Please note that whether or not the second sentence in this second version is included, the requirement to use all reasonable efforts is imposed by HIPAA. Languages The provisions in the regulations concerning opt-out clauses do not discuss the necessity of having these clauses communicated in a variety of languages. The language requirements should not apply to the opt-out provisions, unless of course the solicitation is multi-lingual. [7] Fundraising Events In the event that an individual opts out under the broad version of the opt-out provision, the regulations do not discuss whether a covered entity can continue to send that individual information concerning health care provider events that may include active or passive fundraising. See the discussion on Question 5 for a more complete discussion of restrictions on marketing contained in the 2002 Final Rule.
|
||||||||