Fundraising Under HIPAA — The Privacy Rule
AHP's Special Analysis
From Stuart R. Smith, FAHP, Chair, and William C. McGinly, Ph.D., CAE, President and Chief Executive Officer
Reviewed and Presented by AHP Legal Counsel: Peter Parvis, Esq., Venable, Washington, D.C.
Question 3 - Filtering Data
Can a health care provider filter patient information when determining to which prior patients they will send fundraising communications? For example, can the fundraiser request a list from the health care provider that excludes psychiatric or pediatric patients? What would constitute permitted filters?
Long Answer - Detailed Discussion Provided by AHP Legal Counsel (see also: Short Answer)
Fundraising for its own benefit is defined to be part of a covered entity's health care operations. 45 CFR § 164.501. Uses and disclosures of PHI for all health care operations are subject to the requirement to use reasonable efforts to limit disclosure to the minimum necessary to accomplish the intended purpose for which the PHI will be used. 45 CFR § 164.502(b). This general rule applies to all health care operations, but the regulations go on to expressly limit the PHI that can be used for fundraising to “demographic information relating to the individual” and “dates of health care provided to an individual”. 45 CFR § 164.514(f)(1). The regulations do not define “demographic information relating to the individual”, but the discussion in the Preamble to the Final Rule provides a definitional framework.
HHS states that “[d]emographic information[9] is not defined in the rule, but will generally include [for the purpose of fundraising] name, address and other contact information, age, gender, and insurance status.” Preamble 45 CFR § 164.514(f). In the following exchange, HHS further clarifies the meaning of “demographic information” and the use of non-demographic information in fundraising:
Comment: Several commentators asked us to address the content of fundraising letters. They pointed out that disease or condition-specific letters requesting contributions, if opened by the wrong person, could reveal personal information about the intended recipient.

Response: We agree that such communications raise privacy concerns. In the final rule, we limit the information that can be used or disclosed for fundraising, and exclude information about diagnosis, nature of services, or treatment.

Id. (emphasis added). [10]
Permissible Information [11]
Note: There is no regulatory source for this advice, other than the Preamble to the 2000 Final Rule.
Protected health information that can be utilized for fundraising purposes without obtaining a patient's authorization includes:
- Date of Service [45 CFR § 164.514(f)(1)]
- Demographic Information [45 CFR § 164.514(f)(1); all of the following are discussed as “demographic information” in the Preamble to the 2000 Final Rule]:
  - Name
  - Address
  - Other contact information (phone numbers, e-mail, etc.)
  - Age
  - Gender
  - Insurance status
Impermissible Use and Disclosure
PHI that cannot be used without a patient first signing an authorization includes:
- Diagnosis
- Nature of services
- Treatment
- Place within the health care provider where the patient receives treatment, where that place identifies the treatment, such as:
  - Department of Psychiatry
  - Department of Obstetrics
  - Department of Radiation Oncology
Questionable Use and Disclosure
Although not discussed in the regulations or any of the lengthy Preambles to any of the proposed or adopted regulations, a covered entity may be able to use information about the department in which the patient was treated to filter patient names for fundraising purposes if the department name does not identify the type or nature of treatment. For example, when a patient is treated by the medical/surgery or another type of general department, using or disclosing this information for fundraising filtering purposes would not appear to reveal the diagnosis or nature of the services or treatment received by the affected individuals, and would appear to fit within the minimum necessary information to accomplish the goal — fundraising.

A covered entity should adopt policies that address, by job title, the types of PHI that can or cannot be used in connection with the day-to-day performance of various job functions. Adoption of such policies and procedures eliminates the need to make case-specific decisions about whether and how much PHI can be used or disclosed in normal, day-to-day operations. A policy could be structured to ensure that fundraisers receive only the limited PHI described in this Memorandum, while giving them the right to ask some other department of the health care provider to review patient PHI to ensure that the data received fit within the limitation. The use of appropriate filtering by individuals whose job entails access to a broader spectrum of PHI, in order to ensure that the fundraiser does not receive inappropriate information, would appear to be consistent with the general duty of the health care provider to use reasonable efforts to limit use of PHI to the minimum necessary to accomplish the task. As we understand it, the purpose of such limited filtering would generally be to avoid sending fundraising materials to recipients who could reasonably be anticipated not to be interested in receiving them (e.g., psychiatric patients).

This type of filtering would further the purpose of disclosing only the minimum necessary health information to accomplish the desired goal — in this case, contacting patients for fundraising. Filtering should never be done in such a way that impermissible PHI is disclosed — i.e., successive filtering that results in a patient list limited to, for instance, obstetrics patients.

Caution: We also must caution that the adopted privacy rules do not preempt state laws that are more restrictive than the federal rules, or other federal laws. For instance, HIPAA permits limited, traditional disclosure of health care provider directory information, but other federal law prohibits a health care provider from even responding to an inquiry about a patient receiving treatment for substance abuse, and the particular state law on the privacy of medical records must be considered by the fundraising entity. However, the most essential information — name, age, gender, date of treatment, and address — can be used safely for fundraising efforts.

Remember the Notice
The final rule requires providers with a direct treatment relationship, such as a health care provider, to offer a Notice to each patient upon the first direct encounter following the effective date of the Privacy Rule, April 14, 2003, and to use reasonable efforts to obtain a written acknowledgment from the patient that the Notice was offered. The health care provider must develop and maintain a system to identify patients who have received the Notice of Privacy Practices.
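The two-step filtering the memo describes (a role with broader access drops departments the fundraiser should not contact, then only demographic fields and dates of service are passed on) can be expressed as a small data-minimization pipeline. The following is an added example, not code from AHP or its counsel; the field names, department names and patient records are constructed assumptions, and the "treatment-revealing department" set is taken from the memo's own three examples.

```python
"""Minimum-necessary projection and department filtering for a fundraising
contact list.  Added example with constructed data; field and department
names are assumptions, not taken from any real system."""

from __future__ import annotations
from typing import Iterable

# Fields the memo reads 45 CFR 164.514(f)(1) and the 2000 Preamble as
# permitting for fundraising without authorization: demographic information
# plus dates of service.  Everything else is stripped before hand-off.
PERMITTED_FIELDS = frozenset({
    "name", "address", "phone", "email", "age", "gender",
    "insurance_status", "date_of_service",
})

# Department names the memo says identify the nature of treatment (assumed
# spellings).  A list made up only of these patients would itself disclose
# treatment, which is the "successive filtering" the memo warns against.
TREATMENT_REVEALING_DEPARTMENTS = frozenset({
    "Psychiatry", "Obstetrics", "Radiation Oncology",
})


class ImpermissibleDisclosure(Exception):
    """Raised when a filter step would hand the fundraiser impermissible PHI."""


def filter_for_fundraising(records: Iterable[dict],
                           exclude_departments: Iterable[str]) -> list[dict]:
    """Step 1 (run by a role allowed to see the department field): drop
    patients in departments the fundraiser does not want to contact.
    Step 2: project survivors onto the permitted fields only, so diagnosis,
    treatment and department never reach the fundraiser."""
    excluded = set(exclude_departments)
    survivors = [r for r in records if r.get("department") not in excluded]

    # Guard: the remaining list must not consist solely of patients from
    # treatment-revealing departments (e.g. an obstetrics-only list).
    remaining = {r.get("department") for r in survivors}
    if survivors and remaining <= TREATMENT_REVEALING_DEPARTMENTS:
        raise ImpermissibleDisclosure(
            f"resulting list is limited to {sorted(remaining)} patients")

    return [{k: v for k, v in r.items() if k in PERMITTED_FIELDS}
            for r in survivors]


def contains_only_permitted_fields(rows: Iterable[dict]) -> bool:
    """Review check the memo assigns to a non-fundraising role: confirm no
    row carries anything beyond the permitted fields."""
    return all(set(row) <= PERMITTED_FIELDS for row in rows)


# Constructed sample records (not real patients).
SAMPLE_RECORDS = [
    {"name": "Patient A", "address": "1 Main St", "age": 54, "gender": "F",
     "insurance_status": "insured", "date_of_service": "2003-05-01",
     "department": "General Medicine", "diagnosis": "[constructed]"},
    {"name": "Patient B", "address": "2 Main St", "age": 41, "gender": "M",
     "insurance_status": "uninsured", "date_of_service": "2003-05-02",
     "department": "Psychiatry", "diagnosis": "[constructed]"},
    {"name": "Patient C", "address": "3 Main St", "age": 29, "gender": "F",
     "insurance_status": "insured", "date_of_service": "2003-05-03",
     "department": "Obstetrics", "diagnosis": "[constructed]"},
    {"name": "Patient D", "address": "4 Main St", "age": 67, "gender": "M",
     "insurance_status": "insured", "date_of_service": "2003-05-04",
     "department": "Surgery", "diagnosis": "[constructed]"},
    {"name": "Patient E", "address": "5 Main St", "age": 72, "gender": "F",
     "insurance_status": "insured", "date_of_service": "2003-05-05",
     "department": "Radiation Oncology", "diagnosis": "[constructed]"},
]

if __name__ == "__main__":
    # Excluding psychiatry alone is the memo's permitted case: four rows,
    # none carrying diagnosis or department.
    for row in filter_for_fundraising(SAMPLE_RECORDS, {"Psychiatry"}):
        print(row)
```

Excluding only the psychiatry department yields four rows with nothing but demographic fields and the date of service; excluding the general departments as well leaves only obstetrics and radiation oncology patients, and the function refuses to produce that list because its membership alone would disclose treatment.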
Notes

[9] We note that the dictionary definition of "demographic" would not support HHS' statement in the Preamble, but an administrative agency's contemporaneous pronouncement of what it intended its regulations to mean is generally afforded substantial weight. The statement in the Preamble is the only definition available.

[10] Of course, such information could be used with the patient's authorization. This Memo assumes that authorization will not be sought in the great majority of cases. We note again that this list of impermissible items is found only in the Preamble, and is not found in the regulation itself.

[11] The Privacy Rule was proposed in 1999 and initially adopted as a final rule in December 2000 at 65 Fed. Reg. 82461-82829 (12-28-2000) ("the 2000 Final Rule"). Substantial amendments were proposed in March 2002, and an amended final Privacy Rule was adopted in August 2002 (the "2002 Final Rule"). The fundraising provisions were not amended in the 2002 Final Rule, and there is no discussion of the fundraising issue in the Preamble to the 2002 Final Rule. Therefore, guidance on fundraising is found primarily in the Preamble to the 2000 Final Rule, pertinent parts of which are appended to this document.