Fundraising Under HIPAA: The Privacy Rule
AHP's Special Analysis

From Stuart R. Smith, FAHP - Chair
William C. McGinly, Ph.D., CAE - President, Chief Executive Officer
Reviewed and Presented by AHP Legal Counsel - Peter Parvis, Esq., Venable,
Washington, D.C.

Question 3 - Filtering Data
Can a health care provider filter patient information when determining to which prior patients they will send fundraising communications? For example, can the fundraiser request a list from the health care provider that excludes psychiatric or pediatric patients? What would constitute permitted filters?

Short Answer
Response/Conclusion:

See also: Long Answer

The Privacy Rule starts with the concept that the patient's authorization is required for use or disclosure of their own PHI unless the use or disclosure is specifically permitted by the Privacy Rule, as described in the Covered Entity's Notice of Privacy Practices. The fundamental permitted uses and disclosures include treatment, payment for treatment, and some operations of covered entities (including fundraising); some disclosures incidental to or related to those uses; or as required or permitted by other law or a compelling public purpose. The PHI that can be used or disclosed is generally limited to that which is the minimum necessary to accomplish the task [8] (45 CFR § 164.502(b)). The minimum necessary requirement applies to the use or disclosure of PHI for any health care operation, including fundraising, but an additional limit is imposed in the regulations specifically to define the minimum necessary information for fundraising purposes.

The limited information a covered entity can use and disclose to raise funds includes dates of treatment and “demographic information.” Demographic information is not defined in the Privacy Rule, but includes the patient's “name, address and other contact information, age, gender, and insurance status.” HHS says that information about a patient's illness, treatment, or services provided cannot be used for fundraising purposes without the patient's authorization. Use of filters to exclude or target fundraising efforts that are based on the prohibited factors (illness, treatment or services provided) would present risk. The use of filters that do not identify a prohibited factor should be permissible within reason. For instance, the fundraiser might want to send fundraising material, but desire that the mailing list exclude all psychiatric and pediatric patients. The health care provider should be able to filter out contact information to avoid unintended solicitation, as long as the filtering was not done in concert with other efforts which in fact produce mailing lists based on the patient's illness, treatment or services received.

 

[8] The only exceptions to the requirement to use or disclose only the minimum necessary information are for treatment of the individual and for defined disclosures required by law. The rule does not impose the minimum necessary requirement on disclosures to the individual themselves and pursuant to an authorization, but in both of those situations the individual is directly controlling his or her own health information.

 
