Fundraising Under HIPAA: The Privacy Rule
AHP's Special Analysis

From Stuart R. Smith, FAHP - Chair
William C. McGinly, Ph.D., CAE - President, Chief Executive Officer
Reviewed and Presented by AHP Legal Counsel - Peter Parvis, Esq., Venable,
Washington, D.C.

Question 4 - Institutionally Related Foundation, Business Associates
Do the regulations require that a covered entity have a formal "business associate" type contract with an institutionally related foundation?

Long Answer
Detailed Discussion Provided By AHP Legal Counsel:

See also: Short Answer

We do not believe that a business associate agreement between a health care provider and its institutionally related foundation is required. That belief is founded on statements in the Preamble to the 2000 Privacy Rule; the regulations themselves are not as clear as they could be.

In the general discussion in the Federal Register when the 2000 Final Rule was adopted, HHS stated that:

As provided in §164.514(f) and described in detail in the corresponding Preamble, authorization is not required when a covered entity uses or discloses demographic information and information about dates of health care provided to an individual for the purpose of raising funds for its own benefit, nor when it discloses such information to an institutionally related foundation to raise funds for the covered entity. (emphasis added) [Preamble to the 2000 Final Rule.]

In its specific discussion on the newly added §164.514(f), HHS added further clarification:

We permit a covered entity to disclose the limited protected health information to a business associate for fundraising on its own behalf. We also permit a covered entity to disclose the information to an institutionally related foundation. (emphasis added)

This distinction between a business associate and a foundation is repeated in the regulation itself. Section 45 CFR 164.514(f)(1) states that:

“Standard: uses and disclosures for fundraising. A covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of §164.508:

  1. Demographic information relating to an individual; and
  2. Dates of health care provided to an individual.” (emphasis added)

There would be no reason to differentiate in both the Preamble and in the regulation if the institutionally related foundation were merely a business associate, because the regulations describing the business associate relationship would have simply applied to the foundation. HHS differentiated between a business associate and a foundation, leading to the clear inference that a covered entity would not be required to treat a foundation as a business associate. The Preamble discussion goes on to discuss both the meaning of and some of the reasoning for differentiation between foundation and business associate, and makes clear that the distinction was not accidental:

We agree with commentators that our proposal could have adversely affected charitable giving, and accordingly make several modifications to the proposal. First, the final rule allows a covered entity to use or disclose to a business associate protected health information without authorization to identify individuals for fundraising for its own benefit.

Second, the final rule allows a covered entity to disclose protected health information without authorization to an institutionally related foundation that has as its mission to benefit the covered entity. This special provision is necessary to accommodate tax code provisions which may not allow such foundations to be business associates of their associated covered entity. (emphasis added)

The Preamble also discusses what kinds of entities may qualify as foundations. Unfortunately, although the regulations themselves expressly permit disclosure of protected health information (PHI) to such foundations, they neither define foundations nor specifically exclude them from the definition of “business associate.” As noted, there is no further discussion of the status of foundations, or of fundraising in general, in any of the subsequent Federal Register issuances or in the “FAQ” on the Privacy Rule that HHS released in December 2002.

Therefore, those who read the regulations without the benefit of the language in the Preamble to the 2000 Final Rule would be likely to reach the conclusion that a business associate agreement is required, because in almost any other circumstance a covered entity could not disclose PHI to an independent entity in the absence of such an agreement. We believe the language in the Preamble is clear enough to justify the disclosure of PHI to a foundation without having a business associate contract in place, although the foundation, as a sort of alter ego to the covered entity, should certainly comply with the confidentiality provisions of the Privacy Rule. The Preamble language, published at the time HHS adopted the regulation for the first time, is entitled to great weight in interpreting the regulations. The covered entity could also elect to simply include the affiliated foundation in its Notice of Privacy Practices to bring it clearly within the covered entity. This could be accomplished by defining it as part of the “we” in the Notice of Privacy Practices. This would have the practical effect of treating the foundation as if it were part of the covered entity for purposes of HIPAA compliance.
