Fundraising Under HIPAA: The Privacy Rule
AHP's Special Analysis
From Stuart R. Smith, FAHP, Chair, and William C. McGinly, Ph.D., CAE, President and Chief Executive Officer
Reviewed and presented by AHP Legal Counsel Peter Parvis, Esq., Venable, Washington, D.C.
Question 4 - Institutionally Related Foundation, Business Associates
Do the regulations require that a covered entity have a formal "business associate" type contract with an institutionally related foundation?
Short Answer Response/Conclusion (see also: Long Answer)
A business associate agreement is not required with an institutionally related foundation. The regulations treat fundraising by an institutionally related foundation as part of the covered entity's health care operations, and no business associate agreement is needed for an activity that falls within health care operations.
The Preamble discussion indicates that a health care provider can disclose patient information to an institutionally related foundation without a business associate agreement. A health care provider could therefore 1) include the foundation in its Notice of Privacy Practices and not use a business associate agreement; 2) use a business associate agreement; or 3) rely on the Preamble language discussed below while doing neither 1 nor 2. The regulations do not expressly require that a covered entity have a formal "business associate" type contract with an institutionally related foundation. [12] In fact, AHP's successful educational efforts with HHS resulted in fundraising by an institutionally related foundation being included in the definition of health care operations; therefore, no business associate agreement is needed. It is necessary, however, that the entity performing the fundraising meet the definition of an institutionally related foundation, described by HHS as:
[A] foundation that qualifies as a nonprofit charitable foundation under sec. 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to the covered entity. An institutionally related foundation may, as explicitly stated in its charter, support the covered entity as well as other covered entities or health care providers in its community. (Preamble to the 2000 Final Rule, 45 CFR § 164.514(f))
This definition would appear to cover almost all traditional nonprofit fundraising entities affiliated with a health care provider, which are generally formed as supporting organizations under § 509(a)(3) of the Code or as public charities under § 509(a)(1), even where the supported health care provider is not the only recipient of the foundation's support. [13] HHS has concluded that "[t]he term does not include an organization with a general charitable purpose, such as to support research about or to provide treatment for certain diseases, that may give money to a covered entity, because its charitable purpose is not specific to the covered entity." Id. This distinction is critical, but it would generally not affect traditional health care provider foundations. [14]

Fundraising by a Business Associate

If the fundraising entity (a firm or fundraising services provider) is not part of the health care provider or of its institutionally related foundation, it must enter into a business associate contract with the health care provider that meets the regulatory standards before any patient information is released to it. Similarly, an institutionally related foundation should insist on a business associate contract with any consultant it retains if the consultant is given access to patient information. [15] Through this contract, the business associate becomes subject to some of the obligations mandated by the Privacy Rule. The covered entity (i.e., the health care provider) is not itself in violation of the Privacy Rule solely because the business associate fails to comply, but if it learns of a material breach it must take reasonable steps to cure the breach or end the violation and, if those steps are unsuccessful, terminate the contract (or report the problem to HHS if termination is not feasible). HHS provided sample business associate contract provisions when it published the final rule, which can be used as a starting point in preparing any business associate agreement a covered entity may wish to use. [See the sample agreement or visit http://www.hhs.gov/ocr/hipaa/contractprov.htm.]
[12] Unlike the obligations imposed on a business associate, there is no express requirement that the covered entity have a contract with an institutionally related foundation that would impose the privacy regulations on the foundation. However, it would be problematic for a covered entity if an institutionally related foundation failed to comply with the privacy regulations. Therefore, the operating imperative should be that institutionally related foundations comply with the privacy regulations.
[13] The Preamble gives examples of entities that would qualify as institutionally related foundations, including "a nonprofit foundation established for the specific purpose of raising funds for [a] health care provider" and "a foundation that has as its mission the support of the members of a particular health care provider chain that includes the covered health care provider." Such a foundation is an institutionally related foundation of each of the providers named in its charter. Preamble, 45 CFR § 164.514(f).
[14] The American Cancer Society and the United Way, for example, are not institutionally related foundations. Presumably, a foundation dedicated to raising funds to support the children's health care provider of a major teaching health care provider would be.
[15] A business associate contract must "[e]stablish the permitted and required uses and disclosures of [protected health information] by the business associate," § 164.504(e)(2)(i); "[a]uthorize termination of the contract by the covered entity, if the covered entity determines that the business associate has violated a material term of the contract," § 164.504(e)(2)(iii); and require the business associate to comply with the HIPAA requirements.