Although many compliance officials are fretting about some of the new privacy and security provisions that made it into the American Recovery and Reinvestment
Act (ARRA), which contains the HITECH Act, fundraising officials are giving thanks for what was left out.
Fundraising dodged a bullet at the last minute when Congress removed from the final bill a House-approved provision that would have struck fundraising from the
definition of “health care operations,” where it has been since the privacy rule went into effect in 2003.
But Congress made it clear that it wants covered entities (CEs) to give patients a stronger reminder that they can opt out of fundraising communications (a right
already provided under HIPAA), and that if they do, this action must be treated with the same importance as if the opt-out were a revocation of an authorization.
Congress also ordered the secretary of HHS to develop a rule clarifying opt-out language, although it did not give a deadline for when the rule must be issued.
The law states the following regarding fundraising: “Opportunity to Opt Out of Fundraising — The Secretary shall by rule provide that any written fundraising
communication that is a healthcare operation as defined under section 164.501 of title 45, Code of Federal Regulations, shall, in a clear and conspicuous manner, provide an opportunity for the recipient of the communications to elect not to receive any further such communication. When an individual elects not to receive any further such communication, such election shall be treated as a revocation
of authorization under section 164.508 of title 45, Code of Federal Regulations.”
Edward Shay, a partner in the health care practice of the Philadelphia-based Post Schell PC who specializes in HIPAA compliance, says it is unusual for a law to
have such specific implementation details, which are typically left up to rules issued by federal agencies, and that Congress wanted to send a message that CEs need to take the opt-out requirements more seriously.
“It seems to me that this is more enforcement-oriented than policy-oriented,” Shay says, as the new provision essentially repeats requirements in the privacy rule.
“When you write into a statute, ‘There must be clear and conspicuous opt-out language’ that is tantamount to [Congress] saying, ‘We know some of you were using small print,’” Shay adds. “I would suggest to people that they review their current fundraising practices, and to the extent that they don’t conform with what this provision says, think about what sort of changes they need to make.”
Fundraising Already Restricted
Before the privacy rule went into effect, hospitals were able to solicit donations from specific patients who had life-saving cancer treatments or who were brought
back from the brink of death by gifted trauma specialists. Philanthropy experts call these individuals “grateful patients,” and they are historically the highest givers.
But the 2003 rule clamped down on mailing to just cancer or heart or trauma patients, for example, limiting the information that could be used to generate lists of patients to target for bequests to simply demographic data.
Without prior authorization, hospitals and other CEs may use only patients’ demographic information for fundraising activities. Such information includes name, age, address, gender, dates of service and insurance status. HIPAA also requires that a CE’s notice of privacy practices (NPP) contain a provision related to fundraising if the CE undertakes such activities.
The Healthcare Philanthropy Association recommended the inclusion of this language in NPPs to be compliant: “We may use certain information (name, address, telephone number, dates of service, age, and gender) to contact you in the future to raise money for (name of institution). We may also provide this name to our institutionally related foundation only, for the same purpose. The money raised will be used to expand and improve the services and programs we provide the community.”
In addition, the privacy rule that took effect in 2003 states that CEs “must include in any fundraising materials it sends to an individual…a description of how the individual may opt out of receiving any further fundraising communications” and “must make reasonable efforts to ensure that individuals who decide to opt out of receiving future fundraising communications are not sent such communications.”
The new law passed in February clarifies that the opt-out language in all solicitations “shall, in a clear and conspicuous manner, provide an opportunity for the recipient of the communications to elect not to receive any further such communication.” It would make sense for hospitals and other CEs to adopt whatever language HHS comes up with, say Shay and William McGinly, president of the philanthropy association.
McGinly says hospitals should already have systems in place to track opt-outs and to ensure they honor such requests. As penalties for HIPAA violations have
increased, now would be a good time to review all such policies and procedures, the experts say.
Some foundations purchase lists from marketing vendors that can categorize them by ZIP code or household income, but using these can be tricky because they may contain individuals who have already asked to opt out of fundraising campaigns.
Organizations may “merge and purge” their commercial opt-out lists, throwing out names of people who don’t want mailings. Although this isn’t legally required and can be expensive, it can prevent problems, McGinly says.
He adds that patients may authorize a hospital foundation to send disease-specific solicitations to them, such as fundraising materials for a cancer center after they have received oncology services. Here again, patients may “opt out once receiving a written solicitation, or call the development department or foundation. Their request must be honored, and it would cancel the authorization granted earlier by the patient,” he says.
“Additionally, our members must make a good-faith effort not to include these individuals in future solicitations. In other words, the donor can opt out at any point
in the process,” McGinly says.
No Repercussions for Opting Out
In addition, CEs must go beyond the “reasonable efforts” to thwart unwanted solicitations and step this assurance up a notch. ARRA says that CEs must act as if the decision to opt out is akin to revoking an authorization, “which gives patients certain protections,” Shay notes.
Specifically, the privacy rule prohibits CEs from placing any conditions on individuals who withdraw authorizations, and these would now apply to people who opt out of fundraising communications.
Under the privacy rule, CEs cannot “condition… treatment, payment, enrollment in the health plan or eligibility for benefits” on whether there is an authorization. So if an individual opts out from fundraising solicitations, the hospital can’t deny care or in other ways act against that person.
The new rule may provide more guidance on this issue, Shay says. It isn’t clear when HHS will release such a rule because Congress didn’t give it a deadline. But McGinly isn’t expecting it to have much impact.
“On the plus side,” he says, in contrast to how bills are often written, “these will be regulations, and that allows for comment and [ensures the process] is organized
and reasonable.”
He notes that the expected rule on opt-out and the prohibition on retribution for taking such action are considered minor compliance issues compared to what CEs thought they were facing while ARRA was being drafted.
Fears of Future Requirements
Prior to final passage of ARRA, there was a pitched battle between ardent patient privacy advocates and those representing health care providers and employers
about the extent to which the existing protections should be strengthened (RPP 1/09, p. 1).
Some wanted Congress to require an authorization for use of protected health information for all uses other than treatment or payment; that would have meant
any activity that wasn’t in those categories would require authorization, which would have applied to all activities, including fundraising, now termed “healthcare
operations.”
As a compromise, there were moves to strictly limit what qualified as health care operations. Advocates convinced House members to toss the word “fundraising”
out of operations and redefine what sort of marketing activities are considered operations when they approved the bill on Jan. 28.
McGinly’s association and other organizations launched a lobbying effort, saying the Office for Civil Rights had told them that in six years it had received no complaints of privacy violations related to fundraising. The groups were victorious, and the House-Senate conference committee removed the sentence dealing with fundraising but retained the restrictions on marketing.
“We all breathed a huge sigh of relief because it meant we could continue to fundraise as we had,” Lisa Hillman, chief development officer and senior vice
president of the health system that includes 300-bed Anne Arundel Medical Center in Maryland, tells RPP. “But there are many worries, because if that language could get it in there once, it could happen again.”
After the privacy rule went into effect, some hospitals on razor-thin margins likely simply stopped fundraising altogether because they could not justify the increased expense, McGinly says. From tracking patients who opt out to having to use more generic lists, for some the process just became too inefficient to maintain, he says. Nowadays the economic pressures on hospitals are likely to force more to decide whether fundraising pays off, he says.
Ideally, organizations would like to have back the ability to segregate mailings by “place of service,” McGinly says. And that would take an act of Congress.
McGinly adds that the recent battle “wasn’t about fixes. We were just trying to keep what we had.”
But McGinly knows that the tide in Congress, and the nation, is moving forward toward tighter privacy controls on all kinds of information sharing. “We are in a
bigger battle,” he says.
Contact Shay at eshay@postschell.com and McGinly at bill@ahp.org.