The HIPAA Privacy Rule: What Fundraisers Need to Know
Friday, September 11, 2015
By Cedric A. Richner III, Founder and Principal, and Jill Schrems Penate, Client Relations Assistant, Richner & Richner
A wealthy corporate executive underwent a life-saving procedure at the hospital where you work as a major gift officer… The heir to the great soap company fortune just moved into the retirement community where you are the director of development… You recognize a successful local entrepreneur exiting the examination room at the clinic where you are executive director…
All of these situations represent a potential bonanza for fundraisers who would like to leverage the “grateful patient” dynamic for fundraising gain, right? Maybe. Besides the obvious importance of exercising good judgement and discretion, there are laws protecting patients’ right to privacy.
Fundraisers need to be aware of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
HIPAA aims to protect the confidentiality and security of healthcare information. The Privacy Rule component of the law establishes national standards to protect individuals’ medical records and other personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization, including uses for fundraising. Updated HIPAA regulations released in 2013 clarify the rules fundraisers must follow to comply with the statute, and it is important for fundraisers to revisit these modifications to ensure proper adherence.
What Information is Available to Fundraisers?
Since 2013, health care providers, including certain kinds of retirement communities, have had a greater ability to use protected health information (“PHI”) for fundraising purposes. Health care organizations now have opportunities to target their fundraising based on the nature of the services a patient received or the identity of his or her physician. They may also further engage physicians in the process of making personal appeals to patients.
Health care organizations may use the following PHI without a patient’s authorization for fundraising purposes:
- Patient demographic data (name, address, phone/email, date of birth, age, gender, etc.)
- Health insurance status
- Dates of patient services
- General type of department in which a patient is serviced
- Treating physician information
- Outcome information
PHI requiring written patient authorization prior to fundraising use may include:
- Nature of services
How Does the Rule Apply to Supporting Foundations?
If fundraising activity is conducted by an institutionally-related foundation, a business associate agreement (“BAA”) with its health care provider for the use of patient information is not required due to its explicit supporting relationship. Retained consultants or other external fundraising vendors who will be given access to patient information must have a BAA with the health care provider (not the foundation) on file.
What Notification Practices Must Organizations Follow?
Prior to using allowed PHI for fundraising purposes, a HIPAA-covered entity’s Notice of Privacy Practices must state that the patient may be contacted for fundraising efforts and that the patient has the right to opt out of receiving any fundraising communications. This Notice must be provided to the patient in advance of receiving care.
Patients have the right to opt out, and health care providers and supporting foundations legally must include a provision in all fundraising communications (including telephone and face-to-face solicitations) indicating that the patient has the right to opt out of future solicitations. The opt-out must:
- Be a clear and conspicuous part of the materials sent to the patient.
- Describe how PHI may be used.
- Be written in clear, plain language.
- Contain a simple, not unduly burdensome means to opt out from receiving further fundraising communications.
The patient may elect to opt out of campaign-specific or all future fundraising communications. The opt-out does not lapse. If a patient who has opted out makes a donation, this does not serve to automatically add the individual back into the list for fundraising communications. The patient must explicitly elect to opt back in.
Where Do I Find More Information?
Non-profit organizations fundraising in direct or allied health care settings are wise to consult qualified legal counsel regarding how HIPAA may or may not affect a specific situation.
For more information about HIPAA and its applicability, refer to the Association for Healthcare Philanthropy or the Department of Health and Human Services. For sample policy language that fundraising operations can adapt for their use, contact Jill Penate at Jill@RichnerRichner.com.