2/5/2020 CITI - Collaborative Institutional Training Initiative

Health Privacy Issues for Fundraisers


Universidad de Antioquia - Researchers - IPS

Content Author

Reid Cushman, PhD


CITI Program

This module is for educational purposes only. It is not designed to provide legal advice or
legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this module.

Introduction

As discussed in the CITI Program’s Basics of Health Privacy module, protections for
health information are required by federal laws and their associated regulations,
principally those that derive from the Health Insurance Portability and
Accountability Act (HIPAA).

This module focuses on the HIPAA privacy rules related to fundraising activities.

Learning Objectives

By the end of this module, you should be able to:

Summarize HIPAA’s privacy requirements for individually identifiable health data
that are used for fundraising purposes.

Describe situations where authorizations for fundraising uses are required and
the exceptions to that authorization requirement.

Explain the responsibilities of persons engaged in fundraising activities in relation
to the use of health information.

Notice, Authorization, and Opt-Out

Under HIPAA regulations, a covered entity is generally required to indicate in its
privacy notice that fundraising is a planned function and that patient information
may be used for this purpose. This requirement is the same for activities other than
fundraising that involve protected health information (PHI). The notice should
indicate the kinds of fundraising that may be done with and without authorization,
and must also indicate that a patient has the right to opt-out of any fundraising
communications.

The regulations require that covered entities obtain prior written authorization for
use or disclosure of PHI for fundraising purposes beyond certain exceptions that are
discussed below. All fundraising communications should have an opt-out, which is
“clear and conspicuous” and generally easy to exercise. Exercise of an opt-out by
someone who has previously authorized a communication is equivalent to a
revocation of that authorization. Covered entities must make reasonable efforts to
ensure that opt-out requests are promptly honored.

Authorization and Exceptions

There are exceptions to the authorization requirement. Previously, HIPAA provided
only two categories of information exempt from the authorization requirement (basic
demographic information and date(s) on which healthcare services were provided).
However, it is now easier for covered entities to target their fundraising
communications, as Health Information Technology for Economic and Clinical Health
(HITECH) amendments to HIPAA allow for six categories of exempt information:

The HIPAA regulations do not offer a definition, but according to HHS (2000, 82718)
commentary on the earlier version of the rules, demographic information generally
includes “name, address and other contact information, age, gender, and insurance
status” (the last of these is now an explicitly permitted element). It reasonably
includes phone and email address as part of “contact information.”

Even under the more relaxed rules, information about the specific diagnosis of an
illness or condition, or specific nature of services or treatment provided, would still
require an authorization to be used for fundraising purposes. Granted, one might
deduce likely diagnosis or treatment categories from the involved physicians’
specialties or organizational unit (under the third and fourth categories of exemption
above) and use that to target a fundraising communication. However, the
information about diagnosis and treatment itself, or other elements of a patient’s PHI
record, could only be used directly with authorization.

PHI category exemptions apply to past encounters. It is generally not permitted to
use (without authorization) information derived from scheduled appointments
(future services), nor information related to services currently being provided. Some
organizations reach out to particularly grateful patients even when they are still in a
facility. This type of activity is generally permitted with an authorization. Given the
vulnerability of persons still sick enough to be in a care facility, such contacts should
be made with considerable circumspection.

Characteristics of Authorizations

When the circumstances require them, authorizations must:

It is generally not permissible to ask for broad, open-ended authorizations for a
range of unspecified future fundraising disclosures, as this violates the “specificity”
requirement. Authorizations have many other format and content requirements, and
it is strongly advised to use an organization’s approved standard forms when one is
needed.

What is fundraising?

HIPAA regulations do not explicitly define fundraising itself as they do terms like
“marketing” or “treatment.” (See definitions of these at 45 CFR 164.501.) However,
based on earlier HHS commentary (2000, 82546), it can be considered to include
activities “for the specific purpose of raising funds” for the organization, rather than a
general charitable purpose.

Obviously, any fundraising activity should not be a means of selling products or
services, as that would be marketing. Many state statutes do address fundraising,
including by healthcare organizations, and may do so more specifically than HIPAA's
regulations. It is essential to determine (consult with organizational authorities) if a
state-level requirement, stricter than the federal one, exists.

Internal Versus External Uses

HIPAA's fundraising limitations apply equally to internal uses (solely within the
covered entity, or performed for it by a business associate), as well as those of
institutionally-related foundations that raise funds on the covered entity's behalf.

Institutionally-related foundations are those that have an "explicit linkage" to the
covered entity. HHS commentary has noted that explicit linkage does not include an
organization with a general charitable purpose (such as to support research about or
provide treatment for certain diseases) even if some of its resources may be given to
the covered entity. Such an organization would have to be treated as a "third party."

Disclosures to a third party for the purposes of the third party's fundraising efforts
always require an authorization. There are no exceptions. The authorization should
state if the fundraising arrangement involves any direct or indirect remuneration to
the covered entity from that third party. In all such matters, covered entities are well
advised to be as transparent as possible about their fundraising practices and
objectives.

Whether internal or external, if a covered entity uses any outside organization to
support its fundraising activities an appropriate business associate agreement must
be in place.

Mixing Marketing and Fundraising

Before HIPAA, it had been common to mix marketing and fundraising
communications -- for example, to include solicitations for donations in a targeted
newsletter that otherwise contained information aiming at promoting an
organization’s healthcare services. Under HIPAA, communications that mix types of
information are subject to those of the most restrictive category. Therefore, it may
not make sense to mix, even if there are savings on production. Mixing also
potentially complicates the issue of managing opt-outs by category of information
use.

Summary

Federal regulations under HIPAA require prior authorization for use of PHI for
fundraising -- unless that use is confined to six narrow PHI categories. Planned
fundraising uses of any kind must be included in the organization's privacy notice.
Fundraising communications must always have an opt-out (unless they were
explicitly authorized, but even then it is a good idea to include an opt-out). Be careful
about mixing fundraising with other types of communications, and be aware of
constraints beyond HIPAA that affect fundraising activities.

Acknowledgements

Content for the CITI Program’s Information Privacy and Security (IPS) modules was
originally developed with support from the University of Miami Ethics Programs. It
has benefited greatly from the editorial input of numerous CITI Program staff, and
the feedback of CITI Program learners.

Reference

U.S. Department of Health and Human Services (HHS). 2000. “Standards for
Privacy of Individually Identifiable Health Information; Final Rule.” Federal Register
65(250):82718.

Additional Resources

Association of American Medical Colleges (AAMC). 2014. “When Federal Privacy
Rules and Fundraising Desires Meet: An Advisory on the Use of Protected
Health Information in Fundraising Communications.” Accessed January 4, 2017.

U.S. Department of Health and Human Services (HHS). 2013a. “Combined
Regulation Text of All Rules.” Accessed January 4, 2017.

U.S. Department of Health and Human Services (HHS). 2013b. “Modifications to
the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under
the Health Information Technology for Economic and Clinical Health Act and
the Genetic Information Nondiscrimination Act; Other Modifications to the
HIPAA Rules; Final Rule.” Federal Register 78(17):5566-702.

Original Release: May 2006


Last Update: December 2017
