This module is for educational purposes only. It is not designed to provide legal advice or
legal guidance. You should consult with your organization's attorneys if you have
questions or concerns about the relevant laws and regulations discussed in this module.
Introduction
As discussed in the CITI Program’s Basics of Health Privacy module, protections for
health information are required by federal laws and their associated regulations,
principally those that derive from the Health Insurance Portability and
Accountability Act (HIPAA).
This module focuses on the HIPAA privacy rules related to fundraising activities.
https://www.citiprogram.org/members/index.cfm?pageID=125&intStageID=194193#view 1/10
2/5/2020 CITI - Collaborative Institutional Training Initiative
Learning Objectives
Summarize HIPAA’s privacy requirements for individually identifiable health data
that are used for fundraising purposes.
Describe situations where authorizations for fundraising uses are required and
the exceptions to that authorization requirement.
Explain the responsibilities of persons engaged in fundraising activities in relation
to the use of health information.
The regulations require that covered entities obtain prior written authorization for
use or disclosure of PHI for fundraising purposes beyond certain exceptions that are
discussed below. All fundraising communications should have an opt-out, which is
“clear and conspicuous” and generally easy to exercise. Exercise of an opt-out by
someone who has previously authorized a communication is equivalent to a
revocation of that authorization. Covered entities must make reasonable efforts to
ensure that opt-out requests are promptly honored.
The HIPAA regulations do not offer a definition, but according to HHS (2000, 82718)
commentary on the earlier version of the rules, demographic information generally
includes “name, address and other contact information, age, gender, and insurance
status” (the last of these is now an explicitly permitted element). It reasonably
includes phone and email address as part of “contact information.”
Even under the more relaxed rules, information about the specific diagnosis of an
illness or condition, or specific nature of services or treatment provided, would still
require an authorization to be used for fundraising purposes. Granted, one might
deduce likely diagnosis or treatment categories from the involved physicians’
specialties or organizational unit (under the third and fourth categories of exemption
above) and use that to target a fundraising communication. However, the
information about diagnosis and treatment itself, or other elements of a patient’s PHI
record, could only be used directly with authorization.
Characteristics of Authorizations
What is fundraising?
HIPAA's fundraising limitations apply equally to internal uses (solely within the
covered entity, or performed for it by a business associate), as well as those of
institutionally-related foundations that raise funds on the covered entity's behalf.
Disclosures to a third party for the purposes of the third party's fundraising efforts
always require an authorization. There are no exceptions. The authorization should
state if the fundraising arrangement involves any direct or indirect remuneration to
the covered entity from that third party. In all such matters, covered entities are well
advised to be as transparent as possible about their fundraising practices and
objectives.
Summary
Federal regulations under HIPAA require prior authorization for use of PHI for
fundraising -- unless that use is confined to six narrow PHI categories. Planned
fundraising uses of any kind must be included in the organization's privacy notice.
Fundraising communications must always have an opt-out (unless they were
explicitly authorized, but even then it is a good idea to include an opt-out). Be careful
about mixing fundraising with other types of communications, and be aware of
constraints beyond HIPAA that affect fundraising activities.
Acknowledgements
Content for the CITI Program’s Information Privacy and Security (IPS) modules was
originally developed with support from the University of Miami Ethics Programs. It
has benefited greatly from the editorial input of numerous CITI Program staff, and
the feedback of CITI Program learners.
Reference
U.S. Department of Health and Human Services (HHS). 2000. “Standards for
Privacy of Individually Identifiable Health Information; Final Rule.” Federal Register
65(250):82718.
Additional Resources