fundraising (HIPAA)

For fundraising purposes, HIPAA permits covered entities to themselves use -- or disclose to a business associate or institution-related foundation -- only two types of protected health information (PHI) without specific permission:

- basic demographic information relating to an individual, and
- dates of health care provided to an individual.

Use of any other kind of PHI for fundraising requires that an individual opt in via a specific authorization.

The regulations themselves do not specify what constitutes demographic information, but DHHS has indicated that it "generally include[s] in this context name, address and other contact information, age, gender and insurance status." It specifically excludes "any information about the illness or treatment" including any information about "diagnosis [or] nature of services."

DHHS has also been clear that the limitations apply to internal uses (solely within the covered entity) as well as "external" disclosures to business associates or institutionally related foundations. "Broad access to [PHI] is unnecessary for fundraising and unnecessarily intrudes on the privacy of the patient."

An entity that wishes to engage in fundraising activities of any kind -- including just using the two types of information above -- must include that planned information use in its Notice of Privacy Practices.

Note that while fundraising is now included in the list of definitions for healthcare operations, it does not receive the blanket waiver afforded to most items in that category. Only the two kinds of information above may be used or disclosed for fundraising, absent authorization.

All fundraising communications must include a description of how the individual may opt out of receiving additional messages or materials. Covered entities must make reasonable efforts to ensure that such opt-out requests are promptly honored.

Unlike with marketing, HIPAA regulations offer no explicit definition of fundraising. One is left with commonsense dictionary definitions, and the DHHS's commentary that it is activity "for the specific purpose of raising funds" for the institution, rather than a general charitable purpose. Obviously, it shouldn't look to a reasonable person like a backdoor means of selling a covered entity's services (that would be marketing).

Note that "institutionally related foundation" is defined as one qualified under the tax code (e.g., 501(c)(3)) that has an "explicit linkage" to the covered entity, or to a group of organizations of which the covered entity is one. "The term does not include an organization with a general charitable purpose, such as to support research about or to provide treatment for certain diseases" even if some of its resources may be given to the covered entity.

The provision for institutionally-related foundations was included because of tax code provisions that may not allow such foundations to be considered business associates. Note that the tax status of the covered entity -- viz., for-profit vs. not-for-profit -- does not affect the application of any of these rules.

Last modified: 14-May-2005 [RC]