HIPS Series > Privacy Issues for Fundraisers
How to take this course
Hyperlinks
to supplemental content are provided, should you wish
to read more about a particular topic. This
extra material is optional. It is not covered on
the associated course quiz. The supplemental content
will usually be presented in a new browser window, which you
may close at any time.
For the recommended reading sequence for these materials,
see the HIPS Series Overview.
Approximate reading time for this course is 11 minutes (exclusive
of linked content). The quiz for this course is here.
1. Why are you, as a fundraiser, here?
We know your time is valuable. We want you to understand
why you have been directed to spend time on these additional
privacy-related materials.
As discussed at length in the introductory
privacy course, protections for health information are
required by Federal laws, such as HIPAA.
Every state also has its own
requirements. So do private certification organizations,
such as JCAHO.
If you have access to health information, it is required
that you know how to protect it. And if you use health
information for fundraising, you need to know the specific
legal limitations that apply to that activity.
2. Authorizations for fundraising
Federal regulations (under HIPAA) generally require that covered
entities obtain prior written authorization for use or disclosure
of protected health information (PHI) for fundraising purposes.
For marketing, the exceptions to the authorization requirement
are many and complex. For fundraising, there are only
two kinds of data that may be used without an authorization:
- basic demographic information about an individual, and
- dates of health care provided to that individual.
3. What is basic demographic information?
The HIPAA regulations don't offer a definition, but according
to the US Department of Health and Human Services (DHHS) commentary,
demographic information "generally includes name, address
and other contact information, age, gender and insurance status."
It specifically excludes "any information about the illness
or treatment" including any information about "diagnosis or
nature of service." In the DHHS view, any "broad[er]
access to health information is unnecessary for fundraising
and unnecessarily intrudes on the privacy of the patient."
4. What about those service dates?
The other exemption of the pair, for dates of service provided,
applies solely to past encounters.
You cannot use information deriving from scheduled appointments
(that's future service), nor that related to services currently
being provided.
As regards the last of these, it has been the practice
in some organizations to reach out to particularly grateful
patients when they are still in a facility. That's permitted,
but only with an authorization.
Given the vulnerability of persons still sick enough to be
in a care facility, such contacts should be made with considerable
circumspection. However legal it may be, the ethics
of the practice are highly questionable.
5. What is fundraising?
You might be wondering how the HIPAA regulations define fundraising
itself. They don't. One is left with dictionary
definitions and DHHS commentary that it is activity "for the
specific purpose of raising funds" for the institution, rather
than a "general charitable purpose." 
Obviously any "fundraising" activity shouldn't look to a
reasonable person like a back-door means of selling a covered
entity's services. That would be marketing.
Some states' statutes do address fundraising by health care
organizations, and more specifically than HIPAA's regulations.
But not all. For now, where the state statutory guidance
is unclear, it is assumed that the federal regulations control
the issue.
It is essential to determine if a state-level requirement,
stricter than the federal one, exists where your
organization operates.
6. Internal uses, external disclosures
HIPAA's fundraising limitations apply equally to internal
uses (solely within the covered entity) and to "external"
disclosures to business associates or institutionally-related
foundations that are being used to raise funds on the covered
entity's behalf.
Note that "institutionally-related foundations" are those
that have an "explicit linkage" to the covered entity.
"The term does not include an organization with a general
charitable purpose, such as to support research about or to
provide treatment for certain diseases," DHHS notes, even
if some of its resources may be given to the covered entity.
Such an organization would have to be treated as a "third
party."
7. Disclosures to benefit third parties
Disclosures to a third party for the purposes of the third
party's fundraising efforts always require a specific
authorization from the patient. There are no exceptions.
If the fundraising arrangement involves any direct or indirect
remuneration to the covered entity from that third party,
the authorization should so state.
In all such matters, covered entities are well advised to
be as transparent as possible about their fundraising practices
and objectives.
8. Characteristics of authorizations
When the circumstances require them, authorizations must
be executed in writing -- oral agreement is not sufficient --
"in plain language so that individuals can understand the
information contained in the form, and thus be able to make
an informed decision."
The authorization must include a specific description of
the purposes of the disclosure, and a specific expiration
date. It is not permissible to ask for generalized,
open-ended authorizations for a range of unspecified future
fundraising disclosures.
(Authorizations have many other format and content requirements.
Read about them here.)
9. Mixing marketing and fundraising
It has been common to mix marketing and fundraising communications --
for example, to include solicitations for donations in a targeted
newsletter that otherwise contains information qualifying
as "not marketing" under the exemptions for that activity.
Communications that mix types of information are subject
to the most restrictive rules -- so it may not make sense
to mix, even if you save considerably on production and postage.
(For more information on marketing limitations, see the Privacy
Issues for Marketers course.)
10. Notices and Opt-outs
An entity that wishes to engage in fundraising activities
of any kind -- including efforts that just use the two
kinds of exempted information -- must include that planned
activity in its privacy notice.
All fundraising communications must include a description
of how the individual may opt out of receiving additional
messages or materials.
(Strictly speaking, communications that the patient has explicitly
permitted with an authorization don't need an opt-out, but
it is usually a good idea to include one anyway.)
Covered entities must make reasonable efforts to ensure that
opt-out requests are promptly honored.
11. If you remember nothing else
Here are the key points:
(1) Federal regulations require prior authorization for use
of health information for fundraising -- unless that
use is confined to demographic information and dates of past
service.
(2) Planned fundraising uses of any kind must be included
in the organization's privacy notice.
(3) Fundraising communications must always have an opt-out
(unless they were explicitly authorized).
(4) Be careful about mixing fundraising with other types
of communications.