HIPS Series > Privacy Issues for Fundraisers > Quiz + Answers

•  •  •  •  •

1. At Better Samaritan Hospital, physicians have an informal practice of notifying the Development Office of particularly "grateful" patients, sometimes when those patients are still in the hospital. This allows the Development Office to establish contact to discuss donation options right way.

A. It is not a HIPAA violation to get to patients as soon as possible, when their "gratitude" is still at a high level, if you are reasonably sure they are mentally competent and interested in making a donation.

B. It is not a HIPAA violation if the Development Office learns about the diagnosis or treatment with the patient's oral agreement to allow such a use or disclosure.

C. It is not a HIPAA violation if the patient provides a written authorization for the use or disclosure of protected health information for fundraising.

D. HIPAA allows each institution to decide on the appropriate procedures for their internal uses, though external disclosures require authorization.

C is correct. Written authorization is required, even in the face of clear oral expressions of gratitude. Institutions do not get to decide for themselves.

2. Like many hospitals, Better Samaritan has a VIP program for its big donors -- and for persons considered likely prospects for future large donations. As part of that program, the Development Office monitors the hospitals' computerized scheduling system, flagging VIPs' upcoming appointments. Development provides an "escort" to make sure each VIP gets seen without a wait, by the hospitals' best clinicians.

A. It can't be illegal to try to secure the best care for your big donors, and this sort of program only benefits them.

B. HIPAA rules allow use or disclosure of dates of service, so this kind of information use would be permitted without an authorization.

C. Access to the appointments schedule tells the Development Office about patients' treatments (and possibly diagnoses too), so it requires written authorization.

D. HIPAA allows each institution to decide on the appropriate procedures for such internal uses, though external disclosures require authorization.

C is again correct. Written authorization is required, even to "benefit" the patient. The dates of service exemption is for past services. Institutions do not get to decide for themselves.

•  •  •  •  •

3. Friends of Better Samaritan Foundation (FBSF) is the hospital's affiliated non-profit fundraising organization. The Development Office regularly sends over lists of VIP patients to FBSF. Since this is an "internal" transfer, what kinds of protected health

A. No information of any kind can be sent without an authorization.

B. Development can send basic demographic information and dates of past service, just as it would for a business associate doing fundraising on their behalf.

C. Since it is an "internal" transfer, FBSF can receive some basic information about diagnoses and treatments, but no more than that.

D. There are no limits on transfers to an affiliated foundation, because it is an "internal" transfer.

B is correct. Whether to an "internal" fundraiser or a business associate doing fundraising on the institution's behalf, only demographic information and dates of past service can be sent without a written authorization.

•  •  •  •  •

4. Better Samaritan is planning a capital campaign, focusing on raising funds for its two new specialty clinics for cancer and heart disease. It wants to target a mailing to patients who have been seen in its facility for those conditions in the last five years.

A. It is permissible to target the hospital's former cancer and heart patients as long as the fundraising communication includes an "opt out" from future mailings.

B. It is permissible to target former cancer and heart patients, but by using the patient lists of physicians in those specialties rather than the hospital's patient lists, as long as there is an opt out.

C. It is a HIPAA violation to do a targeted mailing unless the hospital has a written authorization for such a fundraising use. Absent an authorization, the only alternative is a general mailing to all patients.

D. HIPAA allows each institution to decide on the appropriate procedures for their internal uses of this kind, though external disclosures require authorization.

C is correct. Any targeting by diagnosis requires use of information beyond "basic demographics" and so requires a written authorization. We hope you're still not tempted by the "each institution can decide for themselves" option.

•  •  •  •  •

5. Better Samaritan's Marketing Department is interested in filling the beds of those specialty clinics with paying patients. It wants to join forces with the Development Office and send marketing materials along with the fundraising literature. Is this OK?

A. Why not. It'll save on postage if the target audience is the same.

B. It may be OK, depending on what information was used to target the information; separate authorizations might be required.

C. It is OK as long as there are separate opt-outs for future marketing and fundraising mailings.

D. This sort of mixing is expressly prohibited by HIPAA.

B is correct. While HIPAA does not ban "mixed" communications, it treats fundraising and marketing as separate activites, and a mixed communication will be subject to the more restrictive rules. An opt-out may be necessary (for marketing); but having an opt-out doesn't, by itself, mean everything is ok.