Because there are so many rules and regulations when it comes to patient data, it’s crucial that you plan intentionally and have a secure system in place for managing it. The last thing you want to do is violate a patient’s privacy.
Make sure you use HIPAA-compliant software and invite your compliance officer to weigh in right from the start. It is recommended that any new data extraction from an EHR for fundraising purposes be reviewed and approved by the entity’s Compliance or Privacy Office.
Conversations with individuals (including patients) about possible "areas of giving interest" are permissible without an authorization, provided that their medical information is not used for a fundraising purpose.
For example, a development officer may speak with a grateful patient to explore areas of giving interest (e.g., support for the new hospital, for technology, for research, or for general departments of care), as long as only Limited Protected Health Information (PHI) is used. Diagnosis and other PHI cannot be used for fundraising, absent written patient authorization.
Limited PHI for Fundraising Purposes
Federal and state laws permit limited PHI to be used for fundraising purposes with appropriate notice in the Notice of Privacy Practices, but without patient authorization.
[§164.514(f)(1) A covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following PHI for the purpose of raising funds for its own benefit, without authorization.]
The PHI must be the minimum necessary for the specific purpose. The “minimum necessary” standard of HIPAA applies to using these data elements for fundraising.
Allowable PHI
Six categories of patient health information may be disclosed or used for fundraising purposes without a patient’s written authorization:
Patient demographic data
Name
Address and other contact information
Age or date of birth
Gender
Occupation
Education Level
Health insurance status
Dates of patient health care services
Indication of the appointments inpatient/outpatient status
General department of service information
Location of service: emergency department, clinic, outpatient, etc.
Department of service: cardiology, pediatrics, general medicine, etc.
Treating physician name
Outcome information (including death or sub-optimal treatment - used to screen)
The entity should not document treatment, diagnosis, or information other than Limited PHI without a patient authorization.
For example, Jane Doe self-identifies an interest in giving in the area of breast cancer, and mentions her personal experience with the disease (for which she may have received treatment anywhere) to development staff. Development staff should document that Ms. Doe expressed an interest in giving in the area of breast cancer treatment and research, or that she said she may want to support breast cancer work at the entity.
Opt-Outs
Patients have the right to opt-out, and health care providers legally must include a provision in all fundraising communications indicating that the patient has the right to opt-out of future solicitations. The opt-out must:
Be a clear and conspicuous part of the materials sent to the patient.
Describe how PHI may be used.
Be written in clear, plain language.
Contain a simple, not unduly burdensome means to opt out from receiving further fundraising communications (a specific email address would suffice).
The patient may elect to opt-out of campaign-specific or all future fundraising communications. The opt-out does not lapse. If a patient who has opted out makes a donation, this does not serve to automatically add the individual back into the list for fundraising communications. The patient must explicitly elect to opt back in.
Resources
Note that this advice does not replace that above a legal or compliance export, or your organization’s interpretations of HIPAA.
Comments