Any grateful patient fundraising program is based on one key thing data: PI (Personal Information) and PHI (Protected Health Information) received from an EHR.  A challenge is that using patient information is complicated and comes with intense, but critically important, oversight.  Not only do you need to maintain tight security on how the data is moved, you also have to be scrupulously diligent on how it’s stored and who has access. Hygiene standards are critical to maintaining best practice.

With the legalities defined by HIPAA, it’s not surprising that organizations are specific when it comes to approving the use of PI and/or PHI for fundraising purposes.  Generally, HIPAA approves the following information for fundraiser’s use:

1. Patient demographic data 

   1. Name

   2. Address and other contact information

   3. Age or date of birth

   4. Gender

   5. Occupation

   6. Education Level

2. Health insurance status 

3. Dates of patient health care services  

   1. Indication of the appointments inpatient/outpatient status

4. General department of service information 

   1. Location of service: emergency department, clinic, outpatient, etc.

   2. Department of service: cardiology, pediatrics, general medicine, etc.

5. Treating physician name

It’s important to note that there is a difference between identified PHI and de-identified PHI.  A set of data that’s identifiable includes basic demographic information attached to patient information, essentially making health information available to see.  

A set that is de-identifiable would be health data that doesn’t link to any personal information like demographics to connect to the individual, masking someone’s identity.  The visit information can be used to calculate summarized data without compromising patient security. 

Now, what are the important factors to consider in maintaining the health and safety of the PHI you receive?

Storing Data

• Minimum necessary: Keep the least amount of identifiable PHI.  If there are details of visits or patients you don’t use, then don’t get or store it

• Limit access: Utilize functionality of your system, where possible, to limit the types of PHI users can see.

• Mask the data: In some cases, it might be necessary to create coding that can only be interpreted by the end-users, so if there were to be a data breach, the information would be encoded.  An example of this might be to title a Patient Visit action as - ENC - or something with a standard length that can be reported on more easily.

Data Security

• Train staff: Hold regular HIPAA trainings with users and incorporate ways to communicate about HIPAA rules and best practices throughout your work.

• Access audits:  Keep track of who has access to the PHI.  When staff leave the organization, ensure to remove their access immediately.

• Audit trail: Define everywhere you keep your PHI (i.e. CRM, spreadsheets, 3rd party wealth screening software). Combine this with who has access to create a trail of all security standards and vulnerabilities.  Communicate this with IT and compliance staff.

• Data breach plan: Even with organizations taking every security precaution to protect against data breaches, hacks are a common occurrence. Create a plan with your IT, Compliance, Fundraising and Communications teams to draft a plan on what you need to do and who you need to inform.  There are timelines and standards that dictate minimum standards.

• Remove old PHI: Regularly review PHI and remove anything outdated (i.e. no visits in the last 5 years) or incorrect.  The less PHI you keep, the better. 

It’s incumbent upon fundraisers who are entrusted with patient data to not only use it legally, but to handle it with the utmost care.  It’s every bit as important as keeping patient data safe in health systems, but sometimes more vulnerable.  Take care to put in safeguards that protect the data and your organization.