HIPAA Times news | Concise, reliable news and insights on HIPAA compliance and regulations

Does HIPAA apply to fundraising?

Written by Kirsten Peremore | Sep 26, 2024 5:27:05 PM

HIPAA applies to fundraising activities if patient data is used in communications meant for acquiring potential donors.

 

How HIPAA applies to fundraising

Fundraising is a necessary part of the development and success of a healthcare organization. For this reason, Section 164.514(f)(1) provides that a covered entity, “...may use, or disclose to a business associate or an institutionally related foundation, the following protected health information to raise funds for its benefit…”

The information that can be shared without authorization includes: 

  • Demographic information
  • Dates of healthcare 
  • Department of service 
  • Treating physician 
  • Outcome information
  • Health insurance status

When using methods like HIPAA compliant email, the provider must also provide a method of opting out of further fundraising outreach. The provider also cannot force patients to receive fundraising emails to access treatment. 

 

Does HIPAA apply to all fundraising communications?

HIPAA does not apply to all fundraising communications. According to AAMC guidance, “The Final Rule provisions apply to the use or disclosure of PHI for fundraising communications. Fundraising communications by a Covered Entity based solely on non-PHI sources of information, such as a purchased mailing list, alumnus or employee information, or direct contact initiated by a potential donor, are not subject to the Final Rule provisions.” Thus, when participating in fundraising activities that do not involve PHI, the requirements below would not apply.

 

Requirements for fundraising emails

  • Only the limited PHI mentioned above can be used. 
  • The organization must include a statement regarding fundraising in its Notice of Privacy Practices. 
  • Patients must have a clear, simple, and cost-effective method to opt out of fundraising communications. 
  • Communications about fundraising that contain PHI must use secure communication like HIPAA compliant email. 
  • Healthcare providers cannot base treatment or payment on whether a patient agrees to receive fundraising communication. 
  • If a patient opts out, all fundraising communication must cease. 

 

Why is HIPAA compliant email the best way to fundraise?

Unlike phone calls or physical mail, email offers the immediate delivery of fundraising communications, making it easy to engage potential donors. This means that organizations can reach a wider audience in a cost-effective and personalized manner. 

Additionally, given the existing requirement for healthcare organizations to use HIPAA compliant communication systems like HIPAA compliant email, the limited PHI in fundraising communications can remain secure throughout transmission and storage.

 

FAQs

What are the authorization requirements according to Section 164.508?

It requires a written statement from the patient that clearly describes the information being disclosed.

 

What is a Notice of Privacy Practices? 

A document informing patients about their rights regarding their PHI and how it may be used or disclosed. 

 

Is an opt-in necessary?

It is beneficial for communications beyond treatment, payment, or operations.