Health Information Management

Q&A: Contacting patients by mail

HIM-HIPAA Insider, August 31, 2009

Q. Our facility is taking steps to implement a “Grateful Patient Program” to help raise money. What measures must we take when contacting patients by mail to ensure that we stay within HIPAA guidelines?

A
. Covered entities may use or disclose limited PHI to a business associate or institutionally related foundation for fundraising. Patient authorization is not required to use PHI for fundraising, but covered entities must tell patients about this use in their Notice of Privacy Practices. Covered entities may use or disclose the following PHI for fundraising without patient authorization:

  • Demographic information relating to an individual, such as name, address, telephone number, and date of birth
  • Dates of healthcare provided to an individual

Covered entities are not permitted to use diagnostic information to target their fundraising appeals to certain groups. For example, you may not use PHI to determine which individuals have been treated for breast cancer in the past five years when you send a special appeal to raise money for a new breast cancer treatment center.

Editor’s note: Mary D. Brandt, MBA, RHIA, CHE, CHPS, answered this question. This is not legal advice. Consult your attorney regarding legal matters.

Most Popular