What patient information is available to hospital development departments and support foundations for fundraising?
HIPAA Weekly Advisor, January 24, 2003
Q: Can you clarify what patient information is available to hospital development departments and support foundations for fundraising purposes? Is the demographic data limited to ZIP code? Can the hospital continue to use mailing lists that include former patients? Must we send out our privacy notice in that case?
A: Under certain limited conditions fundraising is treated as a special exception to the requirement for patient authorization as follows:
When the hospital or its business associate or fundraising foundation is doing the fundraising, PHI may be used and disclosed without authorization if it is limited to demographic data (not just ZIP code) and dates of service and there is an opt-out statement in the communication. That means the letter must include information explaining how patients can request that they not receive further fundraising communications from your organization. The statement can be as simple as, "If you prefer not to receive fundraising letters from us, please let us know by contacting our privacy officer at .." Your organization must have procedures in place to comply with these opt-out requests.
This opt-out notice within the communication is specific to fundraising and is not the same as the hospital's privacy notice. However, simply sending a fundraising letter does not require distribution of the privacy notice since it is not an instance of providing care to a patient.
If your development department maintains a mailing list derived from previous donors, that list should be "patient-blind." It must not indicate whether the donor is or was a patient to be considered non-PHI and not subject to HIPAA.
If information in a mailing list was not obtained as a result of a patient seeking care, it is not PHI and its use is outside the scope of the privacy rule. The same is true of marketing lists purchased from third parties. HIPAA does not prohibit or restrict fundraising and marketing when there is no PHI involved.
Editor's note: Answered by Kate Borten, CISSP, president of The Marblehead Group, in Marblehead, MA, and excerpted from the February 2003 issue of Briefings on HIPAA. This is not legal advice. Be sure to consult with your facility's legal counsel for legal matters.