What are the HIPAA Rules on Fundraising?

Modified on Mon, 11 Dec 2023 at 12:19 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.  



The HIPAA Privacy Rule regulates fundraising communications made by a covered entity. This article discusses these regulations.

A “fundraising communication” is a “communication to an individual by a covered entity (or the entity’s business associate or institutionally related foundation) for the purposes of raising funds for the covered entity. Fundraising communications include, but are not limited to, solicitations for donations or gifts, sponsorship of events, and communications for events or activities held to raise funds for the covered entity.”

Fundraising activities are typically conducted by hospitals (including not-for-profit and charitable hospitals) and larger medical facilities that rely in part or in whole on donor contributions for financial support. If a covered entity intends to engage in fundraising activities, it must include certain language about fundraising in its Notice of Privacy Practices. This language must state that (1) the covered entity may contact patients to raise funds for the covered entity; and (2) patients have the right to opt out of receiving such communications.


What PHI May a Covered Entity Use or Disclose?
A covered entity, when fundraising for its own benefit, may use or disclose, without written individual authorization, the following PHI to a business associate or to an institutionally related foundation (such as a nonprofit charitable foundation):

1. Demographic information related to an individual including name, contact information, gender, date of birth, and age;

2. Dates of health care provided to an individual;

3. The department (if any) where services were received;

4. The name of the treating physician;

5. Outcome information; and

6. Health insurance status.


What Opt-Out Measures Must a Covered Entity Take?
Any fundraising communication that a covered entity sends to an individual must describe how the individual may opt out of receiving any further fundraising communications, and must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for opting out may not cause the individual to incur an undue burden or more than a nominal cost.

What are the Rules When an Individual Opts Out?
If an individual elects to opt out, the covered entity may not make additional fundraising communications to the individual. The covered entity may provide an individual with a means to opt back in to fundraising communications at the individual’s request.

Additional measures include:


If an individual has given written authorization to receive fundraising communications, that individual has the right to revoke the authorization and may do so in writing.


The covered entity's fundraising department, institutionally related foundation, or business associate should maintain a log of all individuals and others who have either revoked a fundraising authorization or opted out of receiving future fundraising communications.
