With the HITECH Act Final Rule’s required revisions to business associate agreements, notices of privacy practices, and breach notification policies, it is easy to miss the Final Rule’s changes to the requirements for the use or disclosure of protected health information (PHI) for fundraising purposes. The new fundraising requirements under HIPAA and the HITECH Act are a mixed bag for covered entities. Some of the changes increase the ability for covered entities to use PHI for fundraising, while other changes impose more restrictions on covered entities.
One of the benefits of the Final Rule for covered entities is the expansion of the types of PHI that can be disclosed to a business associate or institutionally-related foundation for fundraising purposes. This list now includes:
1. Demographic information, including name, address, other contact information, age, gender, and date of birth;
2. Dates of healthcare provided to an individual;
3. Department of service information (e.g., cardiology, oncology, pediatrics, etc.);
4. Treating physician;
5. Outcome information (including death or sub-optimal treatment); and
6. Health insurance status.
Additionally, although a covered entity may not send fundraising communications to patients who have opted out of receiving such communications (as explained below), a covered entity may give patients the opportunity to opt back in to receiving such communications. For example, a covered entity could include, as a part of a routine newsletter sent to all patients, a phone number that patients can call to be put on a fundraising list.
While these changes could be beneficial for covered entities, the Final Rule also has a number of increased requirements relating to fundraising communications, including:
1. Notice of Privacy Practices: The Final Rule requires a covered entity to have an explicit statement in its notice of privacy practices that an individual can opt out of receiving fundraising communications.
2. Opt Out Notice: With each fundraising communication made to a patient, a covered entity must include a “clear and conspicuous” opportunity for the patient to opt out of receiving future fundraising materials. The opt out method must not cause the individual to incur an “undue burden or more than nominal cost”. Examples of valid opt out methods include a toll-free number or the provision of pre-paid, pre-printed postcards. If an individual opts out of fundraising communications, it is a HIPAA violation for a covered entity to send such a communication to the individual in the future (unless the individual later opts back in to receiving fundraising communications).
3. Conditioning Payment or Treatment: The Final Rule makes it clear that covered entities may not condition treatment or payment on a patient’s decision to receive fundraising communications.
Please contact Casey Moriarty if you have any questions about the use of PHI for fundraising purposes under the HITECH Act Final Rule.