
Can PHI be used for fundraising?

HIPAA's Privacy Rule allows the use of PHI for fundraising purposes, but there are regulations and guidelines that healthcare organizations must adhere to.

The Association of American Medical Colleges (AAMC) says, "If a Covered Entity's Notice of Privacy Practices provides that the entity may contact the patient for fundraising and the patient has a right to opt-out of fundraising communications, then Permitted Fundraising PHI may be used for fundraising communications."

 

How is fundraising defined?

According to the AAMC, fundraising is "A communication by or on behalf of a Covered Entity for the purpose of raising funds for a Covered Entity, including, donations, appeals, or sponsorship of events, but not royalties or remittances for sale of products."

Fundraising activities may include:

  • Solicitations: This can involve sending letters, emails, or phone calls to patients, former patients, or their families to request donations or contributions to support the healthcare organization's mission or specific projects.
  • Events: Healthcare organizations may host events, such as galas, auctions, or charity runs, to raise funds. These events might involve the collection of funds or donor information.
  • Grant applications: Hospitals and healthcare institutions might use patient data when applying for grants or donations from government agencies, foundations, or philanthropic organizations.

HIPAA's Privacy Rule sets regulations and guidelines for covered entities to follow when using protected health information (PHI) in fundraising efforts.

Learn more: HIPAA compliant email marketing: What you need to know

 

Fundraising communication

Healthcare organizations can adopt an opt-out strategy for fundraising emails, even though HIPAA generally requires that all marketing communications be opt-in. HIPAA recognizes an exception that allows fundraising emails based on a patient's condition or current course of treatment to be sent without permission.

Related: Do you need opt-in for fundraising emails?

 

Regulations and guidelines related to the use of PHI for fundraising

  • Patient authorization: Even though not required, hospitals should obtain consent from patients before using their PHI for fundraising purposes.
  • Notice of privacy practices: Hospitals must provide patients with a notice of privacy practices (NPP) that explains their policies and procedures for using and disclosing PHI, including fundraising activities.
  • Opt-out option: Hospitals must offer patients an opportunity to opt out of receiving fundraising communications without penalty.
  • Transparency: Hospitals should inform patients about their fundraising practices and how their PHI might be used. This information should be included in the Notice of Privacy Practices.
  • Right to restrict: Patients have the right to restrict the use of their PHI for fundraising. 
  • Data security: Hospitals must maintain the security and confidentiality of patient information used for fundraising to protect against unauthorized disclosures.

See also: Why HIPAA compliance requires opt-out mechanisms
