Did you know you could use PHI for fundraising?
The Department of Health and Human Services considers fundraising part of healthcare operations.
The Association of American Medical Colleges (AAMC) says, "If a Covered Entity's Notice of Privacy Practices provides that the entity may contact the patient for fundraising and the patient has a right to opt-out of fundraising communications, then Permitted Fundraising PHI may be used for fundraising communications."
Is authorization needed for fundraising emails?
No, authorization is not needed for fundraising emails, but it's still a best practice to ask for consent.
The Minnesota Supreme Court recently ruled that healthcare entities can utilize patient data for fundraising without explicit consent, citing an exemption under HIPAA, which allows such use. The MN court ruled that HIPAA preempted (i.e., overruled) state privacy laws that might have disallowed the use of PHI without explicit consent.
All the same, The American Medical Association's Code of Ethics states, "Obtain permission from the patient before releasing information for purposes of fundraising when the nature of the physician's practice could make it possible to identify the medical services provided or the patient's diagnosis."
That's the right thing to do - just because you can, doesn't mean you should. We recommend getting authorization from patients to send fundraising emails that may include their PHI.
Fundraising emails are allowed under HIPAA
Interestingly enough, fundraising falls under HIPAA's Permitted Uses and Disclosures in which a "covered entity is permitted, but not required, to use and disclose protected health information, without an individual's authorization..." for the purposes of "...Treatment, Payment, and Health Care Operations."
The HHS considers fundraising to fall under Health Care Operations if raising money for the benefit of the covered entity. Under 45 CFR § 164.514(f) HIPAA states that "a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of § 164.508..."
However, HIPAA regulations still suggest including a specific fundraising line in one's Notice of Privacy Practices, saying covered entities "must include a separate statement informing the individual of such activities."
Rules for HIPAA compliant fundraising emails
- Include fundraising in the Notice of Privacy Practices as a minimum.
- The PHI used for fundraising must be limited. It can include demographic information, dates of health care provided, department of service information, treating physician, outcome information, and health insurance status. But don't include detailed medical information like a patient's diagnosis.
- Patients must be given a clear option to opt out of receiving fundraising communications. A decision to opt out of fundraising communications must not affect treatment or payment for services.
- Fundraising emails should still comply with other laws like CAN-SPAM.
Why would fundraising emails even need to include PHI?
Fundraising is, at heart, an emotional appeal. With PHI like department of service or treating physician, fundraisers can customize their fundraising messages to be more relevant and personal to each recipient. A patient who previously had received care from the cardiology department might be inclined to contribute to a fundraiser for cardiac research or equipment.
Leveraging PHI in fundraising allows the marketer to reach out to those with a personal connection or experience with the appeal. A targeted approach often leads to more effective fundraising for specific projects or initiatives. It also allows for more compelling stories within the outreach.
What makes a healthcare fundraising email effective?
Fundraising appeals should be backed by a story to be most impactful. That's why targeted emails are so effective. They allow the smart marketer to tailor the story to people who have differing relationships with the organization and the story.
Survivors have different experiences from people currently undergoing treatment. People who overcame other challenges understand the pain but not the journey. Use your data and send a few versions depending on the story and recipient.
A fundraising email's next most crucial aspect is the call to action. If you're soliciting donations, state that in the top third of the email and add a big, bright button that takes readers to a landing page where they can enter their payment details. Every extra step lowers the conversion rate and decreases the amount raised.
The landing page absolutely must reflect the email's appeal. It's a pet peeve of mine when the appeal references a specific story and a plea to donate to a specific cause, like funding a new machine or paying for a particular person's treatment, only for the landing page and donation form to be generalized to the cause as a whole. I'm never certain my money will go where I want it to, and it drastically lowers trust and motivation.
Speaking of trust and motivation, any outreach should include trust signals. Make the organization clear. Send from a "live" email address and not a donotreply@org.com. If it's tax-deductible, state that outright.
Lastly, don't fudge the subject line. No one likes being played for a fool, so be honest, straightforward, and direct in the subject line. The subject line should always match the content, and that goes for all emails, not just fundraising emails.
Regarding the number of fundraising emails or frequency, the answer lies somewhere between more than you think, and don't abuse people's patience. You're asking for money and putting it to a good cause - don't be bashful. The best approach is to set your (reasonable) goal and send the number of emails it takes to reach that goal. Remove from the recipient list those who already donated and test out different stories, subject lines, and even images.
Dean Levitt
