Final Health Information Privacy Rules: Implications For Hospital Fundraising Activities
May 16, 2001
On December 28, 2000, the Department of Health and Human Services (DHHS) published final regulations under the Health Insurance Portability and Accountability Act (HIPAA) governing the use and disclosure of personal health information by Covered Entities (Final Rules). Covered Entities include health care providers, health care insurers and health care clearinghouses. Despite some initial uncertainty as to whether the Bush Administration would delay implementation of the Final Rules, on April 12, 2001, the Bush Administration announced that the Final Rules would take effect on schedule. This means that Covered Entities must comply with the Final Rules by February 2003.
McDermott Will & Emery’s January 5, 2001 Health Law Update that summarizes the Final Rules
General Rule
Generally, the Final Rules require that Covered Entities obtain a written consent or authorization from a patient prior to using or disclosing such patient’s personal health information. However, the Final Rules provide several exceptions to the authorization requirement. One of these exceptions provides that Covered Entities may use certain types of personal health information for fundraising activities without the prior written authorization of the patient.
Exception for Fundraising Activities
The exception made for fundraising activities in the Final Rules is a significant departure from the proposed HIPAA regulations. The proposed regulations would have required that the Covered Entity obtain the patient’s authorization prior to using or disclosing any personal health information for fundraising purposes. DHHS decided to change the proposed regulations in response to industry comments arguing that an authorization requirement with respect to fundraising would be time consuming and costly for Covered Entities and would lead to a decrease in charitable donations. The Final Rules addressed this concern by permitting Covered Entities to use or disclose certain personal health information for fundraising purposes without the written authorization of the patient.
Specifically, the Final Rules state that a Covered Entity may use, or disclose to a "business associate" or to an institutionally related foundation, certain specific types of personal health information without first obtaining patient authorization for the purpose of raising funds for the Covered Entity. The preamble to the Final Rules defines an "institutionally related foundation" as a foundation that qualifies as a charitable corporation under Section 501(c)(3) of the Internal Revenue Code and that expressly includes a provision in its corporate charter that links the foundation to the Covered Entity, i.e., is a "supporting organization" under Section 509(a)(3) of the Internal Revenue Code. For example, a Covered Entity that is a hospital may disclose personal health information to a foundation that has been established for the specific purpose of raising funds for the hospital, or to a foundation that has as its mission the support of the members of a particular hospital chain that includes the covered hospital, provided that such fundraising activities are for the benefit of the covered hospital and meet the requirements described below. The term "institutionally related foundation" does not include an organization that has a general charitable purpose of supporting medical research or treatment of disease because such a charitable purpose would not be considered specific to a particular covered hospital.
Limitations on Fundraising Exception
The Final Rules impose certain limitations on the fundraising exception. Personal health information that may be used or disclosed by a Covered Entity for fundraising purposes without the written authorization of the patient is limited to demographic data (i.e. name and address but not diagnostic or treatment data) and dates of health care services provided to an individual. The use or disclosure of any other type of personal health information would require the patient’s written authorization. Further, the Covered Entity’s "Notice of Information Practices," which must be made available to all of its patients in accordance with the Final Rules, must include a statement that the Covered Entity may use demographic data and dates of service for fundraising purposes without obtaining prior written authorization. The Covered Entity must also include in any fundraising materials it sends to an individual a description of how the individual may "opt out" of receiving future fundraising communications. The Covered Entity must take reasonable measures to ensure that individuals who have chosen to opt out of receiving future fundraising communications are not sent such communications.
Conclusion
Although it is clear that the Final Rules will require hospitals to exercise vigilance to ensure the privacy of patients’ personal health information, the fundraising exception to the Final Rules will permit hospitals to use certain basic personal health information when conducting fundraising activities without obtaining patient authorization. We look forward to helping our hospital clients analyze the Final Rules and their impact on fundraising activities.
