January 31, 2013
By Vickie Ahlers and Michael Chase*
The U.S. Department of Health & Human Services (HHS), Office for Civil Rights' Modifications to the HIPAA Privacy, Security, Enforcement and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules (Final Rules) contain new provisions concerning the use or disclosure of protected health information (PHI) for fundraising communications. In the past, a covered entity was permitted to use, or disclose to an institutionally related foundation or business associate, limited PHI for fundraising purposes, including demographic information and date(s) of service. Many covered entities commented that the Final Rules needed to be more flexible to allow a covered entity to target specific individuals and avoid others—for example, those patients experiencing bad treatment outcomes. The Final Rules permit additional PHI to be used or disclosed for fundraising communications and provide several enhanced implementation specifications concerning an individual's right to opt out.
Under the Final Rules,1 a covered entity may use or disclose the following PHI, without an authorization, to an institutionally related foundation or business associate for the purpose of making fundraising communications:
- Demographic information (now defined to include name, address, other contact information, age, gender, and date of birth);
- Dates of healthcare provided to an individual;
- Department of service information (general department of treatment—e.g., cardiology, pediatrics, etc.);
- Treating physician;
- Outcome information (including death or sub-optimal treatment); and
- Health insurance status.
The covered entity's notice of privacy practices must state the intent to make fundraising communications and describe the individual's right to opt out of receiving communications. The actual opportunity to opt out is not required to be provided pre-solicitation.
All fundraising communications, including phone calls, must include a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications. The opt-out mechanism must not cause the individual undue burden or impose more than a nominal cost. HHS suggests use of a toll-free telephone number, email address, or other simple method to opt out. HHS indicated that requiring an individual to write a letter to opt out imposes an undue burden, but that mailing a pre-printed and pre-paid postcard does not impose an undue burden. A covered entity has discretion to structure the opt out to apply to a specific fundraising campaign or extend the opt out to cover all future fundraising communications, but the opt out must encompass all forms of fundraising communications (email, phone, and mail).
A covered entity may not condition treatment or payment on the individual's choice concerning future receipt of fundraising communications. In addition, a covered entity may not make fundraising communications to an individual who has elected not to receive communications. This prohibition implements the Health Information Technology for Economic and Clinical Health Act provision that covered entities must treat an opt out like a revocation of authorization and replaces the existing requirement that the covered entity make "reasonable efforts" to ensure that communications are not sent to an individual who has opted out. Covered entities will need to have adequate data management systems to track individuals who have opted out of receiving fundraising communications.
Finally, a covered entity must provide an individual who has opted out of receiving fundraising communications the opportunity to opt back in. HHS gives covered entities discretion in implementing this requirement, but it notes that an opt out should not automatically lapse. Individuals must take some affirmative step to opt back in for receipt of future fundraising communications.
Covered entities that use or disclose PHI for fundraising communications should review their notices of privacy practices, develop strategies for their organizations' methods of opting out and opting back in, and begin to implement data management systems to properly track the opt-out status of individuals who may receive fundraising communications.
*We would like to thank Vickie B. Ahlers, Esquire, and Michael W. Chase, Esquire (Baird Holm LLP, Omaha, NE), for authoring this email alert. We would also like to thank the Health Information and Technology Practice Group leadership for sharing this alert with the other Practice Groups.
1 45 C.F.R. § 164.514(f).