In enacting HIPAA, Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. Under the patchwork of laws that existed before HIPAA and the Privacy Rule were adopted, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient's permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a Federal floor of safeguards to protect the confidentiality of medical information. State laws that provide stronger privacy protections apply over and above the Federal privacy standards.
Applies to all members of the UW HCC.
The HIPAA Privacy Rule and HITECH regulations permit limited uses and disclosures of protected health information for fundraising activities on behalf of a covered entity without patient authorization. UW–Madison follows HIPAA and HITECH regulations regarding when patients must provide written authorization for the use and disclosure of their protected health information for fundraising activities and when no authorization is required for such activities.
Mailing Lists
The UW HCC may use protected health information, including disease or condition information, without a patient's authorization, to develop mailing lists for purposes of identifying individuals to whom an authorization for use of protected health information for fundraising should be sent.
Minimum Necessary
The UW HCC must identify and use or disclose only the minimum set of protected health information necessary when using or disclosing protected health information for fundraising.
Fundraising Databases Prior to April 14, 2003
Any database in existence as of April 14, 2003, that is used for fundraising purposes must be purged of any health-related information about the individual. Only the information described above in II.2.B., along with donation history, may be maintained in such databases for fundraising purposes.
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.
06-13-2014: Effective date of the revised policy: 06-13-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.