Uses and Disclosures of Protected Health Information for Fundraising

Layout for printing
Policy Number:
UW-108
Old Policy Number:
3.7
Responsible Office:
Office of Compliance

University Policy

Rationale/​Purpose:

In enacting HIPAA, Congress mandated the establishment of Federal standards for the privacy of individually identifiable health information. Under the patchwork of laws existing prior to adoption of HIPAA and the Privacy Rule, personal health information could be distributed—without either notice or authorization—for reasons that had nothing to do with a patient's medical treatment or health care reimbursement. For example, unless otherwise forbidden by State or local law, without the Privacy Rule patient information held by a health plan could, without the patient’s permission, be passed on to a lender who could then deny the patient's application for a home mortgage or a credit card, or to an employer who could use it in personnel decisions. The Privacy Rule establishes a Federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections apply over and above the new Federal privacy standards. 

Definitions:
Business associate
A person or entity that performs functions or activities on behalf of, or certain services for, a covered entity, which involve the use of protected health information (PHI).
Covered entity
A health plan, health care clearinghouse, or health care provider that transmits any health information in electronic form in connection with a transaction covered by HIPAA.
Demographic information
Name, address, and other contact information; age; gender; and date of birth. The term does not include any information about the illness or treatment.
Disclosure
The release, transfer, provision of access to, or divulging in any manner of protected health information by an individual within the health care component (HCC) or affiliated covered entity (ACE) with a person or entity outside the HCC or ACE.
Fundraising
Appeals for money, sponsorship of events, etc. Fundraising does not include royalties or remittances for the sale of products of third parties (except auctions, rummage sales, etc.).
HITECH
The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, to promote the adoption and meaningful use of health information technology.
Institutionally related foundation
A foundation that qualifies as a nonprofit charitable foundation under section 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to the covered entity. The University of Wisconsin Foundation is the institutionally related fundraising foundation for the UW–Madison health care component.
Protected health information (PHI)
Health information or health care payment information, including demographic information, which identifies the patient or can be used to identify the patient. Protected health information does not include student records held by educational institutions or employment records held by employers.
University of Wisconsin Foundation (UWF)
The institutionally related foundation that performs fundraising activities for UW–Madison.
Use
The sharing, employment, application, utilization, examination, or analysis of protected health information by an individual within the UW HCC or the UW ACE.
UWMadison health care component (UW HCC)
Those units of UW–Madison that have been designated by the university as part of its health care component under HIPAA. See UW-100 Designation of UW-Madison Health Care Component for a listing of these units.
Scope:

Applies to all members of the UW HCC. 

Policy:

Policy Summary

The HIPAA Privacy Rule and HITECH regulations permit limited uses and disclosures of protected health information for fundraising activities on behalf of a covered entity without patient authorization. UW–Madison follows HIPAA and HITECH regulations regarding when patients must provide written authorization for the use and disclosure of their protected health information for fundraising activities and when no authorization is required for such activities.

Policy Detail

  1. All fundraising for the UW HCC that involves the use of protected health information and requires patient authorization must be done through the University of Wisconsin Foundation, which is both an institutionally related foundation and a business associate of UW–Madison.
  2. Requirements of the Privacy Rule of HIPAA and HITECH for Use and/or Disclosure of PHI for Fundraising by the UW HCC 
    1. Fundraising Requiring Patient Written Authorization. If the UW HCC desires to use or disclose any protected health information of a patient other than as described below in B.2. for fundraising purposes, this may be done only after the patient has authorized this use/disclosure by completing a Marketing/Fundraising Authorization for Use/Disclosure of Medical Information form. All such fundraising must be done in coordination with the University of Wisconsin Foundation. The foundation will assist in obtaining the needed patient authorization for this type of fundraising and retain the authorizations as required under the HIPAA Privacy Rule.
    2. Fundraising that Does Not Require Patient Written Authorization. Fundraising that does not involve the use or disclosure of protected health information by the UW HCC or that involves the use or disclosure by the UW HCC of only that information described below in B. does not require a patient's authorization.
      1. Fundraising Not Involving the Use or Disclosure of PHI by the UW HCC. If an individual (patient, family, or friend) approaches a UW staff member and requests information about how to donate, this information may be provided and/or the donation accepted without any authorization. When individuals spontaneously donate, not in response to a fundraising solicitation, this donation is not covered by the Privacy Rule.
      2. Fundraising Involving the Use or Disclosure of Demographic Information and Other Limited Information as Described Below to an Institutionally Related Foundation or Business Associate.
        1. Without the patient’s written authorization, the UW HCC may use internally or disclose outside of the UW HCC to an institutionally related foundation or business associate (i.e., the University of Wisconson Foundation, for fundraising on its behalf:
          1. Demographic information (as defined above).
          2. Dates of health care provided to the patient.
          3. Department of service (e.g., cardiology, pediatrics).
          4. Treating physician.
          5. Outcome information (including death or sub-optimal treatment).
          6. Health insurance status.
        2. The relevant Notice of Privacy Practices (see UW-102 Notice of Privacy Practices (NPP) Distribution and Acknowledgement) must contain a statement that the UW HCC may contact the patient to raise funds for the UW HCC and describe the individual’s right to opt out of receiving communications. The actual opportunity to opt out is not required to be provided pre-solicitation.
        3. Each fundraising communication must provide the individual with a clear and conspicuous opportunity to opt out of receiving any further fundraising communications. The method for opt out must not require the individual to incur an undue burden or more than a nominal cost.
        4. The UW HCC may not condition treatment or payment on the individual’s choice concerning the receipt of further communications related to fundraising.
        5. The UW HCC may not make fundraising communications to an individual who has opted out of receiving such communications.
        6. Individuals who have opted out of receiving fundraising communications may be given the opportunity to opt back in, but only through an affirmative step to opt back in (e.g., an opt out may not lapse after a period of time).

  3. Mailing Lists

    The UW HCC may use protected health information, including disease or condition information, without a patient's authorization, to develop mailing lists for purposes of identifying individuals to whom an authorization for use of protected health information for fundraising should be sent.

  4. Minimum Necessary

    The UW HCC must identify and use or disclose only the minimum set of protected health information necessary when using or disclosing protected health information for fundraising.

  5. Fundraising Databases Prior to April 14, 2003

    Any database in existence as of April 14, 2003, used for fundraising purposes must be purged of any health-related information about the individual. Only the information described above in II.2.B. along with donation history may be maintained in such databases for use for fundraising purposes.

Consequences for Noncompliance

Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.

Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.

Related UW-Madison Policies:
Related UW–Madison Documents, Web Pages, or Other Resources:
External References:

45 C.F.R. § 164.514(f)

Policy Administration

Approval Authority:
Vice Chancellor for Legal Affairs
Policy Manager:
HIPAA Privacy Officer
Contact:
HIPAA Privacy Officer -- Jack Talaska, JACK.TALASKA@WISC.EDU, (608) 265-4077
Effective Date:
04-14-2003
Revised Dates:

06-13-2014: Effective date of the revised policy: 06-13-2014.
03-26-2020: Effective date of the revised policy: 03-26-2020.

Retrieved:
04-23-2024 06:00:09