Essential HIPAA Rules Changing Fundraising Practices

The Department of Health and Human Services issued its pre-publication release of the HIPAA rules modifications. The 563-page PDF is available at the Federal Register website and via web link at the BWF website. We have identified issues which we see to be significant for fundraising. There will be continuing interpretation and refinement of these rules. This advisory should serve to alert you to key components, not serve as the final word for compliance. However, BWF sees these modifications favorably supporting even more sophisticated and appropriate grateful patient and family programs.

The rules modifications include five major provisions effecting how every development professional will practice fundraising going forward:

  • Compliance of Vendors: Section 160.103 requires fundraising consultants (and their subcontractors) with access to any HIPAA Protected Health Information (PHI) will be held in strict compliance – the same as the covered entity (your hospital). This means you need a Business Associate Agreement (BAA) executed and in place for every consultant you work with. Your compliance department should already have BAAs drafted for your IT Services – you just need to begin using them as well. This will be particularly relevant for vendors screening data and direct mail houses.
  • Date of Birth: The new rule modifications (section 164.514(f)(1)) clarify what information can be used for fundraising purposes – all previous demographic and insurance status information remains available; and specifically, it is permissible to track date of birth as opposed to the previous standard of a static age. This should clarify most gray areas and remove any compliance concerns over what can be used – allowing you to collect more census data and better populate your database for effective fundraising.
  • Opt-out Expectations: Section 164.514(f)(2) requires you to include an opt-out mechanism with all fundraising communications. This does not apply to general news for the hospital, only to specific fundraising activities where there is an ask for a gift or invitation to attend an event. The opt-out process “should not cause the individual to incur an undue burden or more than a nominal cost.”  Generally, providing a phone number, email address and/or website where someone can opt-out is acceptable. This has been a point of disagreement in the past, and professionally this should be a positive thing for your fundraising efforts. Anyone who does not want to receive fundraising communications is unlikely to make a gift – they are self-identifying their propensity to support the hospital or at least their communication preferences and simplifying your prospecting efforts, which saves you time and money.
  • Fundraising Disclosure: The privacy rules also address disclosures in section 164.514(f)(2). If your hospital uses PHI for fundraising, then you must disclose this in your Notice of Privacy Practices (NPP). For most, this should be a non-issue since it should already be included in your current NPP.
  • Available Data: Section 164.514(f)(2) includes a nice surprise, and win, for fundraisers as well. You are now explicitly allowed to obtain and use department of service, treating physician, and treatment outcome (essentially – “successful” or “other”) information for fundraising purposes. The impact of this expansion of the permitted use of PHI will focus your fundraising strategies. You will be able to screen census data and automatically assign prospects to gift officers based on area of treatment. The gift officers will have contact information to begin working with the patient’s physician. This eliminates many of the barriers to efficient prospect assignment and allows you to sensitively yet quickly develop approaches for selected prospects.

These rule modifications were just shared with the public. You have some time to address the changes they will make to your fundraising efforts. The rules will not go into effect until March 26, 2013, and will not be enforced until September 23, 2013.

These changes represent a continued recognition of the importance of philanthropy in strengthening the health of our community. BWF can be a partner as your organization adjusts your processes to this new ruling or seeks to build an effective program. You can learn more here.


4 thoughts on “Essential HIPAA Rules Changing Fundraising Practices

  1. Pingback: Essential HIPAA Rules Changing Fundraising Practices « marshallartoffundraising

  2. Pingback: Essential HIPAA Rules Changing Fundraising Practices « fundraisingoperations

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s