Health Insurance Portability and Accountability Act (HIPAA) aims to protect the confidentiality and security of information. The Privacy Rule component of the law establishes national standards to protect individuals’ records and other personal health information—setting limits and conditions on how organizations will use the information without a person’s authorization, including usage for fundraising.
Updated HIPAA regulations were released in 2013, clarifying the rules fundraisers must follow to comply with the statute. Fundraisers need to revisit these modifications to ensure proper adherence.
HIPAA requirements apply to different situations, and without the proper knowledge and approach, it’s easy to make common mistakes. Here is a review of the HIPAA regulations as it relates to the dos and don’ts fundraising.
Information Available to Fundraisers
Organizations can target their fundraising based on the nature of the services a person received or their physician’s identity. The personal health information that can be used for fundraising purposes includes:
- patient demographic data (name, address, phone/email, date of birth, age, gender, etc.).
- health insurance status;
- dates of patient services;
- general type of department in which a patient is serviced;
- treating physician information;
Information requiring written authorization before fundraising use may include:
- nature of services; and
The Rule for Supporting Foundations
If an institutionally related foundation conducts fundraising activity, a business associate agreement with its health care provider for the use of patient information is not required due to its direct supporting relationship.
Consultants on a retainer or other external fundraising vendors who will be granted access to patient information must agree with the health care provider on file.
Before using information for fundraising purposes, a HIPAA-covered entity’s Notice of Privacy Practices must state organizations may contact the patient for fundraising efforts. The patient can opt-out of receiving any fundraising communications.
You must provide this Notice to the patient in advance of receiving care.
It is important to remember that patients have the right to opt out. Health care providers and supporting foundations legally must include a provision in all fundraising communications (including telephone and face-to-face solicitations). The provision must state the patient has the right to opt-out of future solicitations and must:
- identify any conspicuous part of the materials sent to the patient;
- describe how your organization may use information;
- be written clearly, in plain language; and
- include a simple, not burdensome means to opt-out from receiving further fundraising communications.
Segment your opt-out options so patients can elect to opt-out of campaign-specific or all future fundraising communications. It’s important to note that the opt-out does not lapse.
Here are some dos and don’ts of fundraising when it comes to HIPPA compliance.
Do: Conduct a Thorough Risk Analysis
Some of the most significant HIPAA penalties are because of failure to conduct a thorough risk assessment. Violations related to inadequate risk assessments fall under the most severe Willful Neglect tier of penalties. Every organization that creates, receives, maintains, or transmits private health information must conduct an accurate and thorough HIPAA risk assessment to comply with the HIPAA Security Rule.
Don’t: Ignore Social Media Usage.
Most people (if not all) are active on social media in some capacity. People use social media differently, especially regarding HIPAA’s primary objectives. Too often, social media encourages the careless sharing of data. HIPAA regulations strive to keep personal health information as confidential as possible.
Do: Perform Regular Self-Audits
Conduct periodic self-audits as recommended by the National Institute of Standards and Technology (NIST)—it’s proven to be one of the most effective HIPAA compliance tools.
Self-audits tend to focus on HIPAA Security Rule compliance—covering technical, administrative, and physical safeguards related to personal health information. Audits can include issues within the Privacy Rule.
Don’t: Forget Your Employees.
Internal issues related to HIPAA compliance are a common mistake when it comes to not-compliance. Often, employees fail to ensure that all third-party vendors, contractors, and business associates handle sensitive information appropriately. Third-party HIPAA compliance was a focus of the 2013 HIPAA Omnibus Rule. Entities should work with vendors to ensure that private health information is secure.
Do: Have a Training Plan
The HIPAA Privacy Rule and the HIPAA Security Rule have training requirements, including the mandate that both covered entities and business associates provide regular training to their workforce members who handle private health information.
HIPAA doesn’t specify the length and topics required, but the Privacy Rule states that training must be as necessary and appropriate for the workforce members to carry out their functions.
These functions can vary, especially regarding fundraising. Create a targeted training plan to ensure your organization remains HIPAA compliant.
Do: Have a Contingency Plan
Organizations and covered entities must ensure they have a current HIPAA contingency plan to prepare for adverse events that could affect private health information. Events could include a physical burglary, natural disaster, or cybersecurity attack.
Your contingency plan will depend on your risk assessment and analysis—addressing the most prominent threats to your private health information. Establish specific guidelines and procedures to follow, including things like systems and data recovery.
Don’t: Tackle Compliance Alone
You can’t achieve HIPAA compliance single-handily. If necessary, work with an outside expert or consultant to develop a comprehensive risk assessment, create an effective training plan, and identify potential cyber vulnerabilities.
At the very least, enlist a compliance partner at the beginning stages of the preparation for HIPAA compliance.