Fundraising Policy Doc

DRAFT
Version 2: FINAL 4/6/14
Based on Final Privacy Rule, HITECH, and Omnibus Rule (9/23/13)
______________________________________________________________________________
HIPAA COW
PRIVACY NETWORKING GROUP
FUNDRAISING AND THE USE OF PROTECTED HEALTH INFORMATION
Disclaimer:
This Fundraising Policy is Copyright by the HIPAA Collaborative of Wisconsin (“HIPAA COW”). It
may be freely redistributed in its entirety provided that this copyright notice is not removed. When
information from this document is used, HIPAA COW shall be referenced as a resource. It may not be
sold for profit or used in commercial documents without the written permission of the copyright holder.
This policy is provided “as is” without any express or implied warranty. This Fundraising Policy is for
educational purposes only and does not constitute legal advice. If you require legal advice, you should
consult with an attorney. Unless otherwise noted, HIPAA COW has not addressed all state pre-emption
issues related to this Fundraising Policy. Therefore, this document may need to be modified in order to
comply with Wisconsin/State law.
State Preemption Issues:
Preemption should not be an issue for fundraising given that it is a subcategory of "health care
operations" such that the HIPAA regulation is incorporated by reference into Wis. Stat. §
146.82. The limited use of PHI for fundraising is permissible under both state and federal law.
Purpose:
The purpose of this policy is to provide guidance for the use of protected health information
(PHI) for the fundraising activities of [insert organization’s name] and [insert foundation’s
name if applicable] 1 (collectively, the “Organization”) in compliance with federal and state
privacy laws. For the purpose of this policy, “fundraising” encompasses the activities specified
in 45 CFR § 164.514(f)(1).2 The Organization will include in any fundraising materials it sends
to individuals a description of how to opt out of receiving further fundraising communications.
Policy Statements:
1. The Organization will use PHI for fundraising in compliance with all federal and state
privacy and security laws. The Organization will not condition patient treatment or
payment on whether the individual has opted out of receiving fundraising
communications.
2. If the Organization is using PHI for fundraising activities, the Organization’s Notice of
Privacy Practices must include the following information with regard to fundraising
activities:
A. That the Organization may use PHI for fundraising activities; and,
B. The fact that the individual may opt out of fundraising activities and communications.
1 A nonprofit charitable foundation under the tax code (e.g., IRC § 501(c)(3)) that has an “explicit linkage” to the
covered entity, or to a group of organizations of which the covered entity is one.
2 45 CFR Parts 160 and 164, HIPAA HITECH Omnibus Rule Preamble
______________________________________________________________________________
 Copyright HIPAA COW
3. The Organization’s fundraising communications, regardless of the medium used (e.g.,
direct mail, e-mail, phone), must include specific instructions for the individual to opt out
of receiving further fundraising communications. The opt-out must:
A. Be clear and conspicuous on every fundraising communication sent to the individual;
B. Be written in clear, plain language; and
C. Specifically describe the mechanisms specified in the following section for opting out of
receiving fundraising communications, all of which are designed to be simple and not unduly
burdensome.
4. Individuals will be informed that they have the following options for opting out of
receiving fundraising communications [include specific options that the Organization will
use]:
A. Toll-free and/or local telephone number.
B. E-mail address.
C. Pre-printed, pre-paid postcard.
D. Similar opt-out mechanism that is simple, quick, inexpensive and non-burdensome for the individual.
5. Sample opt-out language recommended by the Association for Healthcare Philanthropy is
as follows:
“If you do not wish to receive future fundraising requests supporting [Name of
Organization and/or name of specific campaign], you can call our telephone number
[list], and/or e-mail address [list if provided] and leave a message identifying yourself
and stating that you do not want to receive fundraising requests. There is no requirement
that you agree to accept fundraising communications from us, and we will honor your
request not to receive any [more altogether or more with respect to the identified
campaign] fundraising communications from us after the date we receive your decision.”
6. The Organization shall make reasonable efforts to ensure that individuals who have
chosen to opt out of receiving fundraising communications do not receive future
fundraising communications (e.g., removal from mailing lists).
7. The individual’s decision to opt out does not lapse or expire. If an individual who has
opted out of fundraising communications makes a donation, this will not constitute a
revocation or waiver of the decision to opt out. The only circumstance in which an
individual who has opted out will receive fundraising communications is where the
individual makes a separate documented election to opt back in.
8. If the Organization uses information from a public directory to mail fundraising
communications to individuals in a particular service area without using any PHI, the opt-out provisions do not apply. The following is sample language to include in this type of
communication. “You are being sent this communication using an available public
directory of names. Protected Health Information (PHI) was not used to direct this
communication.”
9. The Organization may utilize the following individual demographic information for
fundraising activities without authorization:
A. Name.
B. Address.
C. Other Contact Information.
D. Age.
E. Gender.
F. Date of Birth.
G. Health Insurance Status.
H. Dates of Healthcare Services.
I. Department of Healthcare Services (e.g., neurology, orthopedics, cardiology).
J. Treating provider.
K. Outcome Information (e.g., death of a patient, or any sub-optimal result of treatment or services).
NOTE: The use of all other forms of PHI (e.g., diagnosis, nature of services, treatment)
requires authorization.3
10. The Organization may utilize a business associate (e.g., consultant, printer, and mailing
services) to carry out fundraising activities on its behalf that involve the use of the
Organization’s PHI. A “Business Associate Agreement” must be obtained prior to
disclosing PHI to the business associate to carry out the Organization’s fundraising
activities. (Please see HIPAA COW’s template Business Associate Agreement for more
information.)
11. The Organization will not share or sell PHI to other external organizations or entities for
their fundraising purposes.4
Applicable Regulations/Standards:
• 45 CFR § 164.501, Section 6(v) of the Definition
• 45 CFR § 164.508 – Uses & Disclosures for Which an Authorization is Required
• 45 CFR § 164.514(f)(1)(2) – Uses & Disclosures for Fundraising Purposes
• Wisconsin Statute § 146.82(2)(a)
Resources:
• “Fundraising Under HIPAA – The Basics,” Association for Healthcare Philanthropy
3 45 CFR 164.506 - Uses and Disclosures for Treatment, Payment, and Healthcare Operations; 45 CFR 164.508 - Uses & Disclosures for Which an Authorization is Required
4 45 CFR 164.508; ARRA, Pub. L. No. 111-5, Div. A, Title XIII, § 13405(d)(2), 123 Stat. 264-68 (2009).
Version History:
Current Version: 4/6/14
Prepared by:
• Catherine M. Boerner, JD, CHC, Boerner Consulting, LLC
• Sarah Coyne, JD, Quarles & Brady, LLP
• Nancy Davis, MS, RHIA, CHPS, Ministry Health Care
• Laura Galloy, J.D., LL.M., Compliance Program Manager, Meriter Health Services, Inc.
• M. Scott LeBlanc, JD, Godfrey & Kahn, S.C.
• Chrisann Lemery, MSE, RHIA, CHPS, FAHIMA
• Meghan O’Connor, JD, von Briesen & Roper, s.c.
• Sue Sullivan, RN, BSN, MSN, Vernon Memorial Healthcare
Reviewed by:
• HIPAA COW Privacy Networking Group
Content Changed:
HIPAA/HITECH Omnibus Rule expanded provisions of fundraising for “opt-out” and
expanded PHI available for fundraising activities.
**You may request a copy of all the changes made in this current version by
contacting administration at admin2@hipaacow.org.
Original Version: 11/30/06
Prepared by:
• Sarah Coyne, JD
• Susan Manning, JD, RHIA
Reviewed by:
• Nancy Davis, MS, RHIA