HIPAA Privacy - Uses and Disclosures for Fundraising 164.514(f)


Overview:
§164.514(f)
Fundraising communications
(1) Standard: Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of § 164.508:
(i) Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth;
(ii) Dates of health care provided to an individual;
(iii) Department of service information;
(iv) Treating physician;
(v) Outcome information; and
(vi) Health insurance status.


(2) Implementation specifications: Fundraising requirements.
(i) A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by §164.520(b)(1)(iii)(A) is included in the covered entity’s notice of privacy practices.
(ii) With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost.
(iii) A covered entity may not condition treatment or payment on the individual’s choice with respect to the receipt of fundraising communications.
(iv) A covered entity may not make fundraising communications to an individual under this paragraph where the individual has elected not to receive such communications under paragraph (f)(2)(ii) of this section.
(v) A covered entity may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications.


Action Items:
1) Obtain and review policies and procedures and notice of privacy practices and evaluate the content relative to the established performance criterion.
2) Obtain and review a sample of communications for fundraising purposes to determine if it contains a clear and conspicuous opportunity to opt out of further fundraising communications or reference to a mechanism for opting out.
3) Obtain and review documentation that the policies and procedures are conveyed to the workforce.


Related Documents:
1) Policies and procedures and notice of privacy practices
2) Sample of communications for fundraising purposes
3) Documentation that the policies and procedures are conveyed to the workforce


Additional Guidance:
Health care operations are any of the following activities: (a) quality assessment and improvement activities, including case management and care coordination; (b) competency assurance activities, including provider or health plan performance evaluation, credentialing, and accreditation; (c) conducting or arranging for medical reviews, audits, or legal services, including fraud and abuse detection and compliance programs; (d) specified insurance functions, such as underwriting, risk rating, and reinsuring risk; (e) business planning, development, management, and administration; and (f) business management and general administrative activities of the entity, including but not limited to: de-identifying protected health information, creating a limited data set, and certain fundraising for the benefit of the covered entity.



Article ID: 550
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick

Online URL: http://www.compliancewiki.org/article/hipaa-privacy-uses-and-disclosures-for-fundraising-164-514-f-550.html