HIPAA Use and Disclosure of Protected Health Information for Fundraising
REG12.60.23 Current Version
History: Effective: April 14, 2003; September 19, 2013
Revised: January 8, 2004; October 11, 2010; September 18, 2013
Transitioned from Interim to Permanent: July 17, 2014.
Related Policies: Authorization to Use/Disclose Protected Health Information
Additional Resources: 45 CFR 164 Subpart E - Privacy of Individually Identifiable Health Information
"Modification to the HIPAA Privacy, Security, Enforcement, and Breach Notification Rules Under the Health Information Technology for Economic and Clinical Health Act and the Genetic Information Nondiscrimination Act; Other Modifications to the HIPAA Rules; Final Rule," 78 Federal Register 17 (25 January 2013), pp. 5566-5702
ECU Healthcare Components
Contact Information: ECU HIPAA Privacy Office, 252-744-5200
1.1. This regulation applies to East Carolina University Health Care Components ("ECU Health Care Components") that create or maintain protected health information ("PHI"). This regulation covers interactions involving uses and disclosures between an ECU Health Care Component and other areas of ECU that may receive PHI. The purpose of this regulation is to describe the manner in which ECU's Health Care Components can use or disclose PHI for Fundraising Communications with individuals with whom a treatment relationship exists.
2.1. Department of Service Information means information about the department where a treatment relationship with an ECU Health Care Component has been established, such as Cardiovascular Sciences, Radiation Oncology, or Pediatrics.
2.2. Fundraising Communications means communication that is made by an ECU Health Care Component to an individual with whom a treatment relationship exists, or to an institutionally related foundation, or to a Business Associate on behalf of an ECU Health Care Component for the purpose of raising funds for the ECU Health Care Component regardless of how the funds are to be used.
2.3. Outcome Information means information regarding the death of the patient or any sub-optimal result of treatment or services which is used to screen and eliminate PHI concerning such individuals from use in fundraising solicitations.
3.1. ECU Health Care Components will comply with HIPAA regulations regarding the use and disclosure of PHI for Fundraising Communications. Specifically, PHI will not be used or disclosed for fundraising activities unless it meets the standard provided in the HIPAA regulations. PHI that does not meet the standard may only be used pursuant to a specific authorization from the individual granting more expansive use of their PHI.
4.1. ECU Health Care Components may use or disclose to a Business Associate or to an institutionally related foundation, the following PHI for the purpose of raising funds for its own benefit, without a written authorization from an individual:
4.1.1. Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth;
4.1.2. Dates of health care provided to an individual;
4.1.3. Department of Service Information;
4.1.4. Treating physician;
4.1.5. Outcome Information; and
4.1.6. Health insurance status.
4.2. ECU Health Care Components must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications.
4.2.1. The method for an individual to elect not to receive further Fundraising Communications may not cause the individual to incur an undue burden or more than a nominal cost.
220.127.116.11. Examples of acceptable opt-out options include, but are not limited to, the use of a toll-free phone number, an e-mail address, or mailing a pre-printed, pre-paid postcard.
18.104.22.168. An example of an unacceptable opt-out option includes, but is not limited to, requiring individuals to write and send a letter to the ECU Health Care Component asking not to receive further Fundraising Communications.
4.2.2. An ECU Health Care Component may provide individuals with the choice of opting out of all future Fundraising Communications or just campaign specific communications.
22.214.171.124. Whatever opt-out method is employed should clearly inform individuals of their options and any consequences of electing to opt out of further Fundraising Communications.
4.2.3. There is no time limit to the ability of an individual to opt out of receiving further Fundraising Communication. Once an individual has opted out, it will continue indefinitely unless the individual opts back in.
4.3. ECU Health Care Components may not condition treatment or payment on the individual's choice with respect to receipt of Fundraising Communications.
4.4. ECU Health Care Components may not make Fundraising Communications to an individual who has elected not to receive such communications.
4.4.1. ECU Health Care Components must have data management systems and processes in place to timely track and flag those individuals who have opted out of receiving Fundraising Communication to ensure that they are not sent additional Fundraising Communications.
4.5. ECU Health Care Components may provide an individual who has elected not to receive further Fundraising Communications with a method to opt back in to receive such communications.
4.5.1. The method chosen must provide the individual with an active decision to opt back in.
126.96.36.199. For example, an ECU Health Care Component may include, as part of a routine newsletter, a phone number for individuals to call so that they can be put on a fundraising list.
188.8.131.52. The act of making a donation, absent a separate election to opt back in, does not suffice to automatically add the individual back onto a fundraising communication list.