HIPAA Fundraising Policy
About This Policy
- Effective Date:
- Date of Last Review/Update:
- Responsible University Office:
- HIPAA Privacy and Security Compliance Office
- Responsible University Administrator:
- Vice President for University Clinical Affairs
Use and Disclosure of PHI for Fundraising (Without Authorization)
IU Fundraising Personnel, as a business associate to Beneficiary Covered Entities, may receive, use and disclose the following PHI without obtaining an individual’s authorization for the purpose of raising funds for the joint benefit of the IU Foundation and the Beneficiary Covered Entity:
- Basic demographic information relating to a patient (e.g. patient name, address and other contact information, age, gender, and date of birth);
- Dates of health care services provided to the patient;
- Department of service information;
- Treating physician;
- Outcome information (e.g. which may include information regarding the death of the patient or any sub-optimal result of treatment or services; and
- Health insurance status.
Use and Disclosure of PHI for Fundraising (With Authorization)
Use of any other PHI for fundraising purposes shall require a prior written authorization from the patient. This includes clinical information relating to the patient's illness, diagnosis or treatment, as well as the patient medical record number.
In addition, an authorization shall be required prior to using PHI obtained from a Beneficiary Covered Entity for the fundraising activities of any other party.
The IU Fundraising Personnel shall obtain a patient’s authorization where required by this policy and may rely on a Beneficiary Covered Entity’s assertion that they obtained the patient’s authorization.
IU Fundraising Personnel shall provide the Beneficiary Covered Entity and the individual with a copy of signed patient authorization forms that are obtained by IU Fundraising Personnel. The Beneficiary Covered Entity shall retain a copy of the signed authorization for a minimum of seven years following the date the authorization was signed.
IU HIPAA Affected Areas may not conduct their own fundraising activities. Fundraising activities must be facilitated through an IU office, authorized to conduct fundraising at IU.
An executive from the Beneficiary Covered Entity must approve the request before any PHI may be released to IU Fundraising Personnel for fundraising purposes.
IU shall include a statement in the IU Notice of Privacy Practices that indicates that PHI may be used or disclosed for fundraising purposes.
IU Fundraising Personnel shall:
- Provide individuals with simple, quick, and inexpensive ways to opt out of receiving further fundraising communications (e.g. a toll-free number, e-mail, pre-printed, pre-paid postcard response card, etc.)
- Make the opt out instructions clear so that an individual understands whether they are opting out of all or certain types of future fundraising solicitations. This applies to written and phone solicitations.
The solicitation materials must include the following opt out language:
- Language for opting out of all future solicitations: “Please check here if you no longer wish to receive any future solicitations regarding fundraising opportunities for the IU Foundation.”
- Language for opting out of certain types of solicitations: “Please check here if you no longer wish to receive future solicitations for [Specify the Fundraising Campaign].”
- Ensure that individuals who opt out of receiving future fundraising material are not sent such communications in the future.
- Set up the fundraising campaign account name to reflect the parties who benefit from the campaign.
IU Fundraising Personnel shall not:
- require individuals to write letters to discontinue receiving fundraising communications or any other mechanism that places undue burden on the individual; or
- condition of treatment or payment on an individual’s choice with respect to the receipt of fundraising communications.
IU Fundraising personnel may provide individuals with a mechanism to opt back in and receive fundraising communications.
Safeguarding and Secure Disposal of PHI
PHI, including demographic and other information received from a Beneficiary Covered Entity for fundraising purposes shall be appropriately safeguarded. In addition such PHI shall be securely disposed of or returned to the Beneficiary Covered Entity once the fundraising campaign has concluded. PHI, such as patient lists obtained from a Beneficiary Covered Entity, may not be:
- Retained by IU Fundraising Personnel once the fundraising campaign has concluded;
- Used for future solicitations, even if the campaign is for the same faculty member or Department; or
- Used for other fundraising purposes.
Reason for Policy
The Health Insurance Portability and Accountability Act (HIPAA) limits the use and disclosure of Protected Health Information (PHI) for fundraising purposes.
The Indiana University (IU) Foundation is an institutionally-related foundation with an explicit linkage to support fundraising where such fundraising jointly benefits the IU Foundation and the Covered Entity (“Beneficiary Covered Entity”.) Fundraising for the IU Foundation benefits both IU and the Beneficiary Covered Entity by supporting physician research. The Beneficiary Covered Entity, benefits from fundraising and the research it supports since the Beneficiary Covered Entity employs Faculty members. HIPAA permits the shared benefit of fundraising.
IU Fundraising Personnel assist faculty members who are also part of a Beneficiary Covered Entity with fundraising activities involving the use or disclosure of Protected Health Information (PHI). In this capacity, the IU Foundation and related IU Fundraising Personnel function as a Business Associate to the Beneficiary Covered Entity.
This policy establishes how the IU Foundation and IU Fundraising Personnel may use and disclose PHI in accordance with HIPAA for fundraising purposes.