HIPAA Handbooks

  • Privacy and security training for new and seasoned staff
  • 11 staff/setting focus areas
  • Education on protecting PHI
  • New HITECH Act changes
  • Discounts on bulk purchases



  • Role-based training using real-life case scenarios
  • Test-your-knowledge exercises with remediation
  • Post-course test to document staff participation


Other HIPAA Resources

  • Hot-topic audio conferences
  • Books on privacy and security
  • Newsletters
  • e-Newsletter
  • Videos



HIPAA Q&A: Soliciting donations

Email This Post Print This Post

questionbubblesSubmit your HIPAA questions to Editor Jaclyn Fitzgerald at jfitzgerald@hcpro.com, and we will work with our experts to provide the information you need.

Q: The nonprofit organization where I work owns specialized nursing facilities and has many other programs. We would like to reach out to nursing facility residents about our fundraisers in hope of soliciting donations from them. Is using some of their personal information (e.g., financial data, demographics, family contacts) to solicit donations a HIPAA violation?

A: It’s not necessarily a HIPAA violation as long as the HIPAA Privacy Rule fundraising requirements are met. A CE may use certain PHI for fundraising purposes, including:

  • Demographic information about the individual
  • Date(s) healthcare services were provided
  • The department where service was provided
  • The name of the treating physician
  • Outcomes
  • Health insurance status

Residents must be offered the opportunity to opt out of fundraising activity. If a resident opts out, you must honor his or her choice.

There is no provision in HIPAA that permits the use of financial data, demographics, and family contacts to solicit donations. If the intent is to solicit donations from family members, obtain the authorization of residents before contacting family members. However, you may post fundraising material on facility websites or in resources materials available to residents’ families or distributed to the community.

Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.

Categories : HIPAA privacy, HIPAA Q&A

Leave a Reply