Submit your HIPAA questions to Editor Jaclyn Fitzgerald at firstname.lastname@example.org , and we will work with our experts to provide the information you need.
Q: The nonprofit organization where I work owns specialized nursing facilities and has many other programs. We would like to reach out to nursing facility residents about our fundraisers in hope of soliciting donations from them. Is using some of their personal information (e.g., financial data, demographics, family contacts) to solicit donations a HIPAA violation?
A: It’s not necessarily a HIPAA violation as long as the HIPAA Privacy Rule fundraising requirements are met. A CE may use certain PHI for fundraising purposes, including:
- Demographic information about the individual
- Date(s) healthcare services were provided
- The department where service was provided
- The name of the treating physician
- Health insurance status
Residents must be offered the opportunity to opt out of fundraising activity. If a resident opts out, you must honor his or her choice.
There is no provision in HIPAA that permits the use of financial data, demographics, and family contacts to solicit donations. If the intent is to solicit donations from family members, obtain the authorization of residents before contacting family members. However, you may post fundraising material on facility websites or in resources materials available to residents’ families or distributed to the community.
Editor’s note: Chris Apgar, CISSP, president of Apgar & Associates, LLC, in Portland, Oregon, answered this question for HCPro’s Briefings on HIPAA . This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions.