HHS Releases Final Privacy Regulations
(Aug. 23, 2002) WASHINGTON (AFP eWire) - The Department of Health and Human Services has released the final version of its regulations regarding the privacy of patient medical records, which will go into effect on April 14, 2003. While no major changes affecting fundraising were incorporated into the final version, the regulations will require health-related institutions to obtain their patients' explicit permission before using certain medical information for fundraising purposes.
AFP worked to get the initial regulations changed so that basic contact and demographic information could be used for fundraising purposes without permission. This type of information includes:
- Full Name
- Contact Information (including address, phone numbers, email and other general means of communicating with an individual)
Information related to health care, especially data related to the type of treatment or services that an individual received, cannot be used for fundraising purposes unless the organization has received the individual's authorization. This type of information includes what programs or services the patient used or received, or in what departments or areas of the institution the patient received services. However, other types of data, such as a donor's interests and past giving history, can be collected as usual.
Disclosure and Opt-Out
These regulations also include two important requirements related to privacy, disclosure and opt-out opportunities. First, an organization must develop a statement about how it gathers and uses personal and medical data. This notice (known as the "Notice of Privacy Practices") must contain the following statement as a header or otherwise prominently displayed: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
The Notice of Privacy Practices must, among other items, list the purposes for which information is being gathered about an individual, including at least one explicit example. Fundraising must be listed as a purpose for which the charity will contact the individual, if applicable. The Notice must also include guidance as to how individuals can restrict certain data.
The Notice must be made available to all individuals upon request, and for direct health care providers, must be disclosed no later than the date of service. The Notice must be placed in a clear and prominent location in an organization's office or area of health care delivery. If the organization has a website, it must be posted there, and can be disclosed via email or other communications.
The second major requirement is that a health-related charity must provide an opt-out provision in any and all fundraising materials it distributes to patients. Individuals must be able to clearly understand how they can opt out of receiving future fundraising communications, and the charity must make "reasonable efforts" to ensure that individuals who do opt out do not receive any such materials. While this requirement would affect only patients or those individuals who received services from the charity, it is a good policy that falls within AFP's Code of Ethical Principles and Standards of Professional Practice.
However, the charity can continue to send information about its programs or events, even if those events contain a passive element of fundraising (i.e. a special event designed to raise funds and increase awareness of the charity). Direct solicitations, though, would be prohibited.
For More Information
To ensure their organization is in complete compliance, organizations should seek out qualified legal counsel. For additional information about the regulations, including a copy of the final rules, guidelines, and a list of frequently asked questions, go to the HHS' Office of Civil Rights: http://www.hhs.gov/ocr/hipaa/whatsnew.html.