Category: Privacy

Date: March 2003

Reviewed/Revised: July 2013

Purpose

The purpose of this policy is to comply with HIPAA Rule 164.514 (f). The referenced section of the HIPAA or Privacy law defines the requirements for using and disclosing protected health information for fundraising purposes.

Policy

It is the policy of EVMS Medical Group to limit use and disclosure of an individual’s protected health information for fundraising purposes as set forth below.

Use of protected health information without authorization

  1. Fundraising that a covered entity does on its own behalf is considered a healthcare operation.
  2. The covered entity may use protected health information for fundraising on behalf of itself without individual authorization if it limits the information to demographic information about the individual, a patient’s health insurance status, dates that it has provided service to the individual, department of service and treating physician information as well as outcome information.
  3. Fund raising materials must contain instructions for how the individual may opt-out of any further fundraising communications.
  4. The covered entity must maintain a record of disclosures and a list of individuals who opt-out. Opt-out requests must be honored.
  5. Covered entities may disclose the limited protected health information (demographics, health insurance status, service dates, department and physician providing service and outcome information as described earlier) to a business associate for fundraising on the covered entities own behalf. Opt-out option must be provided.
  6. Covered entities may disclose the limited protected health information previously defined to an institutionally related foundation non profit 501C (3) that has a charitable purpose explicitly linked to the covered entity. The foundation must have as its mission the support of the hospital or hospital chain that includes the covered hospital. Foundations not directly related to the Covered Entity with general charitable purposes, e.g. disease research may not be given the information unless de-identified or specific authorization is given by each individual.

Individual Opt Out: Individuals may opt out of future fundraising communications by written, verbal or electronic notification.

  1. Fundraising opt-out forms should be made available upon request at each clinical department. The patient should be advised by the department representative that it takes approximately four weeks to process their request. Other ways to opt-out include calling the Privacy Line or sending an email through the Contact Us page on the EVMS Website, as set forth on the EVMS Medical Group Opt-Out Form.
  2. Fundraising Opt-out forms/notice should be forwarded upon receipt to the Privacy Office for disposition.
  3. The Privacy Office will enter the patient's opt-out preference into the patient database.