Fund raising for healthcare institutions often depends on tapping the grateful sentiments of former patients. To raise money for a new cardiology floor, for example, one time-tested approach is to target former heart patients who might feel invested in the new initiative. What many healthcare providers don't know is that this system is about to change, with profound effects on their development efforts.
On April 14, the privacy rule portion of the Health Insurance Portability and Accountability Act of 1996 will take effect, limiting fund-raisers' ability to use patient information. Hospital development offices no longer will enjoy open access to physicians' input about grateful patients and possible donors.
Patients and the security of their private medical information always take priority over philanthropy. But the continued success of healthcare fund raising depends on careful planning for these looming changes.
The privacy rule covers individually identifiable health information in any form that is created or received by a "covered entity." Health plans, health clearinghouses or healthcare providers that transmit health information in electronic form that concerns certain financial and administrative transactions, such as claims for payment, fall under the rule's provisions.
Unless a patient signs a special authorization, the HIPAA privacy rule will limit fund-raisers' access to a patient's name, address, age, gender, insurance status and the date the individual was treated. Many analysts interpret the privacy rule to mean that fund-raisers cannot access information about the doctor or practice area where a patient was treated. Additionally, under HIPAA donor prospects must be given the opportunity to opt out of fund-raising activities, a requirement that forces new tracking and record-keeping responsibilities on healthcare fund-raisers. Violations of HIPAA carry civil and criminal penalties.
Many fund-raisers are looking to the signed authorization to lessen the impact of this new regulation. The authorization needed to sidestep some privacy rule restrictions must include a laundry list of components-including the duration and specific purpose of the authorization. It seems unlikely that any development office would be able to cover its entire prospect pool with signed authorizations in order to minimize the operational impact of HIPAA.
For a development office, a good starting point for compliance with the privacy rule is careful identification of those aspects of office practice that traffic in patient health information. Because fund-raisers routinely target grateful patients, HIPAA addresses most written and spoken communication used by a hospital development office, as well as information storage and utilization practices.
Once the routes and repositories of patient information have been traced, new practices can be outlined. Outlines then can be refined into formal action plans using the resources of institutional privacy officers and retained counsel. But because privacy officers may not be knowledgeable about the intricacies of development office operations, it makes sense for development staff to take an active part in identifying the risks and crafting the compliance plan.
The most obvious change likely to take place after April 14 is the simple access, analysis and exchange of prospect information. Letters, e-mails and conversations about hospital patients must become HIPAA-compliant. The changes in office culture will probably be significant. Fund-raisers and doctors will have to acquire a new method of communication on these issues. Development offices will have to take the lead in educating physicians on privacy while emphasizing the theme of mutual dependence in carrying out the institution's mission.
After April 14, incoming hospital patients should receive an institutional notice of privacy practices including an option for the patient to opt out of fund raising. HIPAA will require that many written correspondences sent by the development office also include an opt-out provision. The names of individuals who opt out must be collected and administered in order to ensure that their fund-raising preferences are respected.
In order to track opt-outs effectively the process should be centralized, most likely under the auspices of the development office, which may have increased responsibility within healthcare institutions. Independent fund raising by doctors may be curtailed.
Perhaps the most onerous aspect of HIPAA compliance is the problem of computer and paper archives. Most hospital development office archives contain some amount of patient information because they were created before HIPAA was a concern. Hospital risk managers may be averse to allowing fund-raisers to keep and access old files that contain patient information. Privacy officers may wish to segregate files created before and after April 14 and limit access to the older files that contain identifiable patient health information. With these concerns in mind, and with HIPAA compliance budgets widely available, 2003 may be the year for development offices to explore advanced archive technology and "paperless offices."
While HIPAA compliance presents serious challenges to many development offices, it may also serve to empower fund-raisers. Changes in many institutions will re-establish development as a centralized resource and a standard bearer for the institutionwide compliance plan invoked to meet this new regulation.
Christopher Cloud, a former litigation attorney, served as the Director of Fundraising Programs at the joint development office of New-York Presbyterian Hospital and Weill Cornell Medical College and was instrumental in establishing its fundraising compliance with the Privacy Rule. He has since become Vice President for College Advancement at a New York-area college. He can be reached at chcloud@gmail.com. This article reflects the author's opinions only and is not intended to serve as legal counsel.
Update notes from February 2005: Since this article was published we've seen a complaint-driven enforcement policy pursued by the Office of Civil Rights. Like the aftermath of Y2K, the excitement and press-worthiness of HIPAA died down quickly after April 14, 2003. After reporting on the potential impact of HIPAA in January 2000, The NonProfit Times waited half a decade until January 2005 for a follow up (here's the 1/'05 article by Bob Ford.)
In June, 2004 I was invited by the Greater New York Hospital Association to testify in Washington before the National Committee on Vital and Health Statistics' Subcommittee on Privacy and Confidentiality. The hearings were convened on July 14 and 15 to address issues of fundraising, marketing, and press relations under HIPAA. The NCVHS is the official advisory body to the Department of Health Human Services. It is the NCVHS's role to make recommendations to HHS about changes to the HIPAA privacy regulations. Through the hearings the NCVHS seemed to want to test the water about how institutions had fared in their Privacy Rule compliance efforts. In the event, I declined the invitation to testify. In the present environment, when few people are really sure where enforcement energies will be devoted, our institutional attorneys felt it might not be wise to affirmatively offer an outline of our best efforts at HIPAA compliance.
Here is the letter from John R. Lumpkin, MD, Chair of the National Committee, to Tommy Thompson that followed the hearings. A recommendation in the letter is that DHSS allow healthacare fundraisers to use information related to patients' department of service for fundraising activities without the requirement to secure a patient’s authorization. As of this writing there is no outcome from DHSS, but a relaxation in the rules allowing multi-treatment medical centers to know the medical department where a patient recieved care would help even the impact of the rule. For example, regardless of HIPAA, a cancer care facility knows by virtue of the limited scope of the treatment it offers that all its patients are cancer patients. But a medical center that treats cancer and fifty other kinds of maladies doesn't know for fundraising which percentage of patients are cancer patients.
Unlike Y2K, which came and promptly went, the hearings episode demonstrated to me that HIPAA remains a lingering concern in the minds of institutional lawyers. The enforcement picture hasn't fully taken shape and inequities in how the Privacy Rule impacts different institutions are still being examined. There remains an uneven field of understanding about the Privacy Rule and its intended reach. One typical problem has been a tendency for underinformed medical employees to simply lock up about providing any information because of undifferentiated concern about HIPAA.
Following are some recurring issues I encountered since April of 2003. These are not presented as legal advice, but come from my personal observations and opinions while trying to make a compliance plan work without stripping the effectiveness of our fundraising organization.
The critical importance of Opt Out Language - In the present enforcement environment a complaint sent to the Office of Civil Rights is the most likely impetus to cause healthcare providers trouble, so the importance of keeping vigilant about opt-out language seems to be a cardinal consideration. Development professionals at healthcare organizations are allowed to know patient status and demographic information, but if they send a fundraising letter to a patient without opt-out language, and the recipient perceives that he or she was targeted based on the treatment particulars of a healthcare encounter, then you have a scenario that could generate a complaint to OCR. In this scenario the complaint would likely be premised on the physical evidence of a non-HIPAA-compliant letter, so you could start the investigation process from a bad position.
Adopt a philisophy that allows fundraisiers to use Patient Histories, but not Treatment Histories -To maximize what you can do under the Privacy Rule while avoiding what you cannot do compliance professionals should comprehend the critical distinction between a patient history and a treatment history. By "patient history," I mean the bare demographic fact that a person was a patient at your medical office, whereas by "treatment history" I mean the medical reason why the person was a patient. Under HIPAA fundraisers can know patient history, including demographic attributes, but not treatment history (unless you get a signed authorization first). In order to keep from crippling your fundraising organization you need retain the use of patient history as a resource while keeping treatment history out of the hands of fundraisers (again, absent a signed authorization).
Physicians who are acting as fundraisers should abide by the same restrictions. For instance, a practitioner in a discrete medical area might be able to ask a receptive patient about interest in a general institutional fundraising effort, but (absent a signed authorization) he or she could not ask the patient to support that doctor's medical area or mail an appeal to his or her discrete patient population for the same purpose. To ask a patient to support the institution generally is to do so because he or she is a patient at the institution (meaning "patient" in a generic sense, as opposed to "a patient being treated for neuromuscular disorder"). A general, institutional fundraising approach based on patient status is different than an approach based on treatment status. You don’t want a cardiology specialist asking a cardiology patient to support our cardiology program based on knowledge of a treatment history in cardiology.
There are better alternatives to explore, for instance:
1) The doctor is a physician in a general medical area, like emergency medicine, so the demographic patient roster from that area should not reflect the nature of treatment.
2) The doctor in a discrete medical area asks the Office of Development to provide a list of past donors to that medical area and mails an appeal to those past donors (who have been included based on fundraising, info, not treatment info).
At the end of the day you want to protect against the risk of a complaint to OCR from a patient who has reason to think you asked for money based on knowledge of his or her treatment history. If the patient recieved a fundraising outreach based on fundraising history, or a generic patient history at your institution, you can likely explain that the outreach does not stem from knowledge of treatment particulars.
Keep an eye on year-end appeals: After we weathered initial compliance in April last year, the first HIPAA event that caused heightened concern was near the close of 2003 when there was worry that physicians would resume their time-tested pattern of producing departmentally based mail campaigns targeted to their patients. We had reason to worry that in a large organization some doctors would fail to understand the prohibition against targeted fundraising. Even where doctors understood that all of our fundaising mailings must be based on treatment-neutral criteria, there was concern that through the inertia of their previous mailing practice they would omit opt-out language. There was a further concern that with a miasma of worry about HIPAA in the air doctors would be disinclined to seek the counsel of the Privacy Officers or Development Office because of concerns about inconsistent advice or worry about revealing a departmental fundraising drive that might have become forbidden. Without help from the Privacy Officers the doctors couldn't cross reference their mailing list against our institutional opt out list. Without checking the opt out list, even if they did everything else correctly, the doctors risked sending a fundraising letter to someone who had formally opted out.
We eventually had the President of the Hospital and the Dean of the Medical College write a joint letter to the physicians underscoring the risks and setting out prohibitions. The letter included a requirement that all fundraising outreach be cleared through Development, which in turn worked closely with the Privacy Officers. We established a protocol for that clearance process and painted our operations division as the "bad guys" while allowing the line fundraisers (who required the docs ongoing cooperation) to stay mostly out of the enforcement picture.
Create and distribute clarifying communications - To foster better understanding of HIPAA we also created a special publication to educate doctors and other staff (within the handy and readable format of three panels) about the principal impacts of HIPAA on healthcare fundraising. This was a great help for gifts officers who could often avoid a prosecutorial grilling by handing the interested doctors one of the brochures to study. In order to retain our good relationship with doctors we also created special, point-of-service brochures for departments to use to make up some of the lost departmental funding caused by a HIPAA-driven shift to centralized, institutional fundraising. The brochures, paid for out of the Development Office budget, helped show support for the medical departments. It is a plan that helps communicate our message and encourages constructive self selection by potential philanthropic supporters.
C.Cloud - January 2, 2006.
