Comment: Many comments objected to the requirement that an authorization from the individual be obtained for use and disclosure of protected health information for fundraising purposes. They argued that, in the case of not-for-profit health care providers, having to obtain authorization would be time consuming and costly, and that such a requirement would lead to a decrease in charitable giving. The commenters also urged that fundraising be included within the definition of health care operations. Numerous commenters suggested that they did not need unfettered access to patient information in order to carry out their fundraising campaigns. They stated that a limited data set restricted to name, address, and telephone number would be sufficient to meet their needs. Several commenters suggested that we create a voluntary opt-out provision so people can avoid solicitations.
Response: We agree with commenters that our proposal could have adversely affected charitable giving, and accordingly make several modifications to the proposal. First, the final rule allows a covered entity to use or disclose to a business associate protected health information without authorization to identify individuals for fundraising for its own benefit. Permissible fundraising activities include appeals for money, sponsorship of events, etc. They do not include royalties or remittances for the sale of products of third parties (except auctions, rummage sales, etc.).
Second, the final rule allows a covered entity to disclose protected health information without authorization to an institutionally related foundation that has as its mission to benefit the covered entity. This special provision is necessary to accommodate tax code provisions which may not allow such foundations to be business associates of their associated covered entity.
We also agree that broad access to protected health information is unnecessary for fundraising and unnecessarily intrudes on individual privacy. The final rule limits protected health information to be used or disclosed for fundraising to demographic information and the date that treatment occurred. Demographic information is not defined in the rule, but will generally include in this context name, address and other contact information, age, gender, and insurance status. The term does not include any information about the illness or treatment.
We also agree that a voluntary opt-out is an appropriate protection, and require in § 164.520 that covered entities provide information on their fundraising activities in their "Notice of Information Practices." As part of the notice and in any fundraising materials, covered entities must provide information explaining how individuals may opt out of fundraising communications.
Comment: Some commenters stated that use and disclosure of protected health information for fundraising without authorization should be limited to not-for-profit entities. They suggested that not-for-profit entities were in greater need of charitable contributions and as such, they should be exempt from the authorization requirement while for-profit organizations should have to comply with the requirement.
Response: We do not agree that the profit status of a covered entity should determine its allowable use of protected health information for fundraising. Many for-profit entities provide the same services and have similar missions to not-for-profit entities. Therefore, the final rule does not make this distinction.
Comment: Several commenters suggested that the final rule should allow the internal use of protected health information for fundraising, without authorization, but not disclosure for fundraising. These commenters suggested that by limiting access to protected health information to only internal development offices, concerns about misuse would be reduced.
Response: We do not agree. A number of commenters noted that they have related charitable foundations that raise funds for the covered entity, and we permit disclosures to such foundations to ensure that this rule does not interfere with charitable giving.
Comment: Several commenters asked us to address the content of fundraising letters. They pointed out that disease or condition-specific letters requesting contributions, if opened by the wrong person, could reveal personal information about the intended recipient.
Response: We agree that such communications raise privacy concerns. In the final rule, we limit the information that can be used or disclosed for fundraising, and exclude information about diagnosis, nature of services, or treatment.