HIPAA for fundraising purposes

by | Feb 3, 2010

If required for fundraising purposes, a covered entity may disclose only two types of PHI to a business associate or institutionally related foundation without specific permission: basic demographic information relating to an individual, and the dates of health care provided to that individual.

Although the regulations do not clarify what constitutes demographic information, DHHS has indicated that it “generally include[s] in this context name, address and other contact information, age, gender and insurance status.” It specifically excludes “any information about the illness or treatment” including any information about “diagnosis [or] nature of services.” DHHS has also been clear that the limitations apply to internal uses (solely within the covered entity) as well as “external” disclosures to business associates or institutionally related foundations. “Broad access to [PHI] is unnecessary for fundraising and unnecessarily intrudes on the privacy of the patient.”

HIPAA likewise does not offer any explicit definition of fundraising. The only reference available is DHHS’s commentary that it is an activity “for the specific purpose of raising funds” for the institution, rather than a general charitable purpose.

Similarly, an “institutionally related foundation” is defined as one qualified under the tax code (e.g., 501(c)3) that has an “explicit linkage” to the covered entity, or to a group of organizations of which the covered entity is one. “The term does not include an organization with a general charitable purpose, such as to support research about or to provide treatment for certain diseases” even if some of its resources may be given to the covered entity.

The provision for institutionally-related foundations was included because of tax code provisions that may not allow such foundations to be considered business associates. Note that the tax status of the covered entity — viz., for-profit vs. not-for-profit — does not affect the application of any of these rules.
