Is UW’s fundraising drive violating HIPAA by misusing PHI?

Jun 3, 2010

Although HIPAA is designed to protect PHI, it allows covered entities to use, or to disclose to a business associate or institution-related foundation, two types of protected health information (PHI) without specific permission: basic demographic information relating to an individual, and the dates of health care provided to an individual. Information about diagnosis or treatment is off-limits, but federal and state laws allow hospitals, in most cases, to use a patient’s name, address, contact information, dates of hospital service, gender, age and insurance status in fundraising efforts.

Despite being legal, the practice, widely used by other nonprofit hospitals here and across the country, has raised eyebrows before, mainly because people mistakenly lump health-care fundraising with those annoying commercial telemarketing calls that interrupt dinner, says William McGinly, president and CEO of the Association of Healthcare Philanthropy.

“It is a common misunderstanding,” he said. “Fundraising is a part of health-care operations.”

The UW’s fundraising drive, which began in April and ended early this month, ultimately raised nearly $28,000, but the way it used PHI has annoyed many. Finn, a 62-year-old retired CPA who lives on Queen Anne Hill and a one-time patient at the UW, was astounded when he got a call on his unlisted telephone number seeking a donation and the caller told him the information had come from patient records.

The callers were primarily students under contract to the UW and trained in HIPAA privacy rules. This year, about 150 former patients of the nearly 6,000 who were solicited opted out of having their names on the fundraising list, but when Finn tried, he found it wasn’t as easy as he thought it should be.

In frustration, he called the UW’s privacy office to complain, and finally, when he went to the hospital, he was almost certainly given a 16-page tome entitled “Joint Notice of Privacy Practices of UW Medicine and Certain Other Providers.”

The notice explains how a patient’s data may be used, and notes that phone solicitors don’t have access to “diagnosis or treatment information” and must agree to keep the information they do see confidential.

Finn said he was disturbed because HIPAA bars using patient information for commercial purposes.

“Excuse me, but raising millions of dollars to support UW — a commercial enterprise hiding behind a not-for-profit mask — certainly sounds like a bending of the rules to suit a purpose,” he said. “You just feel as though your privacy is being violated. … Just because HIPAA might allow UW to do this does not make it right.”
