HIPAA Fundraising Fundamentals For Foundations


HIPAA Fundraising Fundamentals for Foundations
WHA's 2013 Prescription for Success: A Workshop for Hospital Foundations
August 13, 2013
Presented by: Monica C. Hocum, Esq. and Leia C. Olsen, Esq.

Agenda
- HIPAA Overview
- Key Dates under the Omnibus Final Rule
- Fundraising Fundamentals
- Other Key Changes under the Final Rule
- Compliance Strategies and Next Steps

HIPAA Overview
- Health Insurance Portability and Accountability Act of 1996
  – HIPAA was amended in 2009 by the Health Information Technology and Clinical Health Act ("HITECH")
  – In early 2013, the Final Rule implemented HITECH changes
- HIPAA was enacted due to:
  – Increase in electronic exchange of information
  – Perception that health information was insecure

Key Dates
- Key Dates of Final Rule:
  – January 25, 2013 – publication date
  – March 26, 2013 – effective date
  – September 23, 2013 – compliance date
  – September 22, 2014 – compliance date for grandfathered BAAs

HIPAA and State Law Pre-emption
- HIPAA establishes a minimum level of privacy for PHI but does not interfere with state laws that provide greater protection
- As such, if a state law is more stringent than HIPAA (i.e., more protective of the confidentiality of the individual's PHI or allows the individual greater control over PHI), the state law will apply

Key Terms – Protected Health Information ("PHI")
- PHI is information that:
  – Relates to:
    - The past, present or future physical or mental health or condition of an individual;
    - The provision of health care to an individual; or
    - The past, present or future payment for the provision of health care to an individual

Key Terms – Protected Health Information ("PHI") (cont'd)
- PHI is information that (cont'd):
  – Is created or received by a covered entity or a business associate that:
    - Identifies an individual, or
    - Contains enough detail to reasonably identify the individual
  – Is transmitted or maintained in any form or medium (including oral or written information)

PHI Exceptions
- PHI does not include:
  – Education records, including student health records, covered by federal education laws
  – Employment records held by a covered entity in its role as an employer
  – Information received from the individual for purposes other than health care (e.g., completion of an information card to participate in a fundraising event)
  – Information from sources outside the covered entity (e.g., commercial mailing lists)

Key Terms – De-identified Information
- De-identified information is not PHI
- A health care provider is permitted to use and disclose de-identified information without restriction
- De-identification requires removing 18 different categories of identifiers as they relate to the individual or the individual's relatives, employers or household members
- Often necessary when applying for grants or reporting on use of grant funds

Key Terms – Use and Disclosure of PHI
- Use means the utilization or sharing of PHI within the covered entity
- A disclosure is a transfer or sharing of PHI outside a covered entity

Fundraising Fundamentals

Fundraising – What is it?
- A communication made to an individual on behalf of a hospital* for the purpose of raising funds for the Hospital
- Examples:
  – Appeals for money
  – Requests for sponsorships of events
- Fundraising is NOT:
  – Royalties
  – Amounts paid related to sales of products to 3rd parties (except auctions, rummages, etc.)
* We use the term "hospital" generically to refer to all covered entities that may engage in fundraising activities.

Fundraising – Health Care Operations
- HIPAA allows hospitals to use and disclose PHI without an authorization for treatment, payment and health care operations
- The definition of "health care operations" includes fundraising for the benefit of the Hospital
- HIPAA sets limitations on the Hospital's use and disclosure of PHI for fundraising purposes

Fundraising – Minimum Necessary Standard
- Reasonable efforts must be taken to limit the use of PHI to the minimum necessary
- Applies to most internal uses of information, including fundraising

Fundraising – Implementing the Minimum Necessary Standard
- Requires:
  – A specific analysis of who needs access to information to perform their job duties
    - Even how information is filtered for fundraising must comply with limitations
  – Identification and implementation of reasonable safeguards to prevent others from having access to PHI

Fundraising – Foundations
- Three different foundation structures
  – Division or department of the Hospital
  – Institutionally-related foundation
    - Qualifies as a nonprofit charitable foundation under 501(c)(3)
    - Has in its charter a statement of charitable purposes and an explicit linkage to the Hospital for which it is fundraising
    - Can also have linkage to other hospitals in the community, but must limit use of a hospital's PHI to fundraising for that hospital
  – Business associate of the Hospital

Fundraising – Use and Disclosure of PHI
- The Final Rule expanded the categories of PHI that a hospital may use, or disclose to an institutionally-related foundation or business associate, for fundraising purposes:
  – Demographic information (includes name, address, contact information, age and gender)
  – Dates of service
  – Health insurance status (new)
  – Date of birth (new)
  – Department of service (new)
  – Treating physician (new)
  – Outcome information (new)

Fundraising – Use and Disclosure of PHI (cont'd)
- Special considerations:
  – Health insurance status – insured/not insured versus type of insurance
  – Department of service – NOT diagnosis
  – Outcome information – screening purposes only

Fundraising – Requirements
- PHI cannot be used for fundraising purposes unless specified in the Notice of Privacy Practices (NPP)
  – Opt out methods may be, but do not have to be, in the NPP
- Each fundraising communication must provide a clear and conspicuous opportunity for the individual to opt out of future fundraising communications
  – Includes oral fundraising efforts
- May provide individuals who have opted out with a way to opt back in to receiving fundraising communications
- Can always do more with a valid written authorization

Fundraising – Methods of Opting Out
- May provide multiple approaches for opting out, but methods may not impose an undue burden or cost on the individual
  – Permissible methods: requiring an individual to call a toll-free number, email, or mail a pre-printed, postage-paid postcard
  – Impermissible methods: requiring the individual to send a written letter
- Opt out may apply to all fundraising, or by campaign
  – Consider ability to implement campaign-specific opt outs
- Opt out cannot be form-specific (i.e., cannot opt out of telephone campaigns but not mail campaigns)
- Consider need for translation to other languages

Fundraising – Effects of an Opt Out
- An "opt out" is treated as a revocation of authorization to use or disclose the individual's PHI for fundraising purposes
  – Prior standard was "reasonable efforts" to honor opt outs
- Need to have a reliable method of tracking opt outs
- Need to have a way for the Hospital and Foundation to regularly communicate regarding fundraising opt outs
- Can only resume fundraising communications if the individual affirmatively opts back in to receiving fundraising communications (i.e., opt out cannot automatically lapse after a given time period)
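As an added illustration of the permitted-category filter from the two "Use and Disclosure of PHI" slides and the opt-out rules from the three slides above (example code, not from the presentation; the field names, patient ids and campaign names are assumed):

```python
from dataclasses import dataclass, field
from typing import Optional

# Categories the Final Rule permits for fundraising (the slide list above).
# Field names are assumed for illustration; "diagnosis" is deliberately absent.
PERMITTED = {"patient_id", "name", "address", "phone", "email", "age", "gender", "dates_of_service",
             "date_of_birth", "department", "treating_physician", "outcome"}

def minimum_necessary(record: dict) -> dict:
    """Keep only permitted fields; coarsen insurance to insured / not insured,
    since the type of coverage is not a permitted category."""
    out = {k: v for k, v in record.items() if k in PERMITTED}
    if "insurance_type" in record:
        out["insurance_status"] = "insured" if record["insurance_type"] else "not insured"
    return out

@dataclass
class OptOutRegistry:
    """An opt-out is a revocation: it never lapses and is cleared only by an affirmative
    opt-back-in. It is not channel-specific, so one check gates mail, phone and email."""
    all_fundraising: set = field(default_factory=set)  # patient ids
    by_campaign: dict = field(default_factory=dict)    # campaign -> patient ids

    def opt_out(self, patient_id: str, campaign: Optional[str] = None) -> None:
        if campaign is None:
            self.all_fundraising.add(patient_id)
        else:
            self.by_campaign.setdefault(campaign, set()).add(patient_id)

    def opt_back_in(self, patient_id: str) -> None:
        self.all_fundraising.discard(patient_id)
        for ids in self.by_campaign.values():
            ids.discard(patient_id)

    def may_contact(self, patient_id: str, campaign: str) -> bool:
        return (patient_id not in self.all_fundraising
                and patient_id not in self.by_campaign.get(campaign, set()))

def build_mailing_list(records: list, registry: OptOutRegistry, campaign: str) -> list:
    """Suppress opted-out individuals first, then apply the minimum-necessary filter."""
    return [minimum_necessary(r) for r in records
            if registry.may_contact(r["patient_id"], campaign)]

SAMPLE_RECORDS = [  # constructed sample data, not real patients
    {"patient_id": "P-001", "name": "A. Example", "department": "Cardiology",
     "diagnosis": "atrial fibrillation", "insurance_type": "Medicare"},
    {"patient_id": "P-002", "name": "B. Example", "department": "Oncology",
     "diagnosis": "breast cancer", "insurance_type": None},
]
```

The registry is shared state between Hospital and Foundation in this model; whichever side receives an opt-out records it here, and the mailing list is only ever built through `build_mailing_list`.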

Fundraising – Disclosure to Business Associates
- Under the Final Rule, PHI may only be disclosed for fundraising purposes to a business associate or an institutionally-related foundation
- Business associate is defined as a person who, on behalf of the Hospital, creates, receives, maintains, or transmits PHI
  – Includes business associate subcontractors
- Institutionally-related foundations are not considered business associates

Fundraising – Business Associate Agreements
- The Hospital must have a valid Business Associate Agreement (BAA) in place before disclosing PHI to a business associate for fundraising purposes
- If subcontractors are used, the Hospital is not required to have a direct BAA with the subcontractor – this is the primary business associate's obligation
- Both BAAs and subcontractor BAAs must be in writing

Fundraising – Business Associate Liability
- Business associates (and subcontractors) are now directly liable for compliance with HIPAA Privacy and Security Rules
- Violations can result in civil and criminal penalties being imposed on the business associate
- Hospitals may remain liable for business associate's actions per federal common rule of agency
- Institutionally-related foundation liability not addressed
  – Generally considered part of the Hospital for purposes of HIPAA compliance

Fundraising – BAA Timelines for Compliance
- BAAs must comply with Final Rule by September 23, 2013
- Compliant BAAs in place prior to January 25, 2013 will be grandfathered until September 22, 2014 or until agreement is renewed or modified, whichever comes earlier
  – "Evergreen" agreements remain eligible for grandfathering

Other Key Changes Under the Final Rule

2013 Final Rule Key Changes
- Marketing/Sale of PHI
- Research Authorizations
- Individual Rights to Access and Request Restrictions
- Decedents/Immunizations/Genetic Information
- Notice of Privacy Practices
- Breach Notification

Breach Notification – Definition of "Breach"
- "Breach" under original Interim Final Rule:
  – Acquisition, access, use, or disclosure of unsecured PHI not permitted by the Privacy Rule that poses significant risk of financial, reputational, or other harm to the individual based on risk assessment
- "Breach" under new Final Rule:
  – Acquisition, access, use, or disclosure of unsecured PHI not permitted by the Privacy Rule unless there is low probability the PHI has been compromised based on risk assessment
  – In other words, a Breach is presumed unless demonstrated otherwise

Breach Notification – Exclusions
- Excluded from the definition of a "Breach":
  – Within Scope of Authority
  – Inadvertent Disclosure
  – Unable to Retain
- Encryption still considered a "safe harbor"
- Limited data sets
  – Subject to risk assessment

Breach Notification – Risk Assessment
- Final Rule identifies four factors to consider:
  1. Nature and extent of PHI involved, including types of identifiers and likelihood of re-identification
  2. Unauthorized person who used PHI or to whom disclosure was made
  3. Whether PHI was actually acquired or viewed
  4. Extent to which risk to PHI has been mitigated
- Assess and document the four factors noted above and all other relevant factors

Breach Notification – Timing
- Required notifications must be made without unreasonable delay, but in no case later than 60 days after discovering the breach
- Breaches of unsecured PHI are treated as discovered as of the first day on which an employee, officer or other agent of the Hospital knew, or should reasonably have known, that a breach occurred

Breach Notification – Methods
- Methods of breach notification remain the same
  – Patients
  – Media (more than 500 affected individuals)
  – HHS/OCR
- March 1st deadline for reporting to HHS all small breaches (fewer than 500 affected individuals) that occur during the prior calendar year
- Still need to comply with state law obligations

Compliance Strategies and Next Steps
- Hospitals must review and update NPPs
- Consider opt out methods allowed by Hospital policy or NPPs
- Develop process for tracking opt outs and regular communication with Hospital
  – Track source of information (Hospital PHI, patient request, commercial list)
  – Be aware of perception that source of information is protected
- Consider need for and/or revise BAAs or Subcontractor BAAs
  – Make a list of all business associates and subcontractors
- Update policies – don't forget about security policies
  – Make sure consistent with practices, especially if following Hospital policies
- Train workforce members or participate in Hospital training

Fundraising – General Rule
- General Rule: If there is an opportunity to make a donation, it is fundraising
  – Newsletters – including fundraising appeals
  – Sponsored events with fundraising component
  – Events with active fundraising

QUESTIONS?
Leia C. Olsen, Esq.
414.271.0466
lolsen@hallrender.com
Monica C. Hocum, Esq.
414.721.0454
mhocum@hallrender.com
HEALTH LAW IS OUR BUSINESS.

