Educational Fundraising Whitepapers

HIPAA Summary
January 2007

What: Mandatory compliance with the “Health Insurance Portability and Accountability Act” (HIPAA) law revision of 2002
Who: Every health-related nonprofit organization
When: Action should be taken immediately

For more information, please visit http://www.the-dma.org/privacy/hipaafaqs.shtml.

I. HIPAA COMPLIANCE
“HIPAA” is the abbreviation for the “Health Insurance Portability and Accountability Act.” In August 2002, the U.S. Department of Health and Human Services revised the December 2000 rule that implements the privacy provisions of HIPAA. With limited exceptions, health organizations must receive written, explicit authorization from an individual to use or disclose protected health information for marketing or fundraising.

Under HIPAA, health organizations must obtain written permission from individuals--by way of a signed authorization form--before they use or share health-related information for marketing and certain other purposes. An authorization form documents the patient’s permission to allow use or disclosure of their protected health information for purposes other than treatment, payment or health care operations. Health care operations include (but are not limited to):
• Certain fundraising activities for the covered entity's own benefit
• Quality assessment and improvement activities
• Business planning, development and management activities
• Evaluating health care professionals and plans
• Training health care professionals

Health organizations may not withhold treatment, enrollment in a health plan, benefits eligibility, or payment as a means of obtaining patient authorization. Authorization forms are a specific and comprehensive type of written permission that should be written in plain language.

II. WHAT CAN I DO TO ENSURE MY ORGANIZATION IS COMPLIANT?
Use the following checklist when creating a HIPAA-compliant authorization form. The authorization form is a physical document that must be signed by the patient, and one signed form covers both online (email) and offline (mail) fundraising communications. Make sure your NPO’s legal team approves the authorization form before it is published.

Authorization Form Checklist:

- A specific and meaningful description of the information to be used or disclosed
- The name or other specific identification of the person(s) or class of persons authorized to make the requested use or disclosure
- The name or other specific identification of the person(s) or class of persons to whom the covered entity may disclose the information
- The purpose of the requested use or disclosure
- An expiration date or expiration event
- A statement of the individual's right to revoke the authorization in writing, any exceptions to that right, and how the individual may exercise it (an individual may revoke an authorization at any time, but the revocation must be submitted in writing, not by email)
- A statement that information used or disclosed under the authorization may be redisclosed by the recipient and would then no longer be protected by the HIPAA Privacy Rule
- A statement that the covered entity will not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization
- The signature of the individual and the date, signed physically rather than electronically; if a personal representative signs on the individual's behalf, a description of the representative's authority to act for the individual

III. FAQ
Q: Who in my organization should I contact to learn which supporters have signed the HIPAA authorization form?
A: Your organization’s recordkeeping department is a good resource for learning more about which supporters have signed an authorization form.

Q: What should I do if our health-related organization would like to send a fundraising email to supporters?
A: First, check with your organization’s legal counsel regarding HIPAA compliance. Then, check with your organization’s recordkeeping department to confirm which supporters have a signed authorization form on file; only those supporters should receive the email.

Q: Can I receive patient authorization via email under HIPAA?
A: No, authorization must be provided by the patient via a physical, signed document (not electronically).


While it is ultimately each NPO’s responsibility to comply with all applicable laws, your Papilia Client Services Manager will follow up with you (if your NPO is health-related) regarding your NPO’s compliance with HIPAA. We recommend contacting your NPO’s legal team for further direction. If you have any questions in the meantime, please do not hesitate to contact us.