When Federal Privacy Rules and Fundraising Desires Meet:
An Advisory on the Use of Protected Health Information in Fundraising Communications
©2014 Association of American Medical Colleges. May be reproduced and distributed with attribution. This document does not contain
legal advice. It was developed by the AAMC Compliance Officers’ Forum Privacy Workgroup. Issued April 2014.
6. Health insurance status, which is not defined in the Privacy Rule but is interpreted to mean whether the
patient is insured and the type of insurance.
In order to use or disclose Permitted Fundraising PHI for fundraising communications, a Covered Entity
must ensure that:
1. The Notice of Privacy Practices (NPP) contains a statement that a Covered Entity may contact
the patient to raise funds and the patient has a right to opt-out of receiving fundraising
communications;
2. Clear and conspicuous instructions are provided in all fundraising communications as to how the
recipient can opt-out. The opt-out method must not cause an undue burden or cost to the patient;
and
3. Processes are implemented to ensure it refrains from conditioning treatment or payment on a
patient’s choice regarding whether or not to receive fundraising communications.
Once these stipulations are met, a Covered Entity may use Permitted Fundraising PHI for fundraising
communications without further authorization from the patient.
PHI requiring Authorization or Specific Consents (sensitive PHI)
Due to additional federal and applicable state privacy/confidentiality statutes and/or regulations that apply to
certain types of services, a Covered Entity must consider potential additional restrictions to the use of Permitted
Fundraising PHI related to such services, i.e., department of service, name of treating physician and date of
service. It’s important to note that many states statutorily restrict release of information related to Mental
Illness or Developmental Disability, HIV/AIDS Testing or Treatment, Communicable Diseases, Sexually
Transmitted Infections, Abuse of an Adult with a Disability, Sexual Assault, Child Abuse and Neglect, Genetic
Testing, or Artificial Insemination without a valid consent signed by the patient in advance of use. Additionally,
psychotherapy notes as defined under the Privacy Rule and certain substance abuse treatment information,
including the fact that a patient received care, are protected under federal law and require explicit patient
authorization/consent for most uses. These types of highly sensitive medical information should be excluded
and made unavailable for any fundraising communication. A Covered Entity is advised to review the relevant
state/federal statutes and regulations, determine whether applicable federal and state regulations are more
restrictive and apply the more stringent standards to the Permitted Fundraising PHI prior to use or disclosure for
fundraising communications.
“Opt-out” requirements must be clear and conspicuous and not impose an undue burden
A Covered Entity must provide “clear and conspicuous opportunity” to the patient to opt-out of future
fundraising communications. If the patient opts out, it must be treated as a revocation of any prior
authorization for use or disclosure of PHI for fundraising communications.
The method for a patient to opt-out must not impose an undue burden or more than a nominal cost on the
patient. A Covered Entity should consider offering a toll-free number, an e-mail address, a web page, or
similar opt-out mechanisms that are simple, quick and low or no cost to the patient. Requiring a patient
to send a written letter opting out of fundraising communications would constitute an undue burden,
although including a pre-printed, pre-paid business reply postcard in a mailing or directing a patient to an
opt-out on a web page would be permitted.
42 CFR 2