    HIPAA Privacy Regulations: Other Requirements Relating to Uses and Disclosures of PHI: Fundraising - § 164.514(f)

    As Contained in the HHS HIPAA Privacy Rules

     

    HHS Regulations as Amended January 2013
    Other Requirements Relating to Uses and Disclosures of PHI: Fundraising - § 164.514(f)

     

    (f) Fundraising communications—(1) Standard: Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of §164.508:

    (i) Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth;

    (ii) Dates of health care provided to an individual;

    (iii) Department of service information;

    (iv) Treating physician;

    (v) Outcome information; and

    (vi) Health insurance status.

    (2) Implementation specifications: Fundraising requirements. (i) A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by §164.520(b)(1)(iii)(A) is included in the covered entity's notice of privacy practices.

    (ii) With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost.

    (iii) A covered entity may not condition treatment or payment on the individual's choice with respect to the receipt of fundraising communications.

    (iv) A covered entity may not make fundraising communications to an individual under this paragraph where the individual has elected not to receive such communications under paragraph (f)(2)(ii) of this section.

    (v) A covered entity may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications.

     

    HHS Description and Commentary From the January 2013 Amendments
    Other Requirements Relating to Uses and Disclosures of PHI: Fundraising

     

    Proposed Rule

    Section 164.514(f)(1) of the Privacy Rule permits a covered entity to use, or disclose to a business associate or an institutionally related foundation, the following protected health information about an individual for the covered entity’s fundraising from that individual without the individual’s authorization: (1) demographic information relating to an individual; and (2) the dates of health care provided to an individual.

    Section 164.514(f)(2) of the Privacy Rule requires a covered entity that plans to use or disclose protected health information for fundraising under this paragraph to inform individuals in its notice of privacy practices that it may contact them to raise funds for the covered entity. In addition, § 164.514(f)(2) requires that a covered entity include in any fundraising materials it sends to an individual a description of how the individual may opt out of receiving future fundraising communications and that a covered entity must make reasonable efforts to ensure that individuals who do opt out are not sent future fundraising communications.

    Section 13406(b) of the HITECH Act requires the Secretary to provide by rule that a covered entity provide the recipient of any fundraising communication with a clear and conspicuous opportunity to opt out of receiving any further fundraising communications. Additionally, section 13406(b) states that if an individual does opt out of receiving further fundraising communications, the individual’s choice to opt out must be treated as a revocation of authorization under § 164.508 of the Privacy Rule.

    In the NPRM, we proposed a number of changes to the Privacy Rule’s fundraising requirements to implement the statutory provisions. First, we proposed to strengthen the opt out by requiring that a covered entity provide, with each fundraising communication sent to an individual under these provisions, a clear and conspicuous opportunity for the individual to elect not to receive further fundraising communications. To satisfy this requirement, we also proposed to require that the method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than nominal cost. We encouraged covered entities to consider the use of a toll-free phone number, an e-mail address, or similar opt out mechanism that would provide individuals with a simple, quick, and inexpensive way to opt out of receiving future communications. We noted that we considered requiring individuals to write a letter to opt out to constitute an undue burden on the individual.

    We also proposed to provide that a covered entity may not condition treatment or payment on an individual’s choice with respect to receiving fundraising communications.

    We believed this modification would implement the language in section 13406(b) of the HITECH Act that provides that an election by an individual not to receive further fundraising communications shall be treated as a revocation of authorization under the Privacy Rule.

    Further, we proposed to provide that a covered entity may not send fundraising communications to an individual who has elected not to receive such communications.

    This would strengthen the current requirement at § 164.514(f)(2)(iii) that a covered entity make “reasonable efforts” to ensure that those individuals who have opted out of receiving fundraising communications are not sent such communications. The NPRM proposed stronger language to make clear the expectation that covered entities abide by an individual’s decision not to receive fundraising communications, as well as to make the fundraising opt out operate more like a revocation of authorization, consistent with the statutory language and legislative history of section 13406(b) of the HITECH Act discussed above.

    With respect to the operation of the opt out, we requested comment regarding to what fundraising communications the opt out should apply (i.e., should the opt out apply to all future fundraising communications or should and can the opt out be structured in a way to apply only to the particular fundraising campaign described in the letter). We also requested comment on whether the Rule should allow a similar method, short of the individual signing an authorization, by which an individual who has previously opted out can put his or her name back on an institution’s fundraising list.

    We proposed to retain the requirement that a covered entity that intends to contact the individual to raise funds under these provisions include a statement to that effect in its notice of privacy practices. However, we proposed that the required statement also inform individuals that they have a right to opt out of receiving such communications.

    In addition to the above modifications, we requested public comment on the requirement at § 164.514(f)(1) which limits the information a covered entity may use or disclose for fundraising to demographic information about and dates of health care service provided to an individual. Since the promulgation of the Privacy Rule, we acknowledged that certain covered entities have raised concerns regarding this limitation, maintaining that the Privacy Rule’s prohibition on the use or disclosure of certain treatment information without an authorization, such as the department of service where care was received and outcomes information, impedes their ability to raise funds from often willing and grateful patients because they are unable to target their fundraising efforts and avoid inappropriate solicitations to individuals who may have had a bad treatment outcome. Such entities have argued that obtaining an individual’s authorization for fundraising as the individual enters or leaves the hospital for treatment is often impracticable or inappropriate.

    The proposed rule also discussed the fact that the National Committee on Vital and Health Statistics held a hearing and heard public testimony on this issue in July 2004 and recommended to the Secretary that the Privacy Rule should allow covered entities to use or disclose information related to the patient’s department of service (broad designations, such as surgery or oncology, but not narrower designations or information relating to diagnosis or treating physician) for fundraising activities without patient authorization. The National Committee on Vital and Health Statistics also recommended that a covered entity’s notice of privacy practices inform patients that their department of service information may be used in fundraising, and that patients should be afforded the opportunity to opt out of the use of their department of service information for fundraising or all fundraising contacts altogether. See http://www.ncvhs.hhs.gov/040902lt1.htm.

    In light of these concerns and the prior recommendation of the National Committee on Vital and Health Statistics, we asked for public comment on whether and how the current restriction on what information may be used and disclosed should be modified to allow covered entities to more effectively target fundraising and avoid inappropriate solicitations to individuals, as well as to reduce the need to send solicitations to all patients. In particular, we solicited comment on: (1) whether the Privacy Rule should allow additional categories of protected health information to be used or disclosed for fundraising, such as department of service or similar information, and if so, what those categories should be; (2) the adequacy of the minimum necessary standard to appropriately limit the amount of protected health information that may be used or disclosed for fundraising purposes; or (3) whether the current limitation should remain unchanged. We also solicited comment on whether, if additional information is permitted to be used or disclosed for fundraising absent an authorization, covered entities should be required to provide individuals with an opportunity to opt out of receiving any fundraising communications before making the first fundraising solicitation, in addition to the opportunity to opt out with every subsequent communication. We invited public comment on whether such a pre-solicitation opt out would be workable for covered entities and individuals and what mechanisms could be put into place to implement the requirement.

    Overview of Public Comments

    In general, the public comments received in response to the NPRM were supportive of the proposed modifications but many asked that the final rule give covered entities flexibility with respect to operationalizing these requirements. Several commenters provided examples of routine communications and expressed the need for guidance and clarification about what constitutes a fundraising communication.

    Generally, most commenters supported the NPRM’s proposed requirement that the method through which the covered entity permits individuals to opt out of receiving future fundraising communications not cause individuals to incur an undue burden or more than a nominal cost. Many commenters stated that the final rule should give covered entities the flexibility to determine which opt out methods will work best given their circumstances, instead of requiring all covered entities to employ specific opt out methods. These commenters noted that depending on the size of the covered entity and type of population it serves, certain opt out methods might not be feasible, such as one that requires the establishment of a toll-free number, which may be cost prohibitive for some small entities. Similarly, some commenters noted that because not all individuals have access to a computer and the internet, providing individuals with the opportunity to opt out via e-mail alone may not be sufficient.

    With respect to the scope of the opt out, the commenters were generally split on whether the opt out should apply to communications related to a specific fundraising campaign or to all future fundraising communications. The commenters in support of applying the opt out to a specific fundraising campaign stated that it would be too difficult for individuals to make a meaningful decision about whether they wanted to opt out of all future fundraising communications, and allowing individuals to opt out of all future fundraising communications would greatly hinder a covered entity’s ability to raise funds. Those commenters in favor of implementing an all or nothing opt out stated that it would be too difficult for covered entities, especially large facilities, to track campaign-specific opt outs for each individual, so applying the opt out universally would make it much easier for covered entities to implement. Other commenters asked that the final rule take a flexible approach and permit covered entities to decide the scope of the opt out, while others stated that the final rule should require covered entities to include both opt out options on each fundraising communication leaving the decision to individuals.

    Additionally, while most commenters supported the prohibition on conditioning treatment or payment on an individual’s choice regarding the receipt of fundraising communications, most commenters opposed the NPRM’s proposal that prohibited covered entities from sending future fundraising communications to those individuals who had opted out and stated that it was too strict. The majority of these commenters suggested that the final rule retain the Privacy Rule’s original “reasonable efforts” language and stated that while covered entities have every incentive not to send fundraising communications to those individuals who have opted out of receiving them, it is very difficult for covered entities to ensure 100 percent accuracy with this policy.

    Several commenters stated that there are lag times between the period of time in which a fundraising mailing list is compiled and the time in which a fundraising communication is sent out, so if an individual has opted out during the interim time period, covered entities may not be able to prevent the prepared fundraising communication from being sent. Other commenters stated that it may be difficult to implement an opt out across all records belonging to that individual where complications, such as name changes and variation, address changes, and multiple addresses are involved. For those individuals who have opted out of receiving fundraising communications, commenters generally supported allowing those individuals to opt back in to receiving such communications. Some suggested that individuals be able to opt back in using the same methods they used to opt out, while others suggested that any communication indicating a willingness to resume receiving fundraising communications, such as making a donation to the covered entity, should function as an opt in. Other commenters suggested that the final rule limit the amount of time that an individual can opt out, such that after this period of time the individual automatically begins receiving fundraising communications again. A few commenters were opposed to permitting individuals to opt back in to receive fundraising communications, stating that this would be too costly and burdensome for covered entities to track.

    With respect to the requests for public comments regarding the potential use or disclosure of additional protected health information to provide more targeted fundraising communications, the vast majority of commenters supported allowing the use or disclosure of additional protected health information for fundraising. These commenters stated that the use of additional protected health information would streamline their fundraising efforts and ensure that individuals were sent communications about campaigns that would be meaningful to their experiences. These commenters also stated that it would eliminate the concern of sending a communication to an individual or family that suffered a negative outcome. Commenters suggested several categories of protected health information that covered entities should be able to use to target their fundraising efforts, including department or site of service, generic area of treatment, department where last seen, outcome information, treating physician, diagnosis, whether the individual was a pediatric or adult patient, medical record number, Social Security number, or other unique identifier, and any other information that reflects the fact that the individual was served by the covered entity.

    With respect to the minimum necessary standard, a few commenters supported its use to limit any additional categories of protected health information that can be used to target a covered entity’s fundraising efforts. These commenters supported the use of the standard because of how familiar and comfortable most covered entities are at applying the minimum necessary standard. However, another commenter was opposed to the use of the minimum necessary standard, stating that it is not uniformly applied across covered entities.

    Despite the general support for the use of additional protected health information, a small minority of commenters opposed allowing the use of additional protected health information to target fundraising efforts, citing privacy concerns with doing so. One commenter opposed expanding the information that could be used for fundraising in cases where outside fundraising entities are used, including those with whom the covered entity has executed business associate agreements.

    All commenters were opposed to requiring covered entities to provide a pre-solicitation opt out to individuals and stated that permitting individuals to opt out in the first fundraising communication is sufficient. Several commenters noted that the proposed revision to the notice of privacy practices to require a covered entity to inform individuals of their right to opt out of receiving fundraising communications effectively functions as a pre-solicitation opt out, so individuals who wish to opt out of receiving such communications immediately can do so upon receipt of the notice.

    Final Rule

    We generally adopt the proposals in the final rule, as well as allow certain additional types of protected health information to be used or disclosed for fundraising purposes.

    With respect to the commenters who expressed confusion over what constitutes a fundraising communication, we emphasize that the final rule does nothing to modify the types of communications that are currently considered to be for fundraising purposes. A communication to an individual that is made by a covered entity, an institutionally related foundation, or a business associate on behalf of the covered entity for the purpose of raising funds for the covered entity is a fundraising communication for purposes of § 164.514(f). The Department has stated that “[p]ermissible fundraising activities include appeals for money, sponsorship of events, etc. They do not include royalties or remittances for the sale of products of third parties (except auctions, rummage sales, etc.).” See 65 FR 82718. Additionally, the Privacy Rule has always required that such communications contain a description of how the individual may opt out of receiving further fundraising communications (§ 164.514(f)(2)(ii)).

    With respect to the proposed requirement that the method for an individual to elect not to receive further fundraising communications should not cause the individual to incur an undue burden or more than a nominal cost, we generally agree with the commenters who suggested that the final rule be flexible and not prescriptive. Under the final rule, covered entities are free to decide what methods individuals can use to opt out of receiving further fundraising communications, as long as the chosen methods do not impose an undue burden or more than a nominal cost on individuals. Covered entities should consider the use of a toll-free phone number, an e-mail address, or similar opt out mechanisms that provide individuals with simple, quick, and inexpensive ways to opt out of receiving further fundraising communications. Covered entities may employ multiple opt out methods, allowing individuals to determine which opt out method is the simplest and most convenient for them, or a single method that is reasonably accessible to all individuals wishing to opt out.

    In response to commenters who expressed concern about the cost of setting up a toll-free phone number, we clarify that covered entities may require individuals who wish to opt out of further fundraising communications to do so through other methods, (e.g., through the use of a local phone number), where appropriate, as long as the method or methods adopted do not impose an undue burden or cost on the individual. We encourage covered entities to consider the size of the population to which they are sending the communications, the geographic distribution, and any other factors that may help determine which opt out method(s) is most appropriate and least burdensome to individuals.

    We continue to consider requiring individuals to write and send a letter to the covered entity asking not to receive further fundraising communications to constitute an undue burden. However, requiring that individuals opt out of further fundraising communications by simply mailing a pre-printed, pre-paid postcard would not constitute an undue burden under the final rule and is an appropriate alternative to the use of a phone number or e-mail address.

    Regarding the scope of the opt out, the commenters were split on whether the opt out should apply to all future fundraising communications or to a specific fundraising campaign. The final rule leaves the scope of the opt out to the discretion of covered entities. For those covered entities that expressed concern about the ability to track campaign-specific opt outs, they have the discretion to apply the opt out to all future fundraising communications. Likewise, those covered entities that prefer, and have the ability to track, campaign-specific opt outs are free to apply the opt out to specific fundraising campaigns only. Covered entities are also free to provide individuals with the choice of opting out of all future fundraising communications or just campaign-specific communications. Whatever method is employed, the communication should clearly inform individuals of their options and any consequences of electing to opt out of further fundraising communications.

    Despite the commenters who did not support the strengthened language in the NPRM prohibiting covered entities from sending further fundraising communications to those individuals who have already opted out, the final rule adopts this provision without modification. While many commenters supported the current “reasonable efforts” standard and cited several reasons that may make it difficult to attain the proposed standard, we adopt the proposed standard because it is consistent with the statute and more protective of an individual’s right to elect not to receive further fundraising communications. For example, some commenters cited lag times between the creation of mailing lists and the receipt or update of opt out lists and difficulty in accurately identifying individuals on the fundraising lists due to name changes or variations and multiple addresses. These issues are common to the management of the medical or billing records and effectuating revocations of authorization, requests for access, and other general communications between the entity and the individual. We expect the same care and attention to the handling of protected health information in fundraising communications as is necessary for the proper handling of this information in all other health care operations performed by the covered entity. Covered entities voluntarily choosing to send fundraising communications to individuals must have data management systems and processes in place to timely track and flag those individuals who have opted out of receiving fundraising communications to ensure that they are not sent additional fundraising communications.

    The majority of commenters supported allowing a process for individuals who have opted out of receiving further fundraising communications to opt back in and the final rule at § 164.514(f)(2)(v) permits covered entities to have one. Like the discretion given to covered entities regarding the methods through which an individual can opt out, the final rule gives covered entities the discretion to determine how individuals should be able to opt back in. For example, a covered entity could include as a part of a routine newsletter sent to all patients a phone number individuals can call to be put on a fundraising list.

    While some commenters suggested that opt outs should be time limited such that an individual automatically opts back in after a certain period of time, we do not believe that an individual’s election not to receive further fundraising communications is something that should automatically lapse. Because the individual has actively chosen to opt out, only a similar active decision by the individual to opt back in will suffice.

    Additionally, where an individual who has opted out of fundraising communications makes a donation to a covered entity, it does not serve, absent a separate election to opt back in, to automatically add the individual back onto the mailing list for fundraising communications.

    The Privacy Rule currently permits covered entities to use or disclose only demographic information relating to the individual and dates of health care provided to the individual for fundraising communications. In response to several commenters who asked for clarification regarding the scope of demographic information, the final rule, at § 164.514(f)(1)(i), clarifies that demographic information relating to an individual includes names, addresses, other contact information, age, gender, and dates of birth. Although much of this information was listed in the preamble to the 2000 final rule (65 FR 82718) as being demographic information with respect to the fundraising provisions, we have added this information to the regulatory text for clarity.

    Additionally, we have included date of birth as demographic information, instead of merely age. We believe that date of birth may be useful to covered entities because they are more likely to maintain a record of an individual’s date of birth, rather than his or her static age. We also note that the 2000 preamble identifies insurance status as falling within the category of demographic information. The final rule continues to allow covered entities to use or disclose information about an individual’s health insurance status for fundraising purposes; however, we list this category of information separately in the regulatory text, as we do not believe this information truly constitutes demographic information. In addition to demographic information, health insurance status, and dates of health care provided to the individual (which is currently permitted under the Rule), this final rule also allows covered entities to use and disclose department of service information, treating physician information, and outcome information for fundraising purposes. These three categories of information were most frequently identified by commenters as the most needed for covered entities to further target fundraising communications to appropriate individuals.

    Although we do not define these terms, we clarify that department of service information includes information about the general department of treatment, such as cardiology, oncology, or pediatrics. Additionally, we clarify that outcome information includes information regarding the death of the patient or any sub-optimal result of treatment or services. In permitting its use for fundraising purposes, we intend for it to be used by the covered entity itself to screen and eliminate from fundraising solicitations those individuals experiencing a sub-optimum outcome, and for its disclosure to a business associate or institutionally related foundation only where such screening function is done by those parties. We also emphasize that as with any use or disclosure under the Privacy Rule, a covered entity must apply the minimum necessary standard at § 164.502(b) to ensure that only the minimum amount of protected health information necessary to accomplish the intended purpose is used or disclosed.

    We adopt in the final rule the provision prohibiting the conditioning of treatment or payment on an individual’s choice with respect to the receipt of fundraising communications. We also adopt at § 164.520(b)(1)(iii)(A) the requirement that the notice of privacy practices inform individuals that a covered entity may contact them to raise funds for the covered entity and an individual has a right to opt out of receiving such communications. The final rule does not require covered entities to send pre-solicitation opt outs to individuals prior to the first fundraising communication. We believe that because the individual will be on notice of the opportunity to opt out of receiving fundraising communications through the notice of privacy practices and the first fundraising communication itself will contain a clear and conspicuous opportunity to opt out, there is no need to require covered entities to incur the additional burden and cost of sending pre-solicitation opt outs.

    Under the Privacy Rule fundraising communications can take many forms, including communications made over the phone. Despite the fact that the HITECH Act refers only to written fundraising communications, because the Privacy Rule applies to communications made over the phone, we believe it would be counterintuitive to apply the strengthened opt out requirement to only written fundraising communications.

    Therefore, like fundraising communications made in writing, covered entities that make fundraising communications over the phone must clearly inform individuals that they have a right to opt out of further solicitations. Accordingly, to make clear that the opt out requirement applies to fundraising solicitations made over the phone, the final rule provides that the opt out requirement applies to each fundraising communication “made” rather than “sent” to an individual.

    We also emphasize that the notice and opt out requirements for fundraising communications apply only where the covered entity is using or disclosing protected health information to target the fundraising communication. If the covered entity does not use protected health information to send fundraising materials, then the notice and opt out requirements do not apply. For example, if a covered entity uses a public directory to mail fundraising communications to all residents in a particular geographic service area, the notice and opt out requirements are not applicable.

    Response to Other Public Comments

    Comment: A few commenters suggested that, to better protect an individual’s privacy, particularly where sensitive health information may be used to target solicitations, the final rule should require an opt in process rather than an opt out process for consenting to fundraising communications.

    Response: We decline to require an opt in process. The HITECH Act did not replace the right to opt out of fundraising communications with an opt in process.

    Further, we continue to believe that the opt out process, particularly as it has been strengthened by the HITECH Act and this final rule, provides individuals with appropriate control over the use of their information for these purposes.

    Comment: One commenter asked that if an individual opts out of receiving further fundraising communications through a mailed communication, must the covered entity also remove the individual’s name from the list through which the covered entity sends e-mail fundraising communications, or must the individual opt out of receiving such e-mail communications separately.

    Response: A covered entity may choose to provide individuals with the opportunity to select their preferred method for receiving fundraising communications. If an individual elects to opt out of future fundraising communications, then the opt out is effective for all forms of fundraising communications. Thus, the individual must be removed from all such lists.

     

    HHS Description From Original Rulemaking
    Other Requirements Relating to Uses and Disclosures of PHI: Fundraising

     

    We proposed in the NPRM to require covered entities to obtain authorization from an individual in order to use the individual’s protected health information for fundraising activities.

    As noted in § 164.501, in the final rule we define fundraising on behalf of a covered entity to be a health care operation. In § 164.514, we permit a covered entity to use protected health information without individual authorization for fundraising on behalf of itself, provided that it limits the information that it uses to demographic information about the individual and the dates that it has provided service to the individual (see the § 164.501 discussion of “health care operations”). In addition, we require fundraising materials to explain how the individual may opt out of any further fundraising communications, and covered entities are required to honor such requests. We permit a covered entity to disclose the limited protected health information to a business associate for fundraising on its own behalf. We also permit a covered entity to disclose the information to an institutionally related foundation.

    By “institutionally related foundation,” we mean a foundation that qualifies as a nonprofit charitable foundation under sec. 501(c)(3) of the Internal Revenue Code and that has in its charter statement of charitable purposes an explicit linkage to the covered entity. An institutionally related foundation may, as explicitly stated in its charter, support the covered entity as well as other covered entities or health care providers in its community. For example, a covered hospital may disclose for fundraising on its own behalf the specified protected health information to a nonprofit foundation established for the specific purpose of raising funds for the hospital or to a foundation that has as its mission the support of the members of a particular hospital chain that includes the covered hospital. The term does not include an organization with a general charitable purpose, such as to support research about or to provide treatment for certain diseases, that may give money to a covered entity, because its charitable purpose is not specific to the covered entity.

     

    HHS Response to Comments Received From the Original Rulemaking
    Other Requirements Relating to Uses and Disclosures of PHI: Fundraising

     

    Comment: Many comments objected to the requirement that an authorization from the individual be obtained for use and disclosure of protected health information for fundraising purposes. They argued that, in the case of not-for-profit health care providers, having to obtain authorization would be time consuming and costly, and that such a requirement would lead to a decrease in charitable giving. The commenters also urged that fundraising be included within the definition of health care operations. Numerous commenters suggested that they did not need unfettered access to patient information in order to carry out their fundraising campaigns. They stated that a limited data set restricted to name, address, and telephone number would be sufficient to meet their needs. Several commenters suggested that we create a voluntary opt-out provision so people can avoid solicitations.

    Response: We agree with commenters that our proposal could have adversely affected charitable giving, and accordingly make several modifications to the proposal. First, the final rule allows a covered entity to use or disclose to a business associate protected health information without authorization to identify individuals for fundraising for its own benefit. Permissible fundraising activities include appeals for money, sponsorship of events, etc. They do not include royalties or remittances for the sale of products of third parties (except auctions, rummage sales, etc.).

    Second, the final rule allows a covered entity to disclose protected health information without authorization to an institutionally related foundation that has as its mission to benefit the covered entity. This special provision is necessary to accommodate tax code provisions which may not allow such foundations to be business associates of their associated covered entity.

    We also agree that broad access to protected health information is unnecessary for fundraising and unnecessarily intrudes on individual privacy. The final rule limits protected health information to be used or disclosed for fundraising to demographic information and the date that treatment occurred. Demographic information is not defined in the rule, but will generally include in this context name, address and other contact information, age, gender, and insurance status. The term does not include any information about the illness or treatment.

    We also agree that a voluntary opt-out is an appropriate protection, and require in § 164.520 that covered entities provide information on their fundraising activities in their “Notice of Information Practices.” As part of the notice and in any fundraising materials, covered entities must provide information explaining how individuals may opt out of fundraising communications.

    Comment: Some commenters stated that use and disclosure of protected health information for fundraising, without authorization should be limited to not-for-profit entities. They suggested that not-for-profit entities were in greater need of charitable contributions and as such, they should be exempt from the authorization requirement while for-profit organizations should have to comply with the requirement.

    Response: We do not agree that the profit status of a covered entity should determine its allowable use of protected health information for fundraising. Many for-profit entities provide the same services and have similar missions to not-for-profit entities. Therefore, the final rule does not make this distinction.

    Comment: Several commenters suggested that the final rule should allow the internal use of protected health information for fundraising, without authorization, but not disclosure for fundraising. These commenters suggested that by limiting access of protected health information to only internal development offices concerns about misuse would be reduced.

    Response: We do not agree. A number of commenters noted that they have related charitable foundations that raise funds for the covered entity, and we permit disclosures to such foundations to ensure that this rule does not interfere with charitable giving.

    Comment: Several commenters asked us to address the content of fundraising letters. They pointed out that disease or condition-specific letters requesting contributions, if opened by the wrong person, could reveal personal information about the intended recipient.

    Response: We agree that such communications raise privacy concerns. In the final rule, we limit the information that can be used or disclosed for fundraising, and exclude information about diagnosis, nature of services, or treatment.