The HIPAA Omnibus Rule: Its Effect on Healthcare Fundraising

Since its adoption in 1996 and final publishing in 2003, substantive changes to Health Insurance and Portability and Accountability Act (HIPAA) have been few and far between…until now. On January 17th the U.S. Department of Health and Human Services (HHS) announced upcoming changes which will significantly enhance the security, privacy, and enforcement of the original program, while providing new thresholds for how patient’s Protected Health Information (PHI) can be used and disclosed for fundraising and marketing purposes. These are under the “Omnibus Rule” which will take effect on September 23, 2013. More information can be found here.

For Fundraisers, a few of the more significant changes are:

  • More stringent opt-out provisions – requiring covered entities to provide “clear and conspicuous” opportunity to opt out of further fundraising communications (Section 12306(b)).
    • Provide multiple channels for patients to opt out.
    • Once opted out, the entity must take “reasonable measures” to certify that no further fundraising communications are sent
  • Availability of additional Protected Health Information (PHI) data for the purpose of fundraising efforts, without patient authorization.  This information is in addition to the currently permitted data (Demographic data, dates of health care provided, and health insurance).  They include:
    • Department of Service – this can include “broad designations, such as cardiology, oncology, or pediatrics”
    • Outcome Information – this includes information regarding the “death or sub optimal result of treatment or services”.  It also assumes the covered entity removes those individuals receiving “sub-optimum” outcomes from fundraising solicitations.
    • Treating Physician
    • Exact Date of Birth (vs. Month/Year available now)

I am fortunate enough to work with hundreds of talented researchers, administrators, and executives at healthcare fundraising organizations across the country. Through these conversations I’ve realized that the use of this new information can be as diverse as the missions they support. Examples can be as basic as the development of creative letterheads (communication based on Department of Service) to the foundation of VIP Programs, using outcomes information to target patients with similar conditions.

For many, there seems to be a general interest to reassess the organizations ability to acquire, analyze, and segment this new information ahead of the September 23rd compliance date.  Has your organization developed a unique approach to capturing and leveraging this information? Please let us know in the comments.

Share this post