HIPAA Policy-04

Scope

This policy applies to Indiana University (IU) fundraising personnel who perform any fundraising activities on behalf of a beneficiary covered healthcare component of the university that jointly benefits from such fundraising.

A. Use and Disclosure of Protected Health Information (PHI) for Fundraising (Without Authorization)

IU fundraising personnel, as a business associate to beneficiary covered healthcare components, may receive, use and disclose the following PHI without obtaining an individual’s authorization for the purpose of raising funds for the joint benefit of the IU Foundation and the beneficiary covered healthcare component:

• Basic demographic information relating to a patient (e.g. patient name, address and other contact information, age, gender, and date of birth);
• Dates of health care services provided to the patient;
• Department of service information;
• Treating physician or healthcare provider;
• Outcome information (e.g. which may include information regarding the death of the patient or any sub-optimal result of treatment or services); and
• Health insurance status.

B. Use and Disclosure of Protected Health Information (PHI) for (With Authorization)

Use of any other PHI for fundraising purposes shall require a prior written authorization from the patient. This includes clinical information relating to the patient's illness, diagnosis or treatment, as well as the patient medical record number.

In addition, an authorization shall be required prior to using PHI obtained from a beneficiary covered healthcare component for the fundraising activities of any other party.

IU fundraising personnel shall obtain a patient’s authorization where required by this policy and may rely on a beneficiary covered healthcare component’s assertion that they obtained the patient’s authorization.

IU fundraising personnel shall provide the beneficiary covered healthcare component and the individual with a copy of signed patient authorization forms that are obtained by IU fundraising personnel. The beneficiary covered healthcare component shall retain a copy of the signed authorization for a minimum of seven years following the date the authorization was signed.

C. General Requirements

IU Critical Health Data Areas may not conduct their own fundraising activities. Fundraising activities must be facilitated through an IU office, authorized to conduct fundraising at IU.

An executive from the beneficiary covered healthcare component must approve the request before any PHI may be released to IU fundraising personnel for fundraising purposes.

IU shall include a statement in the IU Notice of Privacy Practices that indicates that PHI may be used or disclosed for fundraising purposes.

IU fundraising personnel shall:

1. Provide individuals with simple, quick, and inexpensive ways to opt out of receiving further fundraising communications (e.g. a toll-free number, e-mail, pre-printed, pre-paid postcard response card, etc.)
2. Make the opt out instructions clear so that an individual understands whether they are opting out of all or certain types of future fundraising solicitations. This applies to written and phone solicitations.

The solicitation materials must include the following opt out language:

1. Language for opting out of all future solicitations: “Please check here if you no longer wish to receive any future solicitations regarding fundraising opportunities for the IU Foundation.”; or
2. Language for opting out of certain types of solicitations: “Please check here if you no longer wish to receive future solicitations for [Specify the Fundraising Campaign].”
3. Ensure that individuals who opt out of receiving future fundraising material are not sent such communications in the future.
4. Set up the fundraising campaign account name to reflect the parties who benefit from the campaign.

IU Fundraising Personnel shall not:

1. Require individuals to write letters to discontinue receiving fundraising communications or any other mechanism that places undue burden on the individual; or
2. Condition treatment or payment on an individual’s choice with respect to the receipt of fundraising communications.
3. Condition treatment or payment on an individual’s choice with respect to the receipt of fundraising communications.IU fundraising personnel may provide individuals with a mechanism to opt back in and receive fundraising communications.

D. Safeguarding and Secure Disposal of PHI

PHI, including demographic and other information received from a beneficiary covered healthcare component for fundraising purposes shall be appropriately safeguarded. In addition, such PHI shall be securely disposed of or returned to the beneficiary covered healthcare component once the fundraising campaign has concluded. PHI, such as patient lists obtained from a beneficiary covered healthcare component, may not be:

• Retained by IU fundraising personnel once the fundraising campaign has concluded;
• Used for future solicitations, even if the campaign is for the same faculty member or Department; or
• Used for other fundraising purposes.

Reason for the Policy

The Health Insurance Portability and Accountability Act (HIPAA) limits the use and disclosure of Protected Health Information (PHI) for fundraising purposes. This policy establishes how the IU Foundation and IU fundraising personnel may use and disclose PHI in accordance with HIPAA for fundraising purposes.

The Indiana University (IU) Foundation is an institutionally-related foundation with an explicit linkage to support fundraising where such fundraising jointly benefits the IU Foundation and the Covered Entity (beneficiary covered healthcare component.) Fundraising for the IU Foundation benefits both IU and the beneficiary covered healthcare component by supporting research. The beneficiary covered healthcare component benefits from fundraising and the research it supports since the beneficiary covered healthcare component employs faculty members. HIPAA permits the shared benefit of fundraising.

IU fundraising personnel assist faculty members who are also part of a beneficiary covered healthcare component with fundraising activities involving the use or disclosure of Protected Health Information (PHI). In this capacity, the IU Foundation and related IU Fundraising Personnel function as a Business Associate to the Beneficiary Covered Entity.

Definitions

Individually Identifiable Health Information (IIHI): A subset of health information, including demographic information collected from an individual, and: (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual.

Protected Health Information (PHI): Individually identifiable health information held or transmitted by a covered entity or its business associate in any form or medium, whether electronic, on paper or oral.

See Glossary of HIPAA Related Terms for complete list of terms.

History

7/22/2013 – Effective Date
1/13/2016 – Updated Definitions Section
08/01/2016 – Added link to Glossary, updated bad links
11/10/2016 – Added links to IU Policies
06/xx/2017 – Published on University Policies site
12/17/2021 – Updated policy contacts
04/03/2025 – Updated the term "HIPAA Affected Areas" to "Critical Health Data Areas"

Related Information

HIPAA Regulations
45 CFR §164.502

HITECH Regulations
42 CFR: Part 412
42 CFR: Part 413
42 CFR: Part 422
42 CFR: Part 495
45 CFR: Subtitle A Subchapter D 

Related IU Policies
HIPAA-P01 – Uses and Disclosures Protected Health Information
HIPAA-P03 – Authorizations