The HIPAA Omnibus rule does permit the use of department of service, treating physician, and outcomes information in fund raising activities with an understanding that a patient can opt out and their wishes must be respected.
*The Notice of Privacy Practices must disclose fundraising and right to opt out.
*The covered entity or business associate must not send further communications to those individuals who have opted out, but opt out can be limited to a specific campaign.
*If PHI not used (e.g., a purchased list) notice and opt out do not apply.
Here’s an excellent overview of the regulation and best practices related to fundraising
How do I think about supporting healthcare fundraising activities with IT?
*Keep all data centrally managed so that no shadow databases of patient identified information are stored in departments or on mobile storage systems.
*Ensure that experts perform all queries and create “minimal need to know” views of patient information.
*Create audit trails of all lookups
*Support the Development department with business intelligence tools that enable them to do their work but eliminate the need to access clinical systems
*Ensure that opt out requirements are respected.
As with most things involving privacy and security, it is possible to balance business needs and regulatory compliance. Centrally managing the process requires close collaboration between IT and the fundraising business owners. Strong policies, communication and relationships are just as important as the technology.