MEMORANDUM

To: Impacted Clinical Units

From:Laura L. LaCorte

Date:April 8, 2003

Subject:THE HIPAA PRIVACY RULE AND ITS IMPACT ON FUNDRAISING AND MARKETING ACTIVITIES

A new federal privacy rule goes into effect April 14, 2003. This rule will impact the fundraising and marketing activities that your departments currently undertake. Please take a moment to review the summary below.

What is the HIPAA Privacy Rule?

The Health Insurance Portability and Accountability Act privacy regulation (HIPAA Privacy Rule) is a new law that goes into effect April 14, 2003. The law generally prohibits health care providers from using or disclosing "protected health information" without written authorization from the individual. "Protected health information" is any identifiable health information relating to the individual's past, present or future physical or mental health condition or payment for health care. Examples of protected health information include medical records and billing records.

The HIPAA Privacy Rule creates a federal standard for protecting the privacy of health information, which is in addition to existing state laws.

How Does HIPAA Affect the Use of Health Information for Fundraising?

While fundraising is now clearly regulated by the HIPAA Privacy Rule, regulators have provided limited guidance on how complex academic medical centers like USC should apply the rule. As a result, there is no consensus in the academic community on this issue, and other institutions may take more restrictive or more expansive positions than the one adopted here. As additional guidance becomes available, we will let you know and modify our policies as appropriate. Because this is an area where the analysis tends to be fact-specific, please contact the Office of Compliance for assistance if you are uncertain as to how the Privacy Rule should be applied to a particular situation.

Currently, many physicians and other practitioners, as well as the USC Office of Development, solicit charitable contributions from current and former patients. This may take the form of in-person appeals, broad-based mailings, or targeted solicitations based on the patient's diagnosis and treatment.

The HIPAA Privacy Rule permits USC to use a patient's demographic information for USC's own fundraising purposes. (Under the Rule, the faculty practice groups[1] and other clinical units, such as Dentistry, are treated as though they are a part of "USC" for these purposes.) When a patient’s demographic information is used for fundraising activities (e.g., creating mailing lists), the privacy rule requires that any fundraising materials sent to the patient provide the patient an opportunity to “opt-out” of any future fundraising solicitations. Please contact the Office of Compliance for appropriate language and assistance with implementation.

USC is prohibited, however,from using information about the patient's diagnosis or treatment for fundraising purposes, unless the patient has specifically authorized that use in writing. The regulations specify what provisions must be included in the authorization for it to be valid. USC's template authorization for fundraising activities can be downloaded from the compliance web page at or the USC policies web page at

Under the Privacy Rule, a practitioner is permittedto do the following without the patient's special written authorization:

  • Make a personal, in-person appeal to the patient;
  • Send a fundraising solicitation to all current and future patients or to a patient list narrowed based on address, age, date of service, or other demographic information;
  • Provide the Office of Development with patient lists that include name, address, and dates of service.

However, the following activities are prohibited without the patient's special written authorization:

  • Providing any non-USC entity with patient information (even if limited to names and addresses only) to enable that entity to conduct fundraising on its own behalf. This includes any hospital (including Norris Cancer Hospital);
  • Providing the Office of Development with any information about patient diagnoses or treatment;
  • Have a development officer present for an in-person appeal without prior written authorization from the patient;
  • Sending a mailing to patients based on the patients’ diagnoses or treatment.

Can I "tailor" a fundraising letter to my practice area if Ionly am using demographic information on patients?

Some academic medical centers have decided to prohibit any tailoring at all. While a plausible reading of the Rule, we believe that it is unnecessarily restrictive. The policy adopted by USC is as follows. Patient lists from individual physicians or other practitioners can be used for pitches tailored at a departmental level (excluding Psychiatry) or to a specific disease covered by the department, but not tailored to the individual practitioner’s subspecialty area of practice. For example, a diabetologist cannot send a mailing to his patient list soliciting funds for diabetes research. The reason USC has adopted this restriction is both for compliance and risk management reasons. First, sending a solicitation to a subspecialist's patient list to contribute to a restricted fund in that subspecialist's practice area may be viewed by regulators as using information as to diagnosis. Second, such a mailing will likely be viewed by the patient as having made use of their personal health information and, if opened by someone other than the patient, may create an inadvertent disclosure to a third party. However, the Department of Medicine could send a mailing to all its patients soliciting funds for diabetes research. In this circumstance, while the patient may still be concerned that their health information was used to construct the mailing list, USC will then be in a strong position to dispel that misimpression.

There are certain areas of heightened sensitivity that require greater protection from a risk management approach. Therefore, fundraising directed toward the following services/diseases/treatment should utilize broad mailing lists not narrowed by department or treating practitioner:

  • Psychiatric disorders
  • Cancer
  • HIV
  • STD
  • Reproductive medicine
  • Abortion
  • Alzheimer’s disease
  • Genetic counseling
  • Drug and alcohol abuse/treatment

We recognize that there is an inherent inconsistency in the Rule: Because a legal entity can send a mailing to its entire patient list without authorization, but cannot narrow that list based on diagnosis, multispecialty groups and academic medical centers are placed at a disadvantage. A community-based group that treats only diabetics could send all its patients a solicitation for funds to support the group's diabetes research without violating the Rule, while USC could not send the same solicitation to its diabetes patients only, since it would need to use information about the patients' diagnoses to generate that list.

What kind of follow-up can I do if I solicit funds from a patient in person?

There is a special Privacy Rule principle that it does not restrict face-to-face discussions between a patient and their treating practitioner. (This principle does not extend beyond the practitioner and patient -- not to nurses or other members of the treatment team or development, and not to the patient's relatives or friends.) Therefore, a practitioner, alone with his or her patient, may ask whether the patient would be interested in contributing to a particular project or research fund, even if that pitch is based on the patient's diagnosis. For example, the physician, alone with a diabetic patient, could ask whether the patient has any interest in contributing to a USC diabetes fund.

If a patient expresses interest, practitioners may directly send “tailored” literature to the patient regarding areas discussed verbally, with the patient’s verbal consent. In the above example, the physician should ask the patient if it would be all right to send literature about the USC Diabetes Fund to their home, and if the patient agrees, that should be acceptable. Physicians may also notify the Office of Development that an individual has an interest in funding a particular project, after obtaining the patient's verbal permission. In our example, the physician should ask the patient if it would be all right if an individual from the Office of Development contacts them about contributing to a USC diabetes fund, and if the patient agrees, the physician can notify the Office of Development. However, the physician can only inform Development that the individual is interested in contributing to a USC diabetes fund. The physician may not inform Development that the individual is diabetic.

I have attached a "practice guide" for your review. You will see that application of the rules is sometimes subtle. The Office of Compliance would be happy to answer specific questions.

How does HIPAA Affect the Use of Health Information for Marketing?

The Privacy Rule prohibits the use of any patient information (including, for example, name and address only) for any activity considered "marketing" without a special written authorization from the patient. USC's template authorization for marketing activities can be downloaded from the compliance web page at or the USC policies web page at

However, "marketing" does not include any communications made that describe health care services provided by USC, treatment alternatives, or general health topics like health fairs or wellness classes. In addition, the Privacy Rule permits in-person, face-to-face marketing by the treating practitioner.

In general, then, the Privacy Rule will prohibit the use of patient lists or other patient information to send out written materials promoting:

  • USC goods or services that are not health-related
  • Non-USC goods and services

Joint marketing programs with USC's hospital partners that may use USC patient lists should be reviewed in advance by the Office of Compliance. The sale of patient lists to any third party is strictly prohibited.

Can I have a marketing representative "shadow" me in the OR?

In general, marketing representatives should not be provided access to any patient identifiable information. On occasion, a device manufacturer representative may need to be present in the operating room or clinic to train practitioners or staff in the device, or to observe the use of the device by staff and provide feedback for quality purposes.

In these latter circumstances, the representative can be present; however, the representative should sign a Business Associate agreement before receiving access. This agreement requires the representative to comply with USC privacy policies and is required by the Privacy Rule. Copies of USC's template Business Associate Agreement can be downloaded from the compliance web page at or the USC policies web page at In unusual circumstances (generally, where the representative is a licensed health care professional) such an agreement may not be required; please contact the Office of Compliance in any such circumstance for assistance.

Please do not hesitate to contact my office if I can be of any assistance in your review and implementation of the Privacy Rule.

ATTACHMENT A HIPAA FUNDRAISING PRACTICE GUIDE

A.Written Communications

1.Patient lists from individual practitioners can be used for pitches tailored at a departmental level (excluding Psychiatry) or to a specific disease covered by the department, but not tailored to the individual practitioner’s subspecialty area of practice.

2.Patient lists from departments (excluding Psychiatry) can be used for pitches tailored at a departmental level or to a specific disease covered by the department.

3.Fundraising directed toward the following services/diseases/treatment should utilize broad mailing lists not narrowed by department or treating practitioner :

  • Psychiatric disorders
  • Cancer
  • HIV
  • STD
  • Reproductive medicine
  • Abortion
  • Alzheimer’s disease
  • Genetic counseling
  • Drug and alcohol abuse/treatment

4.The above rules apply equally to the Office of Development and to direct mailings by practitioners

B.Verbal Communications.

5.Practitioners may initiate face-to-face communications with the patient regarding fundraising opportunities, and may tailor that verbal pitch to a particular project or area that reflects the patient’s disease/treatment.

6.Practitioners may directly send “tailored” literature to the patient regarding areas discussed verbally, with the patient’s verbal consent.

7.The Office of Development can “tailor” a verbal pitch to a particular project or drive related to the patient’s disease/treatment only if the practitioner has discussed the project/drive with the patient and received verbal consent from the patient to have Development follow up OR the patient has agreed to meet Development in a treatment setting that necessarily discloses a general disease/treatment category.

1

[1] With the exception of University Childrens Medical Group (UCMG)