As a biomedical researcher, I need to complete the HIPAA Compliance Course every year. The detailed module lays out steps for protecting personal information that could identify a patient, such as name, address, phone number, and financial information. Under HIPAA, providers need to learn only the minimum protected health information (PHI) necessary to provide high-quality medical care. Anyone who violates the HIPAA rules may lose their medical license, be fined, or, in extreme cases, be sent to jail.
However, there is one surprising exception. Protected personal information can be extracted from medical records for fundraising.
Within days of proudly obtaining my 2021 HIPAA certification, I received a letter from a healthcare provider at my home address. My name was prominently displayed on the envelope, and the return address named the medical subspecialty group where I had recently been a patient. The letter contained some “opportunities” for making donations.
However, according to the HIPAA course, personally identifiable information can only be used when it is essential to providing medical services that benefit the patient. That is the law, and violating it has consequences. Yes and no.
In 2013, the HIPAA Privacy Rule was changed so that fundraisers may now access names, addresses, birthdays, genders, insurance status, departments of service, phone numbers, email addresses, occupations, health conditions, and physicians’ names. The policy also allows fundraisers to share this information with relevant “Business Associates” and charities.
To be fair, the HIPAA course does acknowledge the exemption for fundraising activities. It was covered in one of the more ambiguous sections of the online slideshow. There is no medical basis for it, but the 2013 revision imposes only one requirement on fundraisers, and the practice is technically legal: the solicitation must include an opt-out option that is “simple, fast, cheap.”
The letter I received didn’t say anything about opting out. However, the same envelope contained another card asking for my credit card number, my spouse’s name, and more detailed personal contact information. It offered $100, $200, $250, $500, or $750 donation options and left a blank for writing in another amount.
The website and phone number that could be used to opt out of marketing mailings were hidden on the back of the card in 9-point font. They were not in the solicitation itself, as the policy requires.
The HIPAA course provided instructions for reporting violations. Anyone worried about even the smallest matter was advised to contact the authorities immediately. So I contacted the HIPAA coordinator and disclosed that I had received a letter clearly stating my name, my home address, and the clinical service that had cared for me. All three of these elements must be protected under the HIPAA Act. I acknowledged that I was aware of HIPAA’s fundraising exception and that there was no technical HIPAA violation, but the solicitation seemed to go against the spirit of the law.
The HIPAA coordinator said he could provide a courteous response and opt me out, but he did not acknowledge the general privacy concern. And last week I received another donation request.
I’m okay with my doctor, medical trainees, and most of my relatives knowing that I’m receiving medical care. But I’m surprised that my personal health information is being used to make me the target of marketing campaigns. The development office has no “need to know” my personal information. These campaigns violate privacy, and privacy protection is the justification for HIPAA.
I am impressed by the professional environment that strictly prevents even the slightest leakage of personal information. My colleagues make great efforts to hide personally identifiable information, carefully document permission before sharing, and disclose information only when it matters to the well-being of the patient. I searched for “privacy protection” on the websites of several major US healthcare providers. Each provider group affirmed its commitment to protecting patient personal information and assured readers that personal identifiers were used only in patient care services.
If privacy protection is really a core value, wouldn’t you expect these organizations to apply the same standards to both providers and fundraisers? Why do patients need to opt out of fundraising campaigns instead of opting in? Patients could instead be asked to sign a consent form that gives fundraisers access to their personal information.
Twenty years ago, researchers at the University of Pittsburgh provided medical information about country singer Tammy Wynette to the National Enquirer. Punishment was appropriate because money changed hands.
I’m worried that our commitment to privacy protection holds only until the institution sees dollar signs.
Robert M. Kaplan, PhD, MA, is a faculty member at Stanford University’s Clinical Excellence Research Center, a former Deputy Director of the National Institutes of Health, and a former Chief Scientific Officer of the National Institute of Medical Research and Quality.