September 2, 2004
The Honorable Tommy G. Thompson
Secretary
U.S. Department of Health and Human Services
200 Independence Avenue, SW
Washington, DC 20201
Dear Secretary Thompson:
As part of its responsibilities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the National Committee on Vital and Health Statistics (NCVHS) monitors the implementation of the Administrative Simplification Provisions of HIPAA, including the Standards for Privacy of Individually Identifiable Health Information (Privacy Rule). The Subcommittee on Privacy and Confidentiality of the NCVHS held hearings in Washington, D.C., on July 14, 2004. The hearings were intended to gather information about the effect of the Privacy Rule on fundraising, marketing, and media access. This letter conveys the Committee’s findings and recommendations on the impact of the Privacy Rule on fundraising.
At hearings before the compliance date, witnesses predicted that prohibiting disclosure of patient service department information would adversely affect the fundraising activities of many nonprofit health care institutions. In particular, large general hospitals would be unable to target specialized fundraising efforts to patients who were treated, for example, in their ophthalmology or cardiology departments. By contrast, specialty hospitals, by their very nature, would have this information. In a prior letter to the Department, we raised the issue of possible negative implications for fundraising of not permitting the disclosure of patient service department information.
At our July 2004 hearing, we invited witnesses who previously testified (before April 2003) to address the effects of the Privacy Rule on fundraising. We also received written comments from a leading health privacy advocacy group. The witnesses testifying orally said that their experience with the Privacy Rule had confirmed their fears about the likely consequences of the Rule.
One witness, representing the Association for Healthcare Philanthropy (AHP), stated that its member organizations were required to hire additional staff and incur additional costs to comply with the Privacy Rule. The witness further indicated that annual contributions dropped from $8 billion in 2001 to $5.9 billion in 2003. Although it is not clear precisely how much of this decrease is attributable to the Privacy Rule, the witness testified that the Privacy Rule had a substantial effect. Further, the witness provided statistics indicating that general solicitations (as are permitted without additional patient authorization under the Privacy Rule), account for less than one percent of all donations.
Another witness, representing a major academic medical center, testified that while the impact of the Privacy Rule is not entirely known (because giving is based on long term relationships developed with donors), recent statistics show that individual contributions have dropped from 70% to 56% of all contributions collected.
Both witnesses stated that fundraising organizations have historically been very sensitive to patient privacy considerations, resulting in few cases where patient privacy complaints have arisen, even though fundraisers had previously been privy to information that is no longer available due to the Privacy Rule. The witnesses recommended that information regarding the patient’s department of service should be available for fundraisers without the need for additional authorization.
Testimony at the hearing indicated that the current prohibition on disclosing patient service department information for fundraising results in only minimal privacy protection for patients. For example, directory information routinely discloses room locations, and the location of a patient’s room often indicates that the patient is being treated on a surgical, oncology, or similar unit of the hospital. Thus, patient service department information is now widely available to the public, including fundraising staff, unless the patient has opted out of the hospital directory.
The written testimony from the Georgetown University Health Privacy Institute emphasized the importance of patient control over their protected health information. The testimony argued that health care providers should obtain a prior authorization from patients to use department of service information in fundraising. An alternate approach would inform patients in the notice of privacy practices that department of service information may be used in fundraising and permitting patients to opt out of fundraising.
Based on the oral and written testimony, NCVHS recommends the following:
- HHS should allow covered entities and institutionally related foundations to use information related to the patient’s department of service for fundraising activities without the requirement to secure a patient’s authorization.
- Department of service information should apply only to broad designations (e.g. surgery, oncology, but not narrower designations), and the Privacy Rule should retain the prohibitions on disclosure of information relating to diagnosis and treating physician.
- The covered entity’s notice of privacy practices should inform patients that their department of service information may be used in fundraising, and patients should be afforded the opportunity to decline to permit their department of service information to be disclosed for fundraising or to opt out of all fundraising contacts.
We appreciate the opportunity to offer these comments and recommendations.
Sincerely,
/s/
John R. Lumpkin, M.D., M.P.H.
Chairman, National Committee on Vital and Health Statistics
Cc: HHS Data Council Co-Chairs