Fundraising Privacy Guidelines

These Guidelines expand upon the HIPAA Fundraising Communications Policy for Stanford University, Stanford Health Care (SHC), and Stanford Children's Health (SCH), which permits the use and disclosure of protected health information (PHI) for fundraising purposes in accordance with institutional policy and legal requirements.  The policy and these guidelines apply to fundraising activities on behalf of the Stanford Affiliated Covered Entity (“SACE”).

I. Fundraising Definition and Coordination

For HIPAA purposes, a "fundraising communication" is a communication to an individual by a covered entity (or the entity's business associate or institutionally related foundation) for the purposes of raising funds for the covered entity.  Fundraising communications include, but are not limited to, solicitations for donations or gifts, sponsorship of events, and communications for events or activities held to raise funds for the covered entity.

All fundraising activities involving PHI must be coordinated through the University Medical Center Development (MCD) office or the Lucile Packard Foundation for Children’s Health (LPFCH) as appropriate.

Pursuant to HIPAA, the fundraising activity must be for the benefit of the covered entity, which includes SHC, SCH, the School of Medicine (SOM), and other parts of the SACE.  Accordingly, the SACE may not use or disclose PHI for fundraising purposes that benefit a person or entity other than the covered entity.  This means that Stanford PHI may not be used or disclosed for fundraising to benefit a department or school outside of the SACE (such as the School of Engineering), or a company or outside organization.

II.  Permissible Internal Use of PHI for Fundraising, Without Patient Authorization

Federal and state laws permit limited PHI to be used within the SACE for fundraising purposes with appropriate notice in the Notice of Privacy Practices, but without patient authorization.  As explained further below, the PHI must be the minimum necessary for the specific purpose. This “Limited PHI” primarily includes demographic data and certain other data elements, as follows:

1. Name;
2. Address and other contact information (e.g., street address, city, county, state, and zip code);
3. Age or date of birth;
4. Gender;
5. Insurance status;
6. Dates of service;
7. Affiliation with SHC, SCH, or Stanford University;
8. Indication of whether the individual was an inpatient, emergency department patient, outpatient, or clinic patient;
9. Other common elements of demographic information, including phone number, email address, occupation, and education level.
10. General outcome information (e.g., death or "suboptimal outcome");
11. General department of service, as defined by the Hospital Privacy Office; and
12. Treating physician name

Any new data extract report from hospital systems to MCD must be reviewed and approved by the hospital Privacy Office.    MCD staff members are not permitted to access hospital electronic or paper medical records for fundraising purposes.

The “minimum necessary” standard of HIPAA applies to using these data elements for fundraising.  This means only the minimum PHI needed for a specific activity should be used.  For example, if an annual appeal requires using patient name, address, and limited other information excluding treatment physician and general department of service, then only those necessary data fields should be used for that fundraising activity.

Conversations with individuals (including patients) about possible "areas of giving interest" are permissible without an authorization, provided that their medical information is not used for a fundraising purpose.  For example, MCD may speak with a grateful patient to explore areas of giving interest (e.g., support for the new hospital, for technology, for research, or for general departments of care), as long as only the Limited PHI above is used.  Diagnosis and other PHI cannot be used for fundraising, absent written patient authorization.

III. Permissible External Disclosure of PHI for Fundraising, Without Patient Authorization

Certain Limited PHI may be disclosed (outside of the SACE) without an authorization, including to a business associate or an institutionally related foundation, for purposes of fundraising on behalf of the SACE.   Note that pursuant to state law, the list of Limited PHI that may be externally disclosed is narrower than for internal uses listed in Section II above; the elements that may be externally disclosed include (1) through (9).   Any disclosure must also meet the minimum necessary standard, as explained above.

Pursuant to state law, information revealing the medical history, mental or physical condition, or treatment of a patient may not be disclosed (outside of the SACE) for fundraising purposes, absent written patient authorization.  Accordingly, physician names and departments of service that may reveal medical history, condition, or treatment, or outcome information (e.g., death), may not be disclosed for a fundraising purpose without patient authorization.  

Disclosure to a business associate (a consultant or other person or entity, who is not part of the Stanford/SACE HIPAA Workforce and who performs a service involving PHI on the SACE’s behalf) requires a Business Associate Agreement.  Please contact the Privacy Offices or contracts offices for assistance. 

IV. Fundraising Activities that Require Patient Authorization

Patient authorization is needed if a use or disclosure for fundraising activities requires more than the Limited PHI described above (in Sec. II. and III.).  Authorization is obtained from the patient or his/her personal representative.  Stanford HIPAA policies describe the elements of a valid authorization.  (Please see Stanford University HIPAA Privacy Policy, H-15: Use and Disclosure).  

Examples of circumstances that require prior patient authorization include, but are not limited to:

1. Using or disclosing any PHI that exceeds Limited PHI for a fundraising purpose (for example, using diagnosis, treatment, or any other information apart from Limited PHI for fundraising); and
2. Using diagnosis, treatment, or other information exceeding Limited PHI in order to tailor a mailing (for example, if MCD asked SHC to compile a fundraising list of diabetes patients, the hospital would need the patients’ authorizations to do so, and MCD similarly would need the same authorizations to contact these patients based on PHI for a fundraising purpose).

Because HIPAA protects individuals' privacy for 50 years after death, these fundraising rules apply to both living and deceased patients.  If an authorization is needed for a patient donor who has since died, it should be obtained from his/her personal representative, pursuant to HIPAA polices.  Please contact the University Privacy Office in the event of a question.

V. Opt-Out Requirement

All fundraising communications must include clear and conspicuous instructions, in “plain language,” on how an individual may opt-out from receiving fundraising communications from the SACE.  (If the communication is in a language other than English, then the opt-out must also be in the other language so that it is easy to understand.)

The method for opting out must be simple; it cannot impose an undue burden.  Providing a phone number or email address is permissible, but requiring a written letter to opt-out is considered an undue burden so cannot be used.  The following opt-out language has been approved for the SACE:   “If you would prefer not to be contacted by Development, please call 844-427-3491 or email optoutmedicine@stanford.edu.”  Use of any other opt-out language requires prior approval from Stanford’s Privacy Offices.

The SACE has flexibility to define the scope of the opt-out.  This means an opt-out may allow patients to opt-out of a specific fundraising campaign, or all fundraising communications.  HIPAA requires a covered entity to track every opt-out strictly and immediately, so the SACE must adhere to this requirement and not make a fundraising communication to a person who has opted out of the same.

MCD maintains a record of opt-outs.  When a prospect calls or emails a member of Prospect Advancement to opt-out in response to any letter or other communication, then they will clarify the communications from which they wish to be removed.  All individuals who contact Prospect Advancement to opt-out will be coded “do not phone (DNP)” in the database for MCD.  If they are not okay with receiving anything from MCD, then they will be coded “do not solicit (DNS), do not mail (DNM), do not invite (DNI), do not email (DNE), and do not phone (DNP)”.

Anyone who receives a written or oral patient request to opt-out of fundraising MUST notify MCD immediately.  Since Stanford is an affiliated covered entity (SACE), MCD works with the affiliates within the system to maintain an up-to-date list of fundraising opt-outs for the SACE.  No fundraising materials may be sent to an individual who has opted out of receiving these materials.  You must consult with MCD prior to fundraising activities to ensure all opt-outs will be honored. 

VI. Security Requirements

You are required to be familiar with all Stanford HIPAA privacy and security policies, which are available at University Privacy Office's website or through the Hospital Privacy Office.  For example, these policies require that you:

1. Always keep PHI secure;
2. Use only encrypted media for electronic PHI;
3. Store paper PHI in locked and secure places, with all appropriate safeguards; and
4. Avoid emailing patients; note that sending an unblinded email to donors, including patient donors, may reveal patient information and thus is not permitted).   

VII. Guideposts for Certain Activities

A. Philanthropic Gifts

A patient may express a philanthropic goal for a gift to pass to part of the SACE after the patient's death.  The patient may wish to provide information related to his/her diagnosis or treatment to help the SACE carry out his or her wishes.  If the patient provides this information in a letter or other documents, the best practice is to include an authorization to use/disclose the PHI for fundraising with these documents when they are executed.  (Alternatively, some documents may be sufficiently clear already; the Office of the General Counsel should be consulted for advice on such situations.)  The documents will be held in MCD's Planned Giving files and will not be disclosed unless a question or legal challenge arises after the patient's death, or as otherwise required or permitted by law.

B. Physicians' Role in Fundraising

Physicians’ primary responsibility is patient care.  Physicians should not engage in fundraising, absent close coordination with MCD and adherence to institutional privacy policies, guidelines, and training.   A patient's care may never be conditioned on participation in a Grateful Patient program or other fundraising activities.  

If a patient wants to learn more about giving opportunities, a physician may give the patient contact information for MCD staff.

If a physician reasonably believes a patient may be of interest to MCD, the physician may provide the minimum necessary Limited PHI (such as name and contact information) to MCD so that it can inquire about the patient's potential interests.

If MCD has a question about a patient or potential donor, MCD may contact the physician as long as only Limited PHI is used for a fundraising purpose.

C. Patient Self-Identification

Sometimes patients "self-identify" their interest in becoming potential donors.  For example, patients may mention an interest in donating to MCD staff, a hospital executive, a Board member, or other friends of Stanford Medicine.  When this occurs, MCD should not request or collect information beyond Limited PHI without a patient authorization.  If an MCD staff member learns in the process of developing a relationship with a patient any information beyond Limited PHI (e.g., the person voluntarily mentions his/her diagnosis or treatment), the MCD staff member should document on the donor database the individual's area of giving interest in the same manner as any other potential donor's area of giving interest is documented.  MCD should not document treatment, diagnosis, or information other than Limited PHI without a patient authorization.

For example, Jane Doe self-identifies an interest in giving in the area of breast cancer, and mentions her personal experience with the disease (for which she may have received treatment anywhere, not necessarily at Stanford) to MCD development staff.  MCD should document that Ms. Doe expressed an interest in giving in the area of breast cancer treatment and research, or that she said she may want to support breast cancer work at Stanford.

D. Storing Data in PostGrads

The PostGrads database stores information about donations or prospective donations to the SACE.  When MCD enters information into this system, it must be for an individual who is a donor or prospective donor, and it must not contain health information.  Even when a patient has provided authorization, MCD staff should take care not to store health information in this system in order to protect privacy.  PostGrads must be maintained in a manner that does not allow development staff outside of MCD (and the covered entity) to identify that a donor was a patient.

E. Fundraising Statements in Patient Newsletters

If a newsletter has a purpose to raise funds for the covered entity, then these guidelines apply.  For example, including a fundraising-specific envelope in a newsletter reflects a purpose to raise funds for the covered entity, and thus only Limited PHI (e.g., name and address) may be used for that purpose.  In contrast, if a newsletter includes an envelope and enclosure card with check-boxes, where individuals may check off if they would like to receive information about services or programs, then such an enclosure generally does not indicate a purpose to raise funds for the covered entity and fundraising guidelines would not apply.

F. Senior Leadership Notification of a Donor Patient in the Hospital

When a donor patient is in the hospital, he/she has a right of privacy like any other patient, in accordance with HIPAA and state laws.  Whether or not senior leadership may be notified of a donor patient’s hospitalization is a matter of job-related need to know and is analyzed on a case-by-case basis.

VIII. Reporting Privacy/Security Incidents or Complaints

Stanford policy requires you to report any potential privacy concerns or unauthorized access to, use, or disclosure of, PHI immediately to the University Privacy Office by making a Service Request.  Please see Stanford University HIPAA Privacy Policy, H-16: Breach Notification.

IX. Document Retention

All documents (e.g., authorizations, opt-outs) related to fundraising activities should be retained for a minimum of six (6) years from the date of its creation.

X. Related Policies, Processes and Forms

Please refer to Stanford University HIPAA Policies:

• H-11: Fundraising Communications
• H-16: Breach Notification
• H-15: Use and Disclosure

XI. Questions About Guidelines

If you have questions about these Guidelines, please contact the University Privacy Office make a Service Request.

XII. Document History

These guidelines replace earlier versions of fundraising privacy guidelines, which originated in 2003 and were updated periodically thereafter. 

Fundraising Privacy Guidelines