§164.514(f) Fundraising communications.
(1) Standard: Uses and disclosures for fundraising. Subject to the conditions of paragraph (f)(2) of this section, a covered entity may use, or disclose to a business associate or to an institutionally related foundation, the following protected health information for the purpose of raising funds for its own benefit, without an authorization meeting the requirements of § 164.508:
(i) Demographic information relating to an individual, including name, address, other contact information, age, gender, and date of birth;
(ii) Dates of health care provided to an individual;
(iii) Department of service information;
(iv) Treating physician;
(v) Outcome information; and
(vi) Health insurance status.

(2) Implementation specifications: Fundraising requirements.
(i) A covered entity may not use or disclose protected health information for fundraising purposes as otherwise permitted by paragraph (f)(1) of this section unless a statement required by §164.520(b)(1)(iii)(A) is included in the covered entity’s notice of privacy practices.
(ii) With each fundraising communication made to an individual under this paragraph, a covered entity must provide the individual with a clear and conspicuous opportunity to elect not to receive any further fundraising communications. The method for an individual to elect not to receive further fundraising communications may not cause the individual to incur an undue burden or more than a nominal cost.
(iii) A covered entity may not condition treatment or payment on the individual’s choice with respect to the receipt of fundraising communications.
(iv) A covered entity may not make fundraising communications to an individual under this paragraph where the individual has elected not to receive such communications under paragraph (f)(2)(ii) of this section.
(v) A covered entity may provide an individual who has elected not to receive further fundraising communications with a method to opt back in to receive such communications.

Audit Inquiry

Is the disclosure of PHI to a business associate or institutionally related foundation limited to the information set forth in the established performance criterion?

Obtain and review policies and procedures and notice of privacy practices and evaluate the content relative to the established performance criterion.

Obtain and review a sample of communications for fundraising purposes to determine if it contains a clear and conspicuous opportunity to opt out of further fundraising communications or a reference to a mechanism for opting out.

Obtain and review documentation that the policies and procedures are conveyed to the workforce.