How New Federal Privacy Rules Are Affecting the Way Charities Raise Funds and Manage Employee Information

August 20, 2003 | Read Time: 9 minutes

IN THE TRENCHES

By Alison Stein Wellner

For more than 15 years, the Transplant Foundation, in Miami, has provided information and comfort to people who are on the verge of experiencing one of modern medicine’s most sophisticated and dangerous operations: organ transplantation. Because of its close affiliation with the University of Miami Medical Center, the charity has always had easy access to people who might need its support groups, informational resources, and other services. The group would simply borrow the hospital’s list of transplant candidates and send information to the 3,000 people waiting for a new heart, liver, or kidney. The hospital’s records were also useful fund-raising tools — it was easy for the Transplant Foundation to locate grateful patients who might be willing to make a donation.

Last spring, all of that changed. In April, new privacy rules contained in the federal Health Insurance Portability and Accountability Act of 1996 went into effect.

The regulations, commonly referred to as Hipaa, ushered in a new era of stringent privacy protection for health information. For the Transplant Foundation, the result has been to cut off the organization’s most direct avenue for reaching potential clients and raising funds.


“We do not have access to the patients anymore,” says Eli Compton, the organization’s executive director. “It is unfortunate for the patients because we cannot [easily] offer that service to them any longer and that is really sad.”

Although Ms. Compton and her colleagues are now scrambling to devise creative ways to raise money and reach potential clients, she estimates that the membership of the organization, which now numbers more than 1,000, will take a 30-percent hit over the next year, and that donations will decline by about 20 percent.

While most charities have not been affected as dramatically as the Transplant Foundation, there is no doubt that the new privacy rules have brought about change in the way that all American organizations handle health information. To be sure, the rules have had their strongest impact on groups that provide health-care services. But the rules also affect organizations whose missions have absolutely nothing to do with health or health care, because their reach extends to employees’ health information, says Christopher S. Panczner, a lawyer in New York who specializes in the health-privacy law. Any organization that offers health insurance, and handles any information about health claims, is likely to be subject to the new privacy regulations and must learn how to comply with them.

Defining the Boundaries

The privacy rules erect a shield around what is called “protected health information,” Mr. Panczner says. Protected health information is defined as information about a person’s past, present, or future health care, or payment for that care. This includes medical records, but also includes any information about an individual’s health that is passed on orally, in casual communication, or in any other form.

Simply put, the idea behind the rules is that individuals’ personal health information is no one’s business but their own, and if anyone else wants it, they have to ask an individual for it in writing. The only people who are allowed access to personal health information without individuals’ permission are health-care providers, such as doctors, or people who are arranging for payment for that care, such as insurance companies or human-resources administrators who need that information to process claims. The law has some other exceptions as well — for example, if a patient has a dangerous and communicable disease, such as tuberculosis, state health officials would have the right to obtain the patient’s protected health information.


The rules also say that as few people as possible within an organization should have access to protected health information, and that those people must know that they are not allowed to share that information in any way, outside of providing health care or paying for it. If health-insurance claims are handled by one person in an organization, only that person should have access to protected health information. If insurance claims are handled by a larger group, then that group, and that group only, should have access to the protected information. The guiding principle is that the data should pass through as few hands as absolutely required by an employer’s human-resources system. (If volunteers can come into contact with protected health information, says Mr. Panczner, they as well as staff members should be trained in the protocol for keeping it private.)

In an organization that provides health care, this means that using a patient’s health information for fund raising, marketing, or any other purpose beyond providing or paying for health treatment is unacceptable. For example, at the Christie School, a charity in Marylhurst, Ore., that works with abused children, privacy was always of great concern. “Hipaa was just a step up, since we do have to provide a high level of confidentiality for children,” says Linda Fanning, the school’s quality improvement and privacy manager.

But the Christie School has made one major change: It has often included in its fund-raising and promotional materials pictures of the children at the facility enjoying recreational activities, but now, the charity omits photos from its literature, says Ms. Fanning.

At St. Barnabas Health System, a nonprofit organization in Gibsonia, Pa., that provides long-term care to 350 patients, the longstanding fund-raising practice of including patients’ stories in promotional materials hit a snag when the new privacy rules went into effect, says Kathleen Brenneman, manager of public and media relations. Now, the organization has to get each patient’s consent, either from the patient or the patient’s designated advocate. Although most of the time, the hospital is able to obtain that permission, she says, it adds an additional step to the process of publicizing the organization’s work.

Insurance Requirements

In an organization that is not involved in providing health services, the most common form of protected health information floating around the office is information relating to health insurance. Most employers that offer health insurance handle protected data because they may need to process disability claims or sick-leave claims, may use it to design or change their health benefits, or may need it to comply with other laws, including the federal Family Medical Leave Act.


Organizations that offer their employees health insurance must be vigilant about complying with the privacy rules’ insistence on allowing as few people as possible access to medical information when handling insurance claims. In addition to keeping the number of people who have access to workers’ health information to a minimum, it also means that the information, in either paper or electronic form, should be protected physically, and that the information may not be traded around the water cooler, or in any other manner. For example, Mr. Panczner says, it would be a violation of the law for a person handling insurance claims at a charity to go to the executive director of an organization and pass on the information that a particular employee has cancer as a means of warning the leader about rising insurance costs. Even information sharing that is intended to benefit an employee — such as notifying supervisors about ailing workers so they do not overburden those employees — is prohibited.

The other major requirement of the new rules that affects organizations that sponsor health plans is that employees must be notified of their new privacy rights, and be told that they have the right to review and amend their private health information. If an organization provides its own insurance rather than using an outside company, it is responsible for sending out the privacy notice. If an organization works with a health-insurance company, the insurer sends out privacy notices, in accordance with the new regulations.

For many organizations that offer health insurance, the steps to comply with the privacy rules are relatively simple, according to Mr. Panczner and the new federal rules. Employers should make sure that paper files relating to health insurance are secure (a simple lock on a file cabinet will suffice), that electronic files are password-protected, and that as few people as possible can access them.

In addition to these steps, a lawyer or a consultant who specializes in federal health-privacy rules can help vet an organization. The Christie School brought in a consultant to do just that, says Ms. Fanning.

“It really helped us do what we needed to do to be in compliance,” she says. The consultant helped the organization evaluate its potential for health-information leaks.


For example, Ms. Fanning says, the school considered which of its business associates, such as office- and medical-supply companies, might have access to information about its students or come in contact with them during routine visits, and sent them documents explaining their new legal obligations to maintain students’ privacy.

Compliance with the new rules can get unexpectedly complicated. For example, at LifeCare Alliance in Columbus, Ohio, the organization sent out a privacy notice to its 3,500 recipients of home-delivered meals, confusing many of them.

“Over two weeks’ time, we received 750 calls,” says Charles W. Gehring, the alliance’s president. (The organization had just one person available to field calls.) Even before then, the privacy rules were “a lot of work,” says Mr. Gehring. The full-time staff person given the task spent up to 20 hours of her regular work week, for four months, bringing the charity into compliance. “I’m not complaining, but she could have been doing other things,” he says.

Still, charities have to take the time to comply with federal law, says Mr. Panczner. They face more than a slap on the wrist if they don’t: Although people whose privacy has been violated don’t have a right to sue directly, the federal Department of Health and Human Services is ready to investigate complaints. Penalties for violations of privacy of health information can include cash penalties, jail time, or both. (The Association for Healthcare Philanthropy offers some guidance for nonprofit groups involved in health care.)

To learn more, click here for a fact sheet and general explanation of Hipaa. A more detailed explanation can be found here.


How is your organization working to comply with Hipaa? Have you encountered any difficulties? Join the discussion in the Share Your Brainstorms online forum.