FundClass Archives:

•

Michael

Timothy:

Health information privacy is a big issue for hospitals and other health-related charities and nonprofits. The HIPAA regulations issued by the Federal government place new restrictions on who may solicit "grateful patients" and how they may be targeted for solicitation.

What are the best resources you've found for briefly outlining which
nonprofits are affected and how the new regulations affect health-related fundraising?

Thanks!

•

Liz

Timothy, I'm also interested in this topic, especially as it relates to "other health-related charities and nonprofits." I do some volunteer work with a cancer org. We use survivors in our PR. Do we now need to get written permission to do that? What else do we need to know?

•

Carolyn

I am very interested in this topic, but it would be very helpful if information or rules that apply directly to the country or state you are in are identified as such so we will know what items may not be relevant where we are. Thanks

•

Timothy

Hi Michael,

Boy, starting off with the tough questions! :-)

Bear with me while I provide a little background for those who are not familiar with HIPAA:

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996. HIPAA included a number of provisions intended to make health insurance more affordable and accessible. It also required the Health and Human Services agency (HHS) to adopt national standards for certain electronic health care transactions, codes, identifiers and security. It also set a three-year deadline for Congress to enact comprehensive privacy legislation to protect medical records and other personal health information. When Congress did not enact such legislation by 1999, HIPAA required HHS to issue health privacy regulations.

As a result, HIPAA is a large and well-intentioned piece of legislation that has not been completely implemented with regard to privacy. In the vacuum left by Congress, HHS and various other agencies are forced to move slowly in setting policy & regulations to meet HIPAA. Consequently, it is still a little difficult to describe specific applications of the law because so many gray areas remain.

However, the intent of the Act is very clear: to prevent the disclosure of anyone's personal medical facts to anyone who has not received explicit permission to receive it. The good news is that HHS has proposed a "Final Ruling" protecting the confidentiality of medical records. The rule limits the use and release of personal medical information, gives patients the right to access their medical records, restricts most disclosure of health information to the minimum needed for the intended purpose, and establishes safeguards and restrictions regarding disclosure of records for certain public responsibilities, such as public health, research and law enforcement. And as you noted, a few of the provisions address NPO operations, but there is very little guidance. If Congress does not intervene, this rule will become effective starting in April of this year.

Now back to your questions, Michael:

Who is affected?

1. HIPAA is not restricted to clients, so it affects all NPOs with U.S. employees who participate in an employer-sponsored health plan. You have specific responsibilities to protect your employees' medical privacy to the same degree as clients.
2. The regulations regarding medical privacy also apply additionally to all organizations that collect personal health information, regardless of their tax standing. Say for instance you are the XYZ Disease Association and you maintain a database of people who have that disease, collected from letters and visits to your website. Under HIPAA, you are obligated to limit access and protect that information, even if those people volunteered that information to you. In the future, you will need to inform visitors & clients that you intend to collect the info, for what purpose, their rights to see what you have on them, and give them the option to decline to participate.

Best resources?

Much general information about HIPAA is available on the web and at the library. The authoritative source is the Health & Human Services agency http://www.hhs.gov. A search of "HIPAA" on the HHS site will show you a number of useful documents, including the new regulations and some interpretive documents. Unfortunately, I do not know of a good reference specifically for NPOs other than the Final Ruling itself. As I said before, so much of this is so new that very little information about its application has been published. If you do know of such a resource, please share it with the group.

However, you might try contacting your health plan insurance provider. HIPAA has some of its biggest impacts on the insurance industry, so they have invested considerable research into its application and often provide consultation free of charge. Your provider will know your organization best, so I would start there. If you don't have an employee health plan, contact one of the larger insurance companies in your area, they can often provide the information or contact you need.

Whew! Sorry about the long post, but as I said, you started with the tough questions!

•

Michael

Timothy:

Thanks for a great introduction to a tough issue. One reason for my asking the question here was to demonstrate that it's not simple. I know a local consultant who attended a one-day seminar at a national conference and is now marketing herself to attorneys as well as nonprofits as an "expert" on HIPAA. Groan!

Another resource is the Association for Healthcare Philanthropy (AHP). Their web site includes an entire section on HIPAA and what it means for healthcare-related fundraisers: http://www.go-ahp.org/

One major issue specific to the fundraising area is the issue of so-called "grateful patient" fundraising mailings. It's now a lot tougher to mail a fund raising appeal to, say, parents of newborns born in a certain hospital that is targeted to their particular situation. Providers must respect privacy when it comes to patient department of service information when it comes to fund raising. This has the effect of making "grateful patient" appeals generic rather than specific, protecting patient privacy but making appeals less successful (targeted appeals generally work better than generic ones).

Thanks again, Timothy, for your thoughtful response.

•

Timothy

Hi Liz,

This is a very interesting question! I have not found anything in the HHS Rule to cover this specifically. However, if the survivors are identifiable in any way, I am quite sure the use of their info would fall under the privacy regulations, and you will need their permission. Even if HIPAA did not cover it, you'll still need a standard media release form signed.

If they are not identifiable, I would still get their permission as a courtesy. I'm not sure I'd appreciate seeing my story used without my permission, even if no one else could tell it was me.

•

Priscilla

Our organization works with cancer patients as well. We believe that no one has the right to tell another person's story unless you have their express permission. Written or emailed works for us but we have to have one of these before we will even use it anonymously.

•

Carlos

Suppose the development officer moves to another similar organization and begins using the database he had collected while working for the organization to benefit the new organization?

What are the rights of deserted organization?

Thanks.

•

Timothy

Hi Carlos,

The situation as you describe it is outright theft, and the "deserted organization" should contact the authorities to determine the course of action to recover their property.

It is highly unethical and usually illegal to use ANY materials or data from a previous employer, unless it is already in the public domain. You can bring your expertise to the new job, and that's all.

•

Jeanne

This is in support of your point, though not directly answering your questions. I look forward to the compilation of the answers you receive.

I'm interested in the IT security issue in the larger context of emergency planning--whether an emergency may relate to destruction of, or lacking access to one's business, because of fire, flood and other typical disasters, or having a business cordoned off during a crime or fire investigation, or relating to impact of terrorism. The unscrupulous (or inept) employee fits here too.

The Westchester County Chamber of Commerce and American Red Cross have recently joined to provide training in emergency planning to small businesses and non-profits. IT security falls under this, and is an important part for most. The assumption is that the large businesses (the IBMs, other major corporations with headquarters or operations in Westchester) are well covered, as you said, but small businesses and non-profits are doing much less planning, and there is less awareness. A study by the U. of Delaware indicates that since 1985, of every business that suffers a major emergency or disaster, 50% never fully recover, and 80% of the 50% never open their doors again. I'm not aware of statistics for non-profits.

Those of us who have volunteered and received initial training will start in a month or so to hold awareness sessions for small businesses and non-profits, to be followed by more detailed workshops. I'm a trainer with a background in non-profit management including development, and was involved in preparing (or being affected by) security plans overseas—where there were threats of strikes and riots and possible need to evacuate employees--so am keenly aware of the issues.

Keep your good advice coming!

•

Timothy

Jeanne,

Thanks for the information. As you point out, emergency planning (aka disaster planning) is an important part of security planning for any organization, and as the statistics show, many companies don't survive "the big one." I presume that NPOs have the same failure rate, if not more.

I have noticed that organizational emergency planning is much like making a will. It's hard not to think you are tempting the fates, we it put off for later whenever possible, and it can be downright uncomfortable planning for the worst. But like a will, suffering an emergency without a plan is far worse than making the plan itself.

For anyone interested, there are many resources available to help you in your emergency planning--books, seminars, websites, and partnerships with support organizations such as the one Jeanne described with the American Red Cross.

You don't have to spend a fortune or many months to develop your plan. Working with partners and other resources you should be able to quickly put together a short, simple plan, and then refine it as time & resources allow. The important point is to HAVE a plan, and USE IT when the inevitable happens.

•

Lisa

1. Would you call your organization small, medium, or large? Small

2. Would you describe your security concerns as mostly physical (example: vandalism or theft), informational (the data in your files and on your computers), something else, or no concerns at all?

Our Security concerns are informational as we use an adoption application, which requires "some" personal information on those people wishing to adopt a rescue animal from us. Currently, only the two directors and two trained interviewers see these applications. Our database, which is open to a larger base of volunteers has separate "views", the "volunteer view" does not contain addresses, email, telephone etc. for "adopters". This also applies for those people who surrendered a pet to us but also blanks out the persons name, leaving dates, reasons for surrender, pet information etc. available.

3. Does a person or department in your organization have the explicit responsibility for security? The Directors take responsibility for the security of information and are the only ones who have full administrative database privileges. We train our interviewers and are certain they understand that this information is NOT for public viewing. Our files remain locked and our computers password protected. We also use Norton System works on our computers with the internet security alert always enabled. It can slow things down during peak usage hours, but so far has kept us from being "hacked into" and has caught all daily attempts to send an email virus to our organizational addresses (we get a minimum of 5 virus laden emails per day, luckily all have been detected and quarantined). We also insist our volunteers with access to our database programs use virus software and run FULL system scans on their personal computers weekly.

4. How much do you spend on security in a typical year? This is our first year of operation and our cost was roughly $440.00

5. Are employees and volunteers given security training? No employees and yes volunteers with access are trained in computer security regimens and volunteers without computer access to our system are taught that ALL adoption and surrender information must be privacy protected. Without this privacy owners and adopters will be less likely to use a rescue, which means more animals will end up euthanized at the local shelters. That usually "helps" them "remember" not to gossip.

6. Have you had any serious security compromises in the last few years? What were they? What was done to prevent it from happening again? One total hard drive crash just prior to our becoming a stand-alone organization. We were still working with a National group and the Executive Director did not keep her virus protection up to date and a Trojan Horse/Worm infected her computer. She sent this to 25 volunteers (us included) and never said a word to anyone unless they called her asking what in the world was going on (strange error messages were popping up everywhere). One of our computers was not up to date (the volunteer had continually told the system she'd update "later") and the hard drive was a total loss. So far, we've been lucky and our precautions have been enough. I'm certain as we grow, so will our security needs.

•

Timothy

Lisa,

Wow, I'm impressed! You've described a security plan that rivals that of many, much larger companies. Here are the important aspects you have in your security system:

- Someone high in the organization has responsibility for security.

- Everyone is assigned a clearly defined role, and access to info for each role is based on "least privilege" (only the minimal access needed to perform their duties). This access is enforced by technology.

- More than one person is assigned to every role, important for both redundancy and oversight.

- Training is in place and is mandatory.

- Information in storage is protected (in this case, with encryption).

- Intrusion detection systems are in place (Norton Systems firewall). Outside access is only by trusted (regularly scanned) systems.

- Reading between the lines, I presume you do regular backups.

Excellent! You have all 3 fundamentals -- Accessibility, Confidentiality, and Integrity -- covered, through a formal system of policy and procedures.

For your next step, I would recommend you add an oversight function, usually done as an occasional audit or walkthrough. The purpose is not to punish anyone doing something wrong, but to ensure the procedures you have are followed correctly. Used properly, an audit will augment training, and close the holes before a big mistake can happen.

Thanks for your reply!

•

Christine

Join me in thanking Timothy Casey for his time and effort in answering your questions and concerns about privacy and security. We are fortunate to have his expertise and knowledge on our behalf and for giving so generously of those talents to FundClass. Thanks, Timothy!