Skip to Main Navigation
Skip to Main Content
The University of Texas at Dallas

HIPAA Privacy Manual

Section 34: Fund Raising

Policy:

In general, a patient’s Protected Health Information (PHI) may not be used for fundraising purposes without specific authorization from the patient or surrogate decision maker. UTD fundraising personnel may only use and disclose dates of treatment and demographic information in connection with fundraising activities unless they obtain specific authorization from individual patients granting more expansive use of the patient’s PHI. Demographic information generally includes name, address, other contact information, age, gender and insurance status.

Information about the department in which an individual received services also cannot be used for fundraising purposes without the patient’s prior authorization, if that information would reveal or could reveal the nature of the diagnosis, services or treatment that the individual received.

UTD personnel and affiliated fundraising associates MAY:

  • Use a patient's basic demographic information to solicit gifts.
  • Access patients’ dates of care.
  • Use public information outside its internal database to send fundraising requests, without fear of violating this policy.

UTD personnel and affiliated fundraising associates MUST:

  • Provide a “Notice of Privacy Practices” to any patients they may be planning to contact. Patients may receive a Notice of Privacy Practices while at UTD, by visiting the UTD website, or calling 214-905-3011.
  • Include an opt-out provision along with the initial fundraising letter sent describing how individuals may opt out of receiving further fundraising materials.
  • Exclude information about diagnosis, nature of services, or treatment in any solicitation.
  • Remove that patient’s information immediately from the mailing list upon receipt of an opt out clause.
  • Sign an appropriate business associate contract before disclosing patient information to consultants or outside entities for fundraising activities. This contract is not necessary should UTD employees or an institutionally related foundation perform the fundraising, which includes nonprofit foundations that raise only a portion of funds for UTD

After Notice of Privacy Practices is sent, information that CAN be used for fundraising without authorization or consent includes:

  • Name
  • Address
  • Other contact information (such as email, phone, etc.)
  • Age
  • Gender
  • Insurance status
  • Date of service

Information that CANNOT be used without authorization:

  • Diagnosis
  • Nature of services
  • Treatment
  • Place within clinic where patient receives treatment that specifically identifies that treatment (such as Psychology Department)

Information about the part of the clinic where treatment occurred may be used to filter names for fundraising as long as the department does not identify the type or nature of treatment. Caution should be used when divulging the treatment area. When a prospective contributor voluntarily discloses information about diagnosis and treatment to a member of UTD’s fundraising staff, that information can then be used for other fundraising purposes.