HIPAA Fundraising Rules Explained: What You Can and Can’t Do


Kevin Henry

HIPAA

August 25, 2025


Fundraising Communications Overview

HIPAA allows certain fundraising communications by a covered entity when they are for the organization’s own benefit. You can reach out to patients and families, but only under strict rules designed to respect privacy and choice.

Who may send fundraising communications

  • Covered Entity: Your hospital, health system, or clinic may use limited Protected Health Information (PHI) for fundraising.
  • Business Associate: A vendor (e.g., mail house, CRM provider) may receive limited PHI for fundraising under a Business Associate Agreement.
  • Institutionally Related Foundation: A charitable foundation tied to your organization may also receive the permitted PHI to raise funds for your benefit.

Key terms

  • Protected Health Information (PHI): Individually identifiable health information maintained or transmitted by a covered entity or business associate.
  • Covered Entity: A health plan, health care clearinghouse, or health care provider that transmits health information electronically.
  • Business Associate: A person or company that performs services involving PHI for a covered entity.

Core compliance principles

  • Use only the categories of PHI that HIPAA permits for fundraising.
  • Include a clear Opt-Out Mechanism in every fundraising communication and honor requests promptly.
  • Describe your fundraising practices and opt-out rights in your Notice of Privacy Practices.
  • Do not condition treatment or payment on fundraising participation.
  • Apply the minimum necessary standard and manage vendors carefully.

Permissible Use of PHI for Fundraising

HIPAA specifies exactly what PHI you may use or disclose for fundraising without Patient Authorization. Staying within these limits is essential to remain compliant.

PHI you may use or disclose without authorization

  • Demographic information (e.g., name, address, contact details, age, gender).
  • Dates of health care provided (e.g., visit or discharge dates).
  • Department of service (e.g., oncology, cardiology) where the patient received care.
  • Treating physician information.
  • General outcome information (e.g., whether treatment had a positive or negative result).
  • Health insurance status (e.g., insured, self-pay), not detailed coverage data.

You may segment outreach using these data points (for example, contacting former cardiology patients about supporting the heart institute). Do not use diagnosis, procedure codes, medications, test results, detailed clinical notes, or payment amounts without authorization.

When you must obtain Patient Authorization

  • If you want to use PHI beyond the permitted categories (e.g., diagnosis or specific treatment information).
  • If fundraising would benefit a third party that is not your institutionally related foundation.
  • If the activity crosses into marketing (see “Distinguishing Marketing Communications”).

Authorizations must be voluntary, specific to the purpose, and revocable, and they must not be combined with treatment or payment conditions.

Notice of Privacy Practices Requirements

Your Notice of Privacy Practices (NPP) must tell patients that you may use limited PHI to contact them for fundraising and that they have the right to opt out of future solicitations.

What your NPP must say

  • That your covered entity may use certain PHI for its own fundraising efforts or disclose it to a business associate or institutionally related foundation.
  • That individuals can opt out of receiving fundraising communications at any time.
  • How to exercise that right using a simple, readily available process.

Operational tips

  • Ensure the NPP’s fundraising statement is clear, prominent, and consistent with your actual practices.
  • Train staff to answer questions about fundraising and opt-out rights.
  • Align all communication templates with the NPP language to avoid mixed messages.

Opt-Out Rights and Procedures

HIPAA requires that every fundraising message provide a clear and conspicuous opportunity to opt out, and that the method not impose an undue burden or more than a nominal cost on the individual.


Design a clear opt-out mechanism

  • Include a toll-free number, reply email, or pre-paid mail option in each solicitation.
  • Offer channel choices (e.g., stop emails, stop calls, or stop all fundraising).
  • Do not require a login or multi-step account creation to opt out.
  • Confirm the request and explain what communications will stop and when.

Managing and honoring opt-outs

  • Maintain a suppression list synchronized across your CRM, email, phone, mail, and any business associate systems.
  • Honor requests promptly and ensure future campaigns exclude opted-out individuals.
  • Allow individuals to change preferences easily, including opting back in if they choose.
  • Audit vendors regularly to verify compliance with your suppression lists.
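The permitted-PHI allowlist from “Permissible Use of PHI for Fundraising” and the channel-level suppression list described above can be enforced in one place before any extract leaves the covered entity. The Python below is an added illustration, not code from the article or from Accountable; the field names, the `"all"` channel marker, and the sample patient and suppression records are assumptions constructed for the example.

```python
"""Build a minimum-necessary fundraising extract that honours opt-outs (added example)."""

# Allowlist of the categories the article says may be used for fundraising
# without authorization. Diagnosis, procedure codes, medications, test
# results, clinical notes and payment amounts are absent, so they are dropped.
# "patient_id" is an assumed internal join key used only to match the
# suppression list; it is not sent to vendors in this example.
PERMITTED_FIELDS = frozenset({
    "patient_id", "name", "address", "email", "phone", "age", "gender",
    "service_dates", "department", "treating_physician",
    "general_outcome", "insurance_status",
})

def minimum_necessary(record):
    """Keep only allowlisted fields; unknown fields are silently excluded."""
    return {k: v for k, v in record.items() if k in PERMITTED_FIELDS}

def is_suppressed(suppression, patient_id, channel):
    """True if the person opted out of this channel or of all fundraising."""
    channels = suppression.get(patient_id, set())
    return "all" in channels or channel in channels

def build_extract(records, suppression, channel, department=None):
    """Segment by department (optional), drop opted-out people, then minimise."""
    extract = []
    for rec in records:
        if department and rec.get("department") != department:
            continue
        if is_suppressed(suppression, rec["patient_id"], channel):
            continue
        extract.append(minimum_necessary(rec))
    return extract

# Constructed sample data (fictional, not real patients).
PATIENTS = [
    {"patient_id": "p1", "name": "A. Example", "email": "a@example.org",
     "department": "cardiology", "service_dates": ["2025-03-02"],
     "diagnosis": "I50.9", "payment_amount": 1200.00,
     "general_outcome": "positive", "insurance_status": "insured"},
    {"patient_id": "p2", "name": "B. Example", "email": "b@example.org",
     "department": "cardiology", "service_dates": ["2025-04-10"],
     "diagnosis": "I21.4", "test_results": "troponin elevated"},
    {"patient_id": "p3", "name": "C. Example", "email": "c@example.org",
     "department": "oncology", "service_dates": ["2025-05-01"]},
]
# Suppression list: p2 opted out of everything, p3 opted out of email only.
SUPPRESSION = {"p2": {"all"}, "p3": {"email"}}

if __name__ == "__main__":
    for row in build_extract(PATIENTS, SUPPRESSION, "email", department="cardiology"):
        print(row)
```

Running the module prints only p1’s allowlisted fields; p2 is excluded by the suppression list and the diagnosis and payment amount never appear in the output.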

Prohibition on Conditioning Treatment or Payment

You may not condition treatment, access, scheduling priority, or payment on a patient’s willingness to receive, ignore, opt out of, or contribute in response to fundraising communications. Care decisions must remain completely separate from development activities.

Permissible acknowledgments

  • Thank-you letters, donor wall recognition, or event invitations are acceptable as long as they are unrelated to clinical decision-making.
  • Staff may not imply that donations influence care, placement, or physician access.

Opt-In Procedures for Fundraising

HIPAA does not require an opt-in to send permitted fundraising communications. Still, many organizations adopt opt-in to strengthen trust, improve data quality, and reduce complaints.

  • Collect consent at registration, discharge, or online using a separate, plainly worded checkbox.
  • Describe what you will send (e.g., impact stories, annual appeals) and the channels you will use.
  • Record channel-level preferences (email, phone, SMS, mail) and maintain timestamps and source.
  • Allow easy updates and provide confirmation receipts for transparency.

Reversals and re-engagement

  • Once someone opts out, you may not send further fundraising communications unless they proactively opt back in.
  • Keep proof of consent and maintain clear audit trails across all systems and business associates.

Authorization versus opt-in

Opt-in reflects communication preferences. Patient Authorization is a formal HIPAA permission needed when you use PHI beyond the permitted fundraising categories or when the activity benefits an outside party. Do not substitute opt-in for a required authorization.

Distinguishing Marketing Communications

Fundraising asks for charitable support for your organization. Marketing, by contrast, promotes a product or service and typically requires Patient Authorization if it involves financial remuneration from a third party or falls outside specific exceptions.

What counts as marketing

  • Communications encouraging enrollment in a commercial health plan or purchase of a non-covered product or service.
  • Paid promotions of third-party products or services unrelated to the individual’s treatment or care coordination.

Marketing Authorization Exceptions

  • Face-to-face communications about health-related products or services you provide.
  • Promotional gifts of nominal value (e.g., a pen or calendar).
  • Refill reminders or communications about a drug or biologic currently being prescribed, where any payment received is reasonably related to the communication’s cost.
  • Communications for treatment, case management, or care coordination, including recommending alternative treatments, providers, or settings.

Practical examples

  • Fundraising: “Please support our children’s hospital renovation.” (Permissible using limited PHI with an opt-out.)
  • Marketing: “Sign up for this commercial weight-loss program.” (Likely requires authorization unless an exception applies.)
  • Targeted fundraising: “Former cardiology patients, help advance heart research.” (Permissible using department-of-service data; avoid disclosing diagnoses.)

Conclusion

To comply with HIPAA fundraising rules, use only the permitted PHI, provide an effortless opt-out in every message, never tie care to giving, and distinguish fundraising from marketing. When in doubt, secure Patient Authorization or narrow your data to the minimum necessary and refine your Opt-Out Mechanism and NPP disclosures.

FAQs

What PHI can be used for fundraising without authorization?

You may use or disclose demographic details, dates of service, department of service, treating physician, general outcome information, and health insurance status. Do not include diagnosis, procedure details, test results, or payment amounts unless you obtain Patient Authorization.

How must covered entities provide opt-out options?

Every fundraising communication must include a clear, no-cost Opt-Out Mechanism (e.g., toll-free number, reply email, prepaid mail). The method cannot be burdensome, must be honored promptly, and should remove the person from future fundraising across all channels and vendors.

Can treatment be conditioned on fundraising participation?

No. HIPAA prohibits conditioning treatment or payment on whether someone receives or responds to fundraising communications. Care access, scheduling, and clinical decision-making must remain independent of development efforts.

What are exceptions to marketing authorization under HIPAA?

Common exceptions include face-to-face communications, promotional gifts of nominal value, refill reminders or communications about a currently prescribed drug where any remuneration is limited to reasonable costs, and communications for treatment, case management, or care coordination. Outside these exceptions, marketing generally requires Patient Authorization.
