Use of Patients' Protected Health Information to Solicit Hospital Funds: How did This Practice Come About?

Modifications to Health Insurance Portability and Accountability Act (HIPAA) have allowed for the disclosure of patient protected health information (PHI) for the purpose of hospital fundraising. The public has recently raised ethical concerns regarding these practices. We examined the forces that brought about these HIPAA modifications. We first examined 304 comments submitted to the proposed rule for the HIPPA regulation modifications. We additionally queried the OpenSecrets repository for lobbying activity by these commenters. We found that 57 out of the 304 comments pertained specifically to fundraising practices. The majority of comments were from hospital developmental (fundraising) offices (51%, 29 of 57 comments), and the majority (96%, 24 of 25 hospital comments; 83%, 34 of 41 total comments discussing PHI disclosure) supported additional PHI disclosure. There was a paucity of comments from physician organizations (1 of 57) and patient advocates (2 of 57). The majority of lobbying dollars (95% of over $81 million) were from commenters who favored the modifications. The lack of physician and patient representation in the rule-making process likely contributed to the creation of regulations that elicit ethical concerns in physicians, and potential harm for patients.

Introduction

After modification of the Health Insurance Portability and Accountability Act (HIPAA) regulations in 2013, increasing concerns have been raised for disclosing the protected health information (PHI) of patients to those not involved in patient care for the purpose of hospital fundraising, including wealth-screening patients to identify potential donors (1). Physicians play a pivotal role, as their relationships with patients can facilitate favorable fundraising outcomes (2). However, among physicians who have been successful at encouraging patient donations, various concerns have been expressed, including changing patient expectations related to privacy, tainting of the physician–patient trust relationship, compromising a level playing field for the treatment of all patients, as well as the possibility of vulnerable patients and their families being taken advantage of (2). In the past couple of years, New York Times articles have highlighted how physician involvement in hospital philanthropy through “grateful patient programs” is controversial (3,4).

While some hospitals affirm these fundraising efforts are necessary, for example, to defray costs for uninsured patients, growing evidence suggests the practice infringes on patient trust (4,5). A 2019 survey demonstrated the universal extent of public disapproval: 85.8% of the general public disapproves of physicians discussing donating with patients if the patient has not brought it up, 91.5% disapprove of physicians providing patient names to hospital fundraising staff without patients’ permission, 90.1% disapprove of hospital development staff performing wealth screening using publicly available data, and 83.2% agree that physicians discussing donating with patients may interfere with the patient–physician relationship (5).

In modern democracies, it is very rare that fundamental protections for vulnerable patient populations are weakened. Historically, fundamental patient protections have been threatened only on a few occasions, particularly during periods of war or population migration (6). More recently, efforts to weaken insurance coverage for preexisting conditions mandated by Obama Care would have placed sicker people at risk of not obtaining accessible care (7,8). Utilizing wealth screening could create a tiered health care delivery system, with rich patients given more attention as they would be more likely to donate money. We argue that changes to fundamental patient protections are a bellwether sign necessitating further investigation to understand the forces propelling the change.

The modifications to the HIPAA regulations, effective March 2013, were proposed, approved, and released by the Department of Health and Human Services (HHS), as an update to the 2000 HIPAA regulations. Here we outline some of the forces that brought about this change in fundraising disclosure policies by examining lobbying efforts and the comments submitted to the proposal of these regulation modifications, titled Health Information Technology for Economic and Clinical Health Act: Modifications to the HIPAA Privacy, Security, and Enforcement Rules (9).

Methods

HHS posted the proposed rule to regulations.gov on July 14, 2010 (Docket ID: HHS-OCR-2010-0016) (10). The public then had a 2-month period to submit comments. HHS solicited comments on whether additional patient information should be allowed to be disclosed for fundraising purposes (in addition to the then current permitted information of demographics and the dates of health care), and if so, what additional information should be disclosed. HHS also solicited comments on if additional patient information disclosure is permitted, whether or not covered entities (defined as health plans, health care clearinghouses, and health care providers) should be required to provide patients with an opportunity to opt out before making the first fundraising solicitation, and with each subsequent solicitation (9).

A total of 304 comments were received by this deadline and posted. We downloaded the docket of comments, which is freely accessible to the public (10). We categorized each comment by sender type (such as university-based hospitals, health centers, hospital systems or groups, associations, companies, and organizations), and comment subject. We then filtered our comment categorization database to just include those related to fundraising. We then categorized these fundraising comments on what their opinions or recommendations were on patient fundraising policies. We extracted data on comment number, date posted, organization name, submitter name, commenter category, whether the organization supports an opt-out or opt-in policy, whether the organization supports disclosing additional patient information, and if the organization requests additional clarification from HSS. We grouped comments by sender type (academic affiliated hospital, nonacademic affiliated hospital, medical data management or privacy organization, private medical clinic, and others). Within each sender group, we tallied the No. of comments in favor of and in opposition of additional PHI disclosure, and the No. of comments in favor of specific opt-out processes. To complement these results, we queried the OpenSecrets database (opensecrets.org) for lobbying performed in the 2010 (or closest available) filing year for the commenters identified in the HSS docket whose comments pertained to fundraising.

Since all of the data analyzed in this study is freely available to the public and already published, this study was exempt from an Institutional Review Board or Ethics Committee approval.

Results

Out of the 304 comments, 59 pertained to fundraising (Supplementary Table 1). Two pairs of comments were duplicates. Of the 57 unique comments, 11 were from an academic affiliated hospital, 18 were from a (nonacademic) hospital or health care system, 11 were from professional national associations (eg, American Medical Association, American Hospital Association), 13 were from medical data management or privacy organizations (including 12 nonprofits and 1 law firm), 2 were from private medical clinics, and 2 were from others (a hospital fundraiser/lawyer who was not a representative of any group, and a group of business students commenting for a school public service project) (Supplementary Table 2).

Additional PHI Disclosure

Regarding the topic of whether additional patient information should be disclosed (eg, treating physician name and treatment outcomes), 8 academic affiliated hospitals were in favor of additional disclosure, and 1 affirmed disclosure of only the minimum necessary information (2 did not comment). Sixteen nonacademic hospitals or health care systems were in favor of additional disclosure (2 did not comment). Three organizations were in favor of additional disclosure, 4 were not in favor of additional disclosure, 1 recommended that patients should have to opt in for additional PHI disclosure, 1 recommended that patients should have to opt in to receive any fundraising communications (4 did not comment). Six professional associations were in favor of additional disclosure (5 did not comment). To note, these 6 professional associations were not associations representing physicians but rather hospitals, philanthropy, and informatics. One private medical clinic was in favor of additional disclosure (1 did not comment) (Table 1).

Table 1.

Breakdown of the Comments by Submitter Category (Sample Comments as shown in Supplementary Table 2).

	# of Comments	Additional PHI Disclosure*	Opt-Out Process*
University-affiliated hospitals	11	8 in favor, 1 not in favor	2 all-or-nothing, 3 campaign-specific, 1 flexible, 2 supported opt out but no specifications
Hospital/health care systems	18	16 in favor	2 all-or-nothing, 6 campaign-specific, 1 flexible, 2 supported opt out but no specifications
Organizations (medical data management and privacy related)	13	3 in favor, 6 not in favor	3 all-or-nothing, 2 campaign-specific, 1 patient choice, 1 only applies to communications sent using PHI, 2 supported opt out but no specifications
Professional Medical Associations	11	6 in favor	1 all-or-nothing, 4 campaign-specific, 4 supported opt out but no specifications
Private medical clinics	2	1 in favor	1 opt out not allowed

Totals that do not add up to the # of comments indicate some comments did not discuss the topic of interest.

Abbreviation: PIH, protected health information.

Opt-Out Process

Stances on whether or not to have an opt-out process included supporting an all-or-nothing process (ie, the patient's opt out is applicable to all fundraising campaigns), a campaign-specific process (ie, the patient's opt out only applies to the specific campaign), a flexible process (the covered entity can decide whether the opt out applies to all fundraising or just the specific fundraising campaign), or supporting having an opt-out process but not specifying recommendations in the comment.

Two academic affiliated hospitals favored all-or-nothing, 3 favored campaign-specific, 1 favored flexibility, 2 did not specify recommendations (3 did not comment). Two nonacademic hospital or health care systems favored all-or-nothing, 6 favored campaign-specific, 2 favored flexibility, and 3 did not specify recommendations (6 did not comment). Three organizations favored all-or-nothing, 2 favored campaign-specific, 1 recommended that the patient choose how the opt out applies, one recommended that the opt out only applies to communications sent using PHI, and fundraising communications should still be able to be made based on information such as zip codes, and 2 did not specify recommendations (4 did not comment). One professional national association favored all-or-nothing, 4 favored campaign-specific, and 4 did not specify recommendations (2 did not comment). One private medical clinic recommended that opting out should not be allowed because it is better for patients to be informed of any initiatives through communications from health providers (1 did not comment).

Lobbying Filings

On the OpenSecrets lobbying repository, 42 out of the 58 commenting organizations were found to participate in lobbying. The vast majority of dollars spent were by supporters of the modifications (additional PHI disclosure). $77,371,349 was spent on lobbying by the proponents of HIPAA changes, $3,624,871 was spent on lobbying for those neutral to HIPAA changes, and $409,731 was spent on lobbying by those against the HIPAA changes (see Figure 1 for details).

Figure 1.

Lobbying done in 2010 (or closest year if 2010 data were not available) by the organizations who commented on the proposed rule on HIPAA modifications. $77,371,349 was spent on lobbying by the proponents of HIPAA changes ($30,183,115 from group 1, $24,129,358 from group 2, and $23,058,876 from group 3). $3,624,871 was spent on lobbying for those neutral to HIPAA changes (group 4). $409,731 was spent on lobbying by those against the HIPAA changes (all from group 7).

Discussion

Our analysis demonstrates that over half the comments submitted to the proposed HIPAA modifications were from hospitals, the majority of whom supported permitting additional PHI disclosure. Additionally, the great majority of lobbying dollars were spent by proponents of the HIPAA change. The framework for these legal alterations began in 1996 when President Clinton signed HIPAA into law. The purpose of HIPAA was to protect the patient information maintained by healthcare and insurance companies from fraud and theft. This law required HHS to enact privacy legislations regarding patient identifiable information within 3 years of HIPAA's enactment if Congress failed to do so.

Privacy regulations were enacted by HHS in 1999 and 2000, and limited the exposure of PHI to 3 entities: (1) health plans (2) health care clearinghouses, and (3) health care providers who transmit electronic health information (11). In 2009, President Obama signed into law the American Recovery and Reinvestment Act (ARRA), and within this act, a provision (12) known as the Health Information Technology for Economic and Clinical Health Act (HITECH) expanded legal language enabling the grateful patient programs (GPPs) under scrutiny in this paper. The 2013 modifications to HITECH expanded the use of PHI for fundraising and nonmedical use and allowed additional classes of PHI (including department of service, treating physician, and outcome information) to be disclosed without prior patient authorization, thus further weakening confidentiality restrictions (13). This transition in regulations has led to a paradigm shift in data use policy that directly impacts patients.

Patients were the only group of donors to increase their share of giving between 2008 and 2011, ie, the timeframe preceding these legislative changes (14). The 2013 HIPAA modifications occurred during the aftermath of the 2008 recession, during which federal funding was waning and hospitals may have been seeking additional funding sources (15). A 2016 survey of 108 health institutions found that 76% of institutions operate a GPP, and 95% of the institutions without an existing GPP plan to launch or relaunch one within 3 years (16). Of institutions with GPPs, the most frequent near future investment was to increase efforts of physician engagement in patient referrals (16). Unfortunately, although GPPs are a common practice at hospitals, ethical guidelines and published reports of individual hospital experiences regarding GPPs are rare. A survey on a convenience sample of 13 major academic hospitals found none of the institutions had guidelines for ethical considerations (17). Moreover, the limited literature that shows the successes of grateful patient fundraising is not without flaws. A randomized trial published in January 2012, before the HIPAA modifications were released, showed that one-on-one coaching of physicians by a developmental office on soliciting funds from patients resulted in enhanced philanthropic donations (18). However, this same group published the following year, in May 2013, that the physicians who were successful fundraisers were troubled by and had ethical concerns around soliciting patient donations (2).

There were significant groups of stakeholders from which our analysis shows sparse comments were received, including physicians whose clinical descriptors would now be disclosed and who might be pressured to participate in the fundraising solicitation. Indeed, most healthcare workers not involved in administrative decision making, including the majority of front-line healthcare workers, did not have a voice in the legislative changes. This paucity of physician opinion in the rulemaking process may have been because relatively few physician representative groups reviewed the proposal and surveyed opinions on it, or may have been caused by a lack of hindsight on the extent to which certain developmental departments involve physicians in fundraising efforts (1,2,19–21). Though the American Medical Association submitted a comment, many physicians no longer view the group as a representative organization (22), and no other traditional medical associations, surgical or medical, participated. The associations that did participate, rather, included hospital, philanthropic, and medical informatics associations.

There was also a scarcity of comments from patient advocacy groups (2 commenting organizations function as patient advocacy groups; the Patient Privacy Rights and World Privacy Forum). Patients may be unaware that PHI is shared with development offices, and feel their privacy and confidentiality has been violated (18). The majority of the US adult patients have concerns about data breaches when their PHI is transferred between healthcare professionals, which has resulted in some patients withholding information from a healthcare professional (5,23). These fears and concerns emphasize the need to ensure that (1) patients are informed when their PHI will be shared, particularly when disclosure is for nonmedical purposes and (2) patient viewpoints are represented when developing health policy (24).

Differences in opinions based on comment author existed. Overall, all comments against permitting more PHI disclosure were from privacy or patient rights’ nonprofits, and almost all hospitals (university and nonacademic) supported additional PHI disclosure. The comments from hospitals were primarily sent from the fundraising or development departments, and argued that allowing additional PHI to be used in fundraising efforts would allow for more targeted efforts and more efficient use of limited fundraising budgets. Following the 2013 HIPAA modifications, there has been a surge in both hospital services that utilize PHI (eg, wealth screening, concierge/VIP programs) (16,17), and PHI breaches by covered entities (eg, hospitals) (25) and their service providers (26).

Previous analysts have remarked that the issue with the comments in favor of additional PHI disclosure is that they did not discuss the crucial question of how to properly balance the confidentiality of the patient with the desire of the hospital to use PHI for fundraising purposes; rather, they simply reiterated that increased access to a larger subset of PHI could enhance and ease hospital fundraising efforts (11). This may have been in part because HHS solicited comments on the quite narrow question of whether additional categories of PHI should be allowed to be disclosed for fundraising, instead of prompting further discussion by asking for ideas on how to balance patient privacy with health care philanthropy (11).

Nearly all who commented on the opt-out process were in favor of having it, though split opinions existed on whether the process should be all-or-nothing or specific campaign based. A privacy rights organization recommended that patients should have the right and option to opt in to receive any fundraising communications as the public prefers to opt in rather than to opt out when pertaining to the use of sensitive health information. Ultimately, HHS gave flexibility to covered entities to decide how to implement the opt-out process, though covered entities must have an opt-out process that is clearly communicated to patients, and it may not cause an individual an undue burden or more than a nominal cost (13). The final rule does not require a pre-solicitation opt out be provided, so a hospital may run a program where patient information is distributed to development staff without an explicit opt out. There is no mechanism within the regulation for physicians to protect or exclude their patients from this process of distributing patient information for development staff.

Examining the rate of return of lobbying activity, dollar per dollar, on a specific piece of legislation is tricky for structural reasons. In an analysis on lobbying for tax breaks, researchers found a return on investment in excess of $220 for every $1 spent on lobbying, ie, a 22,000% return on investment (27). Lobbying remains a powerful influence on defining public policy, and as is clear in our analysis, the legislation was ultimately changed in favor of the parties who spent the most lobbying dollars. The datasets analyzed here, however, are limited since in required quarterly reports, lobbying firms report client identification instead of the issues discussed (28). This leaves a gap in the reporting of granular topics.

Although lobbying in and of itself has been shown to have mixed results (a past study demonstrated less than half of lobbying efforts achieve the desired change) (29), lobbying efforts are a proxy measurement for resources an organization has. Additionally, business corporations, such as hospitals, are more likely to have the organizational structure to generate better quality comments, including resources to generate a more persuasively drafted argument with relevant data. In contrast, interest groups, such as specialty physician medical associations or privacy right groups are less likely to have such an organizational structure and tend to be less successful through political voice (30). Indeed, a past study demonstrated that business interests tend to have greater success in the notice and comment procedure, likely due to strength in numbers and the ability to craft better quality letters (31).

Although the HIPAA modifications discussed in our analysis were introduced over a decade ago and the legislature was passed in 2013, the HIPAA modifications continue to affect patients and this issue is still very much relevant today. In the past couple of years, major newspapers have published on GPPs and use of PHI for hospital fundraising purposes, and highlighted the public's disproval of the practice (3,4). Additional modifications to HIPAA specifically allowing greater ease of patient information flow and disclosure including for non-health care operations continue to be made today (32). Raising light on this issue will help patient advocates and health care providers make informed decisions on how to respond to current and future legislative changes. This also highlights the need for action of health care providers in understanding the GPP practices at their institution and advocating on behalf of their patients.

This legislature change occurred partly because other stakeholders, namely health care providers and patient advocates, were not aware of the policy changes and for the most part are still largely unaware that these practices are happening in hospital developmental offices. Indeed, generally, development departments do not preferentially want their targeted patients to know that wealth screening is being performed on them. Discussing these practices may help to catalyze change. In particular, highlighting GPPs in the news and in the academic literature will do best to highlight the associated ethical issues. We anticipate that with knowledge of GPPs, patients may be more mindful and empowered about seeking information on how their personal information may be used to wealth screen at their doctor's offices and hospitals. Patient advocacy groups may act to help change this practice, particularly since the HHS is again soliciting comments on possible legislature changes that would make it easier to share PHI (32). Health care providers may also be more cognizant on the GPP practices at their institutions, and advocate on behalf of their patients.

We have multiple recommendations for future research. We propose surveying of the developmental offices of 100 public medical school hospitals, 100 private medical school hospitals, and 100 non-university-based hospitals to understand the prevalence of wealth screening, commercial screening and database software used, regulatory compliance and oversight, and database access and control. We also recommend surveying these institutions regarding the ten largest donations they received in the past fiscal year, on what percentage of the donors were initially identified through wealth screening software or brought to the attention of development offices by medical staff or the donors themselves. This would contextualize the impact of GPPs. Additionally, we propose conducting a “virtue ethics” analysis in the context of GPPs and wealth screening in the medical population and were compared to wealth screening programs in the nonmedical nonprofit populations. This analysis would involve the identification of potential regulative ideals (eg, values) used within organizations used to set normative conduct and rules. The regulative ideals could then be compared between the medical and nonmedical organizations to identify unique ethical concerns in the medical contexts.

Though there is a lack of literature on how the money generated from GPPs is used, alternatives exist. Venture philanthropy, in which health organizations take on specific issues and raise money to translate discoveries into therapies, can produce quicker outcomes than traditional patient fundraising (33). Not-for-profit organizations can cultivate philanthropy for research, by targeting large foundations (33). Finally, it may be possible to perform wealth screening of patients in an ethical manner if it is clearly disclosed to patients and their families. With the advancement of artificial intelligence technology, ethical planning and management of GPPs may be possible in the future. Consenting patients may also be more likely to give.

Conclusions

Our analysis demonstrates hospitals (both university-based and nonacademic based) were strongly supportive of additional PHI disclosure for fundraising solicitation purposes. A lack of physician representation and patient advocacy was present in the comments submitted in response to the HIPAA modification proposal, even though the modifications impacted these stakeholders greatly. The majority of lobbying dollars spent on this issue were from proponents of the HIPAA change. Taken together, these results highlight the key drivers behind a lapse in fundamental patient protections. When shaping health policy decisions, it is key to consider the perspectives of all involved, including patients, their advocates, and physicians.

Click here for additional data file.

Supplemental material, sj-docx-1-jpx-10.1177_23743735221106604 for Use of Patients’ Protected Health Information to Solicit Hospital Funds: How did This Practice Come About? by Uma V Mahajan, Vahid Wafapoor, Omkar A Mahajan and William S Anderson in Journal of Patient Experience