Fundraising and HIPAA

All fundraising activities within the Columbia University Healthcare Component (CUHC) will be conducted in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Reason(s) for the Policy

To provide guidance regarding the use of Protected Health Information (PHI) for fundraising purposes, including the procedure to follow when a patient wishes to opt out of receiving fundraising communications from the CUHC.

Primary Guidance To Which This Policy Responds

HIPAA Administrative Simplification and Final Omnibus Rule of 2013 45 CFR § 164.514(f)

Who is Governed by This Policy

CUHC workforce members.

Who Should Know This Policy

All faculty, staff and students

Exclusions and Special Situations

This policy only applies to fundraising activities within the CUHC.

CUHC may use certain protected health information (“PHI”) for fundraising purposes, but must allow patients to opt-out of receiving further fundraising communications.

  1. The following protected health information may be used by CUHC for fundraising purposes:
    • demographic information (e.g., name, suffix, title, address, date of birth/age, gender, language, race, ethnicity, marital status, occupation, email addresses, telephone numbers, minors’ guarantor information)
    • health insurance
    • department of service, and location of service
    • provider name and specialty
    • date(s) of service (excluding future appointments)
    • treatment outcome (deceased only)
    • Patient ID/EPIC MRN - Used to suppress patients who 'opt out' of fundraising, data management and included in gift officer reports for meetings with faculty
  2. Patients have the right to opt out of receiving fundraising communications. The Office of Development maintains a list of individuals who have requested not to be contacted for fundraising purposes.
  3. Any CUHC workforce member that is informed of a request to opt out of receiving fundraising communications by a patient or his/her designated representative should direct that person to contact the CUIMC Office of Development to process the request. The individual may email Development at [email protected] or call 212-305-9795.
  4. Before contacting a patient for fundraising purposes:
    • The sender of the communication must contact the CUIMC Office of Development at [email protected] or 212-305-9795 to verify that an opt out request is not on file for that individual.
    • All written, electronic, or verbal communications for a fundraising purpose must clearly inform the patient that they have the right to opt out of receiving future communications and how to exercise this right.
    • Information mailed or emailed to patients for the purpose of soliciting a donation must include the following required opt out language:
      • Please contact the CUIMC Office of Development at [email protected] or 212-305-9795 if you wish to opt out of receiving fundraising communications.
  5. Questions about this policy may be directed to the Office of Development or the Privacy Office.



CUHC workforce members must:

  • Comply with regulatory requirements and respect a patient’s request to not receive fundraising communications.
  • Contact the CUIMC Office of Development before any fundraising communications are sent to patients to verify that the individual(s) have not previously opted out.
  • Include required disclosure statement in any patient solicitations.



Columbia University Healthcare Component (CUHC) – Columbia University is a Hybrid Entity that has designated as its Healthcare Component (the Columbia University Healthcare Component) Columbia University Medical Center and the other colleges, schools, departments and offices of the University to the extent that they (i) provide treatment or health care services and engage in Covered Transactions electronically or (ii) receive Protected Health Information to provide a service to, or perform a function for or on behalf of, the Columbia University Healthcare Component.

Covered Entity – (i) a health plan, (ii) healthcare clearinghouse, or (iii) healthcare provider that transmits any health information in electronic form in connection with a Covered Transaction.

Hybrid Entity – A single legal entity (i) that is a Covered Entity (ii) whose business activities include both Covered and non-Covered functions and (iii) that designates health care components within the Hybrid Entity as more particularly described in Section 164.103.

Protected Health Information (PHI) is individually identifiable health information:
(1) Except as provided in section (2) of this definition, that is: (i) Transmitted by electronic media; (ii) Maintained in electronic media; or (iii) Transmitted or maintained in any other form or medium (includes paper and oral communications).
(2) Protected Health Information excludes individually identifiable health information: (i) In education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g; (ii) In records described at 20 U.S.C. 1232g(a)(4)(B)(iv); (iii) In employment records held by a covered entity in its role as employer; and (iv) Regarding a person who has been deceased for more than 50 years.