
A Summary of the Proposed HIPAA Regulations Implementing HITECH



Generally, the HIPAA Privacy Rule permits a covered entity to use or disclose limited PHI (only the patient’s demographic information and dates of service) for fundraising purposes without individual authorization,50 as long as the notice of privacy practices (NPP) informs individuals that the covered entity may contact them to raise funds51 and the individual is notified that he or she may opt out of fundraising.


The HITECH Act expands on this provision and requires covered entities to provide the recipient of any fundraising communication with a clear and conspicuous opportunity to opt out of receiving any further fundraising communications.52 The Proposed Rule would implement this change and impose the following additional requirements: 1) the covered entity must provide an individual with an opt-out method that does not cause the individual to incur an undue burden or more than a nominal cost;53 2) the covered entity may not condition treatment or payment on an individual’s decision whether to receive fundraising communications;54 and 3) the covered entity may not send fundraising communications to an individual who has elected not to receive such communications. On this last point, the current rule only requires covered entities to make “reasonable efforts” not to send fundraising communications to individuals who have opted out, but HHS intends to strengthen the policy, treating the decision to opt out more like a revocation of authorization.55



  • 50. 45 C.F.R. § 164.514(f)(1).
  • 51. 45 C.F.R. § 164.514(f)(2).
  • 52. ARRA, Pub. L. No. 111-5, Div. A, Title XIII, § 13405(d)(2), 123 Stat. 264-68 (2009).
  • 53. Modifications to the HIPAA Privacy, Security, and Enforcement Rules, 75 Fed. Reg. at 40,922-23 (to be codified at 45 C.F.R. § 164.514(f)).
  • 54. Id.
  • 55. Id. at 40,897, 40,922-23.