Departments & Programs,UW Hospital and Clinics,Compliance,Privacy,HIPAA

Health Care Fundraising: Privacy Considerations

Health Care Fundraising: Privacy Considerations - Departments & Programs, UW Hospital and Clinics, Compliance, Privacy, HIPAA


February: 2012 

Prepared by Daniel Weissburg, J.D., C.H.C., Director of Compliance and Privacy Officer, UWHC 

One effective category of fundraising is that which is targeted to a population known to have a particular affinity for the cause for which funds are being raised. In a disease-specific health care context, one portion of that population is comprised of current and former patients that have been treated for the disease at issue. This is sometimes called “grateful patient” fundraising. Another portion of that population is friends and family members of those same grateful patients. 

Federal privacy laws, and UWHC’s policies that reflect those laws, dictate a process by which a grateful patient may be approached for disease-specific fundraising. Key to this process is patient authorization. It should be noted that other categories of health care fundraising may be undertaken absent patient consent.  These other categories should not be ignored, but may be less effective than grateful patient fundraising. 

Category #1:  Fundraising that does not Require Patient Authorization 

Fundraising activities that involve only the use of a patient’s demographic information and dates of service do not require patient authorization. Fundraising under this category may not be targeted by disease or type of treatment. It can, however, be targeted by patient age, gender and dates of service. If more detailed and specific health care information (called “protected health information” or “PHI”) is used, the fundraising activity falls into Category #2, discussed below. 

If a current or former patient states an unsolicited desire to donate money, staff may give the individual’s contact information to the University of Wisconsin Foundation or its designated representative to follow-up. When a current or former patient takes the initiative to donate money, not in response to a fundraising solicitation, no authorization is needed. 

No authorization is required to fundraise from individuals listed on outside mailing lists, like mailing lists that were not generated or created from UWHC patient databases. 

Some examples of fundraising activities that do not require authorization include:

Category #2: Fundraising that Requires Patient Authorization

Before any detailed and specific patient information (other than demographic information and/or dates of service) is to be used for fundraising purposes, a written authorization must be obtained from the patient. 

Some examples of fundraising activities that require authorization include:

Securing the needed authorization can be done via a two step process: 

Step One: Non-Fundraising Communication. A diagnosis-specific list may be contacted for purposes other than fundraising even if no patient authorization is in place. Such purposes include providing information about:

A small component of the non-fundraising communication may include an invitation to receive other information, “including information about how you can support X at UWHC.” 

Step Two: Securing the Authorization. Patients and former patients who elect to accept this invitation should be directed to execute a form authorization that allows direct fundraising. This authorization can be agreed to by a computer click, and need not be overly legalistic. Indeed, it can be presented so as to demonstrate UWHC’s aggressive commitment to patient privacy with language like the following. 

“UWHC’s top priority is patient privacy. Accordingly, we will only contact you with information on opportunities to support X if you give your specific authorization, and you may easily revoke this authorization at anytime.” 

The exact language used should be tailored to the specific fundraising campaign, and all language must be approved by UWHC’s Privacy Officer. Once the authorization is secured, fundraising activities and appeals may proceed. 

Opt Out Opportunities 

All communications to a diagnosis specific list, including those made to a list of patients from whom authorizations have been secured, must include an opportunity to easily opt out of receiving future communications. 


By its nature and by law, fundraising from patients raises some unique challenges. 

Thoughtfully structured health care fundraising campaigns can meet the twin goals of effectiveness and compliance with privacy laws. Frequent, early communication among the internal stake holders, including the Privacy Officer, is advisable.