By the Apra Ethics & Compliance Committee
Well, what a year-and-a-half we have had! The pandemic introduced many new scenarios that our organization was not anticipating: remote work, extended closures of public facilities, Zoom fatigue, child and four-legged coworkers, and new health and safety protocols. As we are heading back into the office, discussions around our COVID-19 experiences and concerns are constant: whether it’s best to continue remote work, go back full time, or to have a hybrid model, as well as the scourge of “mask-ne,” vaccines (rates, efficacy and mandates), and the sad reality that many people we know and love have gotten very sick or passed away.
As our fundraisers connect with donors, they are getting information on vaccination status, COVID-19 diagnosis and long-haul health-related issues. Additionally, I’m vaccinated, but some of my coworkers aren’t and I’m not sure if we’re allowed to openly talk about status. Do you have any ethical recommendations around COVID-related information?
Happy to be out of the House
Your Ethicist is also happy to put on real clothes and venture (safely) into the world again, while crossing our fingers that the vaccine stays strong and variants slow down. That said, there are several elements about returning to the office that we will weigh in on.
Firstly, coworkers discussing individual vaccine status is not illegal. The Health Insurance Portability and Accountability Act (HIPAA) is a privacy law that prevents healthcare professionals from sharing health information without the patient’s permission. The law doesn’t apply outside of a confidential healthcare setting or patient relationship; regardless of your work environment, water cooler discussions between coworkers that are not about prospects or patients aren’t violating the law. Similarly, under GDPR, a person’s COVID status is classed as special category data as it is their private health information, so an individual can disclose their vaccine status if they so choose.
Secondly, it is inevitable that some of our donors and prospects will contract or be affected by COVID-19, and vaccine status will likely be discussed as a safety concern. While a gift officer might want to document every detail, it’s important to consider issues of HIPAA compliance and GDPR, donor strategy, and CRM security before adding health-related information to your database.
You should consider whether you have a compelling reason to record health care-related information in your database. Referencing any personal health information as it pertains to the donor or prospect themselves should be strictly avoided. This includes diagnoses of any kind (even the flu!) and information about treatment or surgical procedures.
However, if you believe there is a justifiable business reason for adding health information to your database, the Ethicist recommends using more general, “couched” language:
- Consider rephrasing “Donor X contracted COVID-19 and is now fully recovered” as “Donor X has been personally impacted by the COVID-19 pandemic.”
- Rather than disclosing vaccination status, state what type of meeting circumstances a donor prefers, such as “Donor X is comfortable meeting in person” or “Would rather meet in an outdoor location.”
- If contact should be paused while a donor cares for a family member with a critical illness (e.g., Alzheimer’s or long COVID), avoid naming the specific diagnosis by stating, “Due to serious personal issues, please do not contact X for six months. Check in with frontline fundraiser or development director for details.”
- If you find inappropriate terminology, consult with the note’s author (or a development manager/director, if necessary) before updating the language to make it less explicit. If the note violates organizational or HIPAA guidelines, simply delete it and type “[Redacted].”
While your question was specific to COVID-19, the Ethicist recommends applying these guidelines to all medical and health care information. Even if your organization is only tangentially connected to a health institution, it is still possible to incur a fine if a breach is discovered and your organization’s employees did not receive training. HIPAA and GDPR compliance training should be required for new hires, along with supplementary office-wide training when there is a change in business practices or new rules are issued by applicable country, state and/or regional health governing bodies.
Overall, try to remember compliance standards. While it is fine to discuss freely offered information in person, the Ethicist advises against storing data if it doesn’t move your mission forward or impact interactions with a donor. It is also important to support your frontline fundraisers and other development colleagues with education and consultation as needed.