COVID-19 Update: OCR issues guidance on contacting former COVID-19 patients about blood and plasma donation
On June 12, 2020, the Office for Civil Rights (OCR) issued further guidance on HIPAA compliance during the COVID-19 pandemic. OCR affirmed that HIPAA permits health care providers to use protected health information (PHI) to identify and contact patients who have recovered from COVID-19 to provide them with information regarding blood and plasma donation.
Uses and disclosures for purposes of treatment, payment and health care operations generally do not require the individual’s authorization. Health care operations include population-based activities relating to improving health, and OCR affirmed that contacting patients who have recovered from COVID-19 in order to provide information on blood and plasma donation constitutes a permissible population-based health activity. OCR noted that “facilitating the supply of donated blood and plasma would be expected to improve the provider’s ability to conduct case management for patient populations that have or may become infected with COVID-19.”
The OCR guidance, however, includes two important cautions for providers. First, while these uses and disclosures are permitted, providers must remember to make reasonable efforts to limit the use or disclosure to the minimum necessary to accomplish the intended purpose of the use or disclosure. Second, providers must ensure that these patient communications do not constitute marketing. Generally, the HIPAA Privacy Rule prohibits the use or disclosure of PHI for communications about a product or service that encourages the recipient to purchase or use the product or service without authorization. A communication that informs or encourages patients who have recovered from COVID-19 to use a particular blood or plasma center would constitute marketing unless the communication meets an exception to the definition of marketing. One such exception permits communications for a covered entity’s own population-based case management and related health care operations activities, so long as the covered entity receives no direct or indirect payment from, or on behalf of, the third party whose service is being described in the communication (e.g., a plasma donation center).
The Privacy Rule permits a covered entity to use PHI to identify and contact its own former COVID-19 patients, but it does not permit the covered entity to give the information to a third party plasma donation center to then contact those patients about its own services. Such disclosure would require patient authorization.
It is important for providers, such as hospitals, to conduct appropriate staff education to ensure adherence to this latest OCR guidance.