The Department of Health and Human Services’ Office for Civil Rights has issued new HIPAA guidance to clear up confusion about whether HIPAA authorizations are required from former COVID-19 patients before they can be contacted about blood and plasma donations.
Blood and plasma from patients who have contracted COVID-19 and have recovered contain antibodies against SARS-CoV-2, the virus that causes COVID-19. Those antibodies can potentially be used to help other patients recover from the disease. Antibodies to other viruses that cause respiratory illnesses have been successfully used in treatments in the past, and research studies are now being conducted to determine whether these antibody treatments are effective against COVID-19.
To support the research, patients who have recovered from COVID-19 need to be contacted and advised about the opportunities to donate blood and plasma, but there is a potential issue with the HIPAA Privacy Rule.
The HIPAA Privacy Rule generally does not permit a covered entity to use or disclose a patient’s protected health information for marketing purposes unless prior authorization has been provided by the patient. Contacting patients to advise them about blood and plasma donation programs could be considered a marketing communication.
OCR explained that in the case of blood and plasma donations from COVID-19 patients, prior authorization is only required in certain circumstances, and generally, authorizations are not required.
OCR explained in the new guidance that the HIPAA Privacy Rule permits healthcare providers to contact former COVID-19 patients to advise them about the opportunities for donating blood and plasma to help in the fight against COVID-19.
HIPAA-covered entities and business associates acting on their behalf are permitted to use and disclose PHI for treatment, payment, and healthcare operations, without first receiving authorization from a patient. In this case, uses and disclosures are not covered under treatment, as treatment will not be provided to the patient who is being contacted.
The purpose of the communication is for population-based health care operations to improve health, case management, and care-coordination, which are covered by healthcare operations, so a prior authorization is not required.
“A covered health care provider is permitted to make such communication for the covered entity’s population-based case management and related health care operations activities, provided that the covered entity receives no direct or indirect payment from, or on behalf of, the third party whose service is being described in the communication (e.g., a blood and plasma donation center),” explained OCR.
A HIPAA authorization would be required before PHI can be used or disclosed by a third party in relation to marketing communications about the third party’s products and services. “A hospital cannot disclose PHI about individuals who have recovered from COVID-19 to a blood and plasma donation center, so that the donation center can contact the patients to request blood and plasma donations for its own purposes.” Such a use or disclosure would only be permitted by the HIPAA Privacy Rule if prior authorization had been obtained from the patient.
“We’re making sure misconceptions about HIPAA do not get in the way of a promising COVID-19 response. This guidance explains how health care providers can connect COVID-19 survivors with blood and plasma donation opportunities and further public health consistent with patient privacy,” said OCR Director, Roger Severino.