OCR Shares COVID-19 Guide on Contacting Patients for Blood Donations
In light of COVID-19, OCR reminds healthcare providers that HIPAA allows covered entities to contact patients recovering from the Coronavirus to inform them about blood and plasma donations.
By - The Office for Civil Rights released guidance for healthcare covered entities on the HIPAA-permitted ways providers can contact patients recovering from COVID-19 to inform them of blood and plasma donation opportunities.
The guidance joins several other OCR insights designed to assist providers with the COVID-19 response, while remaining HIPAA-compliant. Previously, the agency released guidance around telehealth, first responders, media access, community-based testing sites, and business associates.
Blood donations from recovering COVID-19 patients contain antibodies that could assist with the pandemic response. According to the latest guidance, HIPAA permits covered entities to both identify and contact patients who have recovered from COVID-19 for “population-based activities,” such as case management, care coordination, or improving general health.
Specifically, providers are permitted to use patient health information to identify the applicable patients, and then provide donation information.
The HIPAA Privacy Rule allows covered entities or their business associates, on behalf of the covered entity, to use or disclose PHI for payment, treatment, general healthcare operations, and other purposes, without an individual’s authorization.
“Healthcare operations include population-based activities relating to improving health, and case management and care coordination activities that do not meet the definition of treatment (e.g., where such activities are not connected to the care of a specific patient),” the guidance explains.
“When using or disclosing PHI for healthcare operations, the covered entity must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure,” it adds.
As a result, providers leveraging PHI to contact patients who have recovered from COVID-19 is permitted by HIPAA under population-based healthcare operations activity, “because facilitating the supply of donated blood and plasma would be expected to improve the providers’ ability to conduct case management for patient populations that have or may become infected with COVID-19.”
However, OCR stressed that this information cannot be leveraged for marketing purposes without patient authorization. In particular, marketing refers to communicating with patients encouraging them to purchase or use a specific product or service.
Thus, without patient authorization, providers are not able to receive payment from or on behalf of a blood and plasma donation center in exchange for those communications with recovered patients.
“Communications that inform or encourage patients who have recovered from COVID-19 regarding the means and benefits of donating blood and plasma and encourage such patients to use any particular blood and plasma center(s) for such donations would constitute marketing, unless the communication meets an exception to the definition of marketing,” the guide explains.
One exception to that definition is a provider communicating with patients on behalf of the covered entity’s population-based case management purposes and related to healthcare operations activities. Specifically, providers are not allowed to receive direct or indirect payment from or on behalf of the third-party whose service is described in the communication without patient authorization.
Conversely, providers are not permitted to disclose PHI to a third party, in this case a blood or plasma donation center, without patient authorization to be used for marketing communications.
“For example, a hospital cannot disclose PHI about individuals who have recovered from COVID-19 to a blood and plasma donation center, so that the donation center can contact the patients to request blood and plasma donations for its own purposes,” the guide explains. “In such cases, the covered entity would need to obtain the individuals’ authorization prior to making such a disclosure.”
"We're making sure misconceptions about HIPAA do not get in the way of a promising COVID-19 response,” OCR Director Roger Severino, said in a statement. “This guidance explains how health care providers can connect COVID-19 survivors with blood and plasma donation opportunities and further public health consistent with patient privacy."
