Late last week, the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance aimed at “making sure misconceptions about HIPAA do not get in the way of a promising COVID-19 response,” according to OCR Director Roger Severino. That “promising response” relates to emerging evidence that plasma from recovered patients (often referred to as “convalescent plasma”) may contain antibodies to SARS-CoV-2, the virus that causes COVID-19. Those antibodies could be useful in treating individuals who are sick with COVID-19. The OCR’s guidance addresses how health care providers may contact, in a HIPAA-compliant manner, recovered COVID-19 patients to provide them with information about donating blood and plasma to potentially help other COVID-19 patients.
The guidance explains that the HIPAA Privacy Rule permits HIPAA covered entities or their business associates to use or disclose protected health information (PHI) for health care operations without the individual’s authorization. Population-based activities relating to improving health, along with certain case management and care coordination activities, constitute health care operations. According to the guidance, “[t]he use of PHI to identify and contact patients who have recovered from COVID-19 for this purpose is permitted as a population-based health care operations activity of the covered health care provider because facilitating the supply of donated blood and plasma would be expected to improve the provider’s ability to conduct case management for patient populations that have or may become infected with COVID-19.”
OCR took care to note that the HIPAA Privacy Rule does not allow providers to engage in marketing communications related to blood and plasma donations without the patient’s authorization. Such marketing communications would include, for example, communications from the provider that encourage a patient to use a specific plasma donation center, unless the communication otherwise meets an exception to HIPAA’s marketing definition. The guidance also reminds providers that, without an appropriate authorization, covered entities generally may not disclose PHI to a third party in order for the third party to make marketing communications on its own behalf about its products or services.
As we’ve seen with many federal and state regulators, OCR is actively working to remove or mitigate regulatory roadblocks to a robust and timely pandemic response. This latest guidance should further that goal by giving providers some comfort about reaching out to recovered COVID-19 patients without running afoul of HIPAA.