On June 12, 2020, the Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) issued guidance on whether or not a healthcare provider may use protected health information (PHI) to identify and contact patients who have recovered from COVID-19. The OCR guidance states that HIPAA permits such use of PHI to identify recovered patients, to provide them with information as to how they can donate COVID-19 antibodies to help treat other COVID patients. Circumstances under which former COVID-19 patients may be contacted are discussed below.
OCR Guidance: When Can Providers Use PHI to Identify Former COVID-19 Patients?
According to the new OCR guidance, healthcare providers may use PHI to contact patients who have recovered from COVID-19, so that they may donate their blood and plasma. Blood and plasma from recovered patients contain antibodies to the virus causing COVID-19; it is hoped such donations can help treat patients who currently have the virus.
Do you have an effective HIPAA compliance program?
Find out now by completing the HIPAA compliance checklist.
The HIPAA Privacy Rule allows HIPAA covered entities, including healthcare providers, to use or disclose PHI for treatment, payment, and healthcare operations, without written patient authorization. “Healthcare operations” include, among other things, population-based activities that are related to improving health, case management, and care coordination activities that do not meet the definition of treatment (i.e., where such activities are not connected to the care of a specific patient). Population-based activities and research, while not “treatment” themselves, are used to develop or modify treatment protocols.Â
According to the OCR guidance, the use of PHI to identify and contact former COVID-19 patients is a “population-based” healthcare operations activity. This is because facilitating the supply of donated blood and plasma is expected to improve a provider’s ability to conduct case management, and develop treatment protocols, for patient populations that have or may become infected with COVID-19.
OCR Guidance: Restrictions on Providers’ Use of PHI to Identify Former COVID-19 Patients
When using or disclosing PHI for healthcare operations, including using PHI to identify and contact former COVID-19 patients, a healthcare provider must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary.
In addition, providers may contact identified former COVID-19 patients only to the extent that the contact does not involve marketing. Generally, the HIPAA Privacy Rule prohibits the use or disclosure of PHI for marketing purposes without a patient’s authorization.
Therefore, communications that inform or encourage patients who have recovered from COVID-19 to use any particular blood and plasma center(s) for such donations, would constitute marketing, unless the communication meets an exception to the definition of marketing. Under one exception to the definition, a provider is permitted to make such communication, provided that the provider receives no direct or indirect payment from, or on behalf of, the third party whose service is being described in the communication (i.e., a blood and plasma donation center).
