The United States Department of Health and Human Services Office for Civil Rights (OCR) recently issued updated guidance (Guidance) on contacting former COVID-19 patients about blood plasma donation in light of the privacy protections contained in the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations, each as amended (HIPAA). The Guidance explains that a covered entity healthcare provider or health plan may use protected health information (PHI) to identify and contact individuals who have recovered from COVID-19 to provide them with information about donating blood plasma that could be used to help patients with COVID-19, so long as such communications are not used for marketing purposes.
In newly issued Guidance, the OCR explains that the HIPAA Privacy Rule generally does not prohibit a HIPAA covered entity from contacting an individual who has recovered from COVID-19 about donating blood plasma that could be used to help patients with COVID-19, with certain exceptions and attendant cautions regarding prohibited marketing activities.
The HIPAA Privacy Rule permits HIPAA covered entities (or their business associates on the covered entities’ behalf) to use or disclose PHI for treatment, payment and healthcare operations, among other purposes, without the individual’s authorization. Healthcare operations include case management activities and other care coordination that do not meet the definition of “treatment” under HIPAA. When using or disclosing PHI for healthcare operations, the covered entity must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose. According to the Guidance, using PHI to identify and contact individuals who have recovered from COVID-19 to inform them about how to donate blood plasma is a permitted healthcare operations activity, for which individual authorization is not required, to the extent that facilitating the supply of donated blood plasma would be expected to improve the covered entity healthcare provider’s or plan’s ability to conduct case management activities for patients or beneficiaries that have or may become infected with COVID-19.
However, the Guidance warns covered entities against using or disclosing PHI for “marketing” (as defined by HIPAA) purposes and against providing such information to third parties who may in turn use the information for marketing purposes. Generally, the HIPAA Privacy Rule prohibits the use or disclosure of PHI for marketing purposes without an individual’s authorization. Accordingly, when using or disclosing PHI in accordance with the Guidance, a covered entity should be careful not to encourage any individuals to use a particular third party’s blood or plasma donation center. Similarly, a covered entity should not disclose PHI to a third party, including another covered entity, for the third party to make marketing communications about the third party’s products or services without the individual’s authorization. For instance, a covered entity should not disclose to a third-party donation center, for the donation center’s marketing purposes, PHI about an individual who has recovered from COVID-19.
As defined by HIPAA, prohibited “marketing” activity does not include descriptions by a covered entity of its own health-related products or services, and the Guidance does not itself limit a covered entity’s ability to inform its own patients about its own blood or plasma donation centers.
If you have questions about the newly issued OCR Guidance or this OTS, please contact the authors or your regular McDermott lawyer.