Recently, there has been some confusion about whether the HIPAA Privacy Rule permits using protected health information (PHI) to contact patients who have recovered from COVID-19 and provide them with information about donating blood and plasma.
The answer is yes, under certain circumstances. Healthcare providers are permitted to use patient health information to identify the applicable patients, and then provide donation information.
The US Department of Health and Human Services (HHS) has provided guidance regarding the use of protected health information (PHI) to contact patients who have recovered from COVID-19 about donating plasma. According to the HIPAA Privacy Rule, a covered healthcare provider (hospital, pharmacy, laboratory, or health plan) may use PHI to identify and contact individuals who have recovered from COVID-19 to provide them with information about donating plasma for use in treating other patients suffering from COVID-19.
The HIPAA Privacy Rule permits covered entities to use or disclose PHI specifically for treatment, payment, healthcare operations, and other care purposes without an individual’s authorization. When using or disclosing PHI for healthcare operations, the covered entity must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
A covered health care provider or health plan may identify and contact individuals for this purpose, without authorization, to the extent that this activity does not constitute marketing.
Marketing is considered a communication about a product or service that encourages the recipient of the communication to purchase or use it. Generally, the HIPAA Privacy Rule prohibits using or disclosing PHI for marketing purposes without an individual’s authorization.
Any communication used to contact COVID-19 patients regarding the benefits of donating plasma that encourages blood or plasma donations for a particular center(s) would constitute marketing and would not be HIPAA compliant.
EXAMPLE: A covered healthcare provider or health plan cannot disclose PHI about individuals who have recovered from COVID-19 to a blood or plasma donation center for the donation center’s purposes. In such cases, the covered healthcare provider or health plan must obtain the individuals’ prior authorization.
Generally speaking, covered entities cannot, without the individuals’ authorization, disclose PHI to a third party for the third party to make marketing communications, unless the third party is making the communication on behalf of the covered entity (i.e., as a business associate).
For more information visit: https://www.hhs.gov/sites/default/files/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-blood-and-plasma-donation.pdf