Updated Guidance on HIPAA and Contacting Former COVID-19 Patients about Plasma Donation (Aug. 2020)
Available at https://www.hhs.gov/sites/default/files/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-blood-and-plasma-donation.pdf
HHS’s Office for Civil Rights (OCR) has expanded guidance originally issued in June to clarify that health plans may, under certain circumstances, use and disclose protected health information (PHI) to contact individuals who have recovered from COVID-19 about donating plasma containing antibodies. The guidance, which originally applied only to health care providers, allows the use of PHI as part of the plan’s health care operations if facilitating the supply of donated plasma would be expected to improve the plan’s ability to conduct case management for participants who have or may contract COVID-19. Obtaining an individual’s authorization is not required for this use so long as the plan is not engaged in marketing as defined by the HIPAA privacy rule. Under that rule, “marketing” means encouraging recipients of a communication to purchase or use a product or service—unless (among other exceptions) the communication is for health care operations and the plan does not receive financial remuneration in exchange for making the communication. Therefore, a health plan may use PHI to contact participants about donating plasma without individual authorizations if (1) facilitating the supply of donated plasma is expected to improve case management for infected individuals; and (2) the plan does not receive financial remuneration from, or on behalf of, any blood or plasma donation center. Conversely, a plan receiving direct or indirect payment from, or on behalf of, a blood or plasma donation center would have to obtain the participant’s authorization before sending a communication.
The guidance cautions that plans generally must obtain authorizations before disclosing PHI to a third party (including another HIPAA covered entity) so the third party can send individuals marketing communications about its own products or services. For example, a health plan must obtain authorizations from individuals who have recovered from COVID-19 before disclosing their PHI to a blood or plasma donation center so that the donation center can contact the individuals for its own purposes. This restriction applies regardless of whether the plan receives financial remuneration in exchange for disclosing the PHI. However, if the plan has contracted with a donation center to assist with case management of COVID-19 patients, then it may disclose PHI of recovered patients to the donation center so long as the disclosure is in furtherance of case management, and the plan and donation center have entered into a business associate contract.
EBIA Comment: Although it is unclear whether health plans will be interested in contacting participants for this purpose, this clarification will be welcome news for plans pursuing this type of case management. Plans relying on the guidance should fully document the justification for using and disclosing PHI of recovered COVID-19 patients, including determinations regarding whether a HIPAA authorization is required. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVI.B (“Uses and Disclosures for Treatment, Payment, and Health Care Operations”) and XXVI.E (“Uses and Disclosures Requiring Individual Authorization”). You may also be interested in our webinar “HIPAA Business Associate Contracts: Due Diligence, Upstream Liability, and More” (recorded on 8/27/20).
Contributing Editors: EBIA Staff.