Agency Clarifies What’s Permitted Under Privacy Rule
As healthcare organizations seek out recovered COVID-19 patients for potential donations of blood plasma containing virus antibodies to help treat other patients, they need to ensure these outreach activities comply with HIPAA privacy regulations, according to new federal guidance.
The guidance from the Department of Health and Human Services’ Office for Civil Rights clarifies that HIPAA permits covered healthcare entities to identify and contact patients who have recovered from COVID-19 as part of their population-based activities relating to improving health, case management or care coordination. That includes using protected health information to identify patients who have recovered from COVID-19 and contacting them with information about how they can donate their blood and plasma for the treatment of other patients.
The guidance emphasizes, however, that without patients’ authorization, healthcare organizations cannot receive any payment from blood and plasma donation centers in exchange for such communications with recovered patients.
“This guidance explains how healthcare providers can connect COVID-19 survivors with blood and plasma donation opportunities and further public health consistent with patient privacy.”
Do’s and Don’ts
Under the HIPAA Privacy Rule, covered entities – or their business associates – are permitted to use or disclose PHI for treatment, payment and healthcare operations without an individual’s authorization.
Healthcare operations include population-based activities relating to improving health as well as case management and care coordination activities that do not meet the definition of “treatment” – for example, where such activities are not connected to the care of a specific patient, the guidance explains.
“When using or disclosing PHI for healthcare operations, the covered entity must make reasonable efforts to limit the use or disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure,” the guidance notes.
“The use of PHI to identify and contact patients who have recovered from COVID-19 for this purpose is permitted as a population-based healthcare operations activity of the covered healthcare provider because facilitating the supply of donated blood and plasma would be expected to improve the provider’s ability to conduct case management for patient populations that have or may become infected with COVID-19.”
A healthcare provider may identify and contact its patients who have recovered from COVID-19 for population health and case management purposes without a patient’s authorization, to the extent that this activity does not constitute marketing, the guidance notes.
“Marketing is a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service. Generally, the HIPAA Privacy Rule prohibits the use or disclosure of PHI for marketing purposes without a patient’s authorization,” the document states.
Business Associate Concerns
Also, a covered entity needs an individual’s authorization to disclose PHI that a third party will use for marketing its own products and services, unless that third party is a business associate making communication on behalf of the covered entity, the guidance notes.
“For example, a hospital cannot disclose PHI about individuals who have recovered from COVID-19 to a blood and plasma donation center, so that the donation center can contact the patients to request blood and plasma donations for its own purposes,” the guidance says. “In such cases, the covered entity would need to obtain the individuals’ authorization prior to making such a disclosure.”
Privacy and security attorney Helen Oscislawski of law firm Attorneys at Oscislawski says business associates should take note that their authority to query data on their electronic medical records or other data systems that store PHI, including information about COVID-19, would not permit them to independently begin reaching out to patients about potential blood or plasma donations.
“A business associate would have to have been specifically asked by a covered entity to perform this function ‘on behalf of’ the covered entity,” she says. “One would expect that HIPAA business associate agreements do not cover this kind of activity specifically. Therefore a business associate would at a minimum have to get a covered entity’s approval before contacting any patient.”
Some privacy and security experts note that if covered entities reach out to their recovered COVID-19 patients about potentially donating blood plasma, it is also critical that the actual communication comply with HIPAA security and privacy regulations.
“The biggest danger for covered entities would come if they use unencrypted email or text messaging to contact recovered COVID-19 patients in violation of HIPAA,” says independent HIPAA attorney Paul Hales.
“The privacy rule allows the use of unencrypted email and text messaging only if a covered entity notified each patient there may be some level of risk that information in the email or text message can be read by a third party – the ‘duty to warn’ – and the patient has agreed to use of unencrypted electronic transmissions,” he says. “It’s a simple three-step safeguard overlooked by many covered entities: Provide a light warning to the patient, follow the patient’s direction and document the warning and patient’s preference,” he says.
Covered entities can easily include the three-step safeguard in their new patient registration and information forms, Hales says. “Some also use a separate form for compliance,” he notes.
“Covered entities that follow the HIPAA three-step safeguard are not responsible if an unencrypted email or text message is intercepted during transmission or disclosed after delivery to the patient,” he adds.
HHS OCR issued the latest guidance to clarify exactly what’s permitted under HIPAA, says privacy attorney Kirk Nahra of the law firm WilmerHale.
“It is a perfect example of some of the complicated aspects of the HIPAA rules,” he says. It’s better for covered entities to make the communication with patients directly, “rather than share the [patient] data with the other party for them to do it.”
Privacy attorney Iliana Peters of the law firm Polsinelli offers a caveat. “I think all types of entities, HIPAA covered or otherwise, should consider how any sharing of COVID-19 information about individuals may affect those individuals, particularly given the sensitivity of the information, and the ramifications for employment issues related to COVID-19 in these difficult economic times,” she says.
“In other words, there are important efforts being undertaken currently by all types of entities, from HIPAA covered entities to employers not covered by HIPAA, to address the risks posed by COVID-19, but we all want to be vigilant in ensuring that we continue to protect the privacy and security of information of individuals, while we all do our best to combat the disease.”