On June 12, 2020, the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), issued guidance confirming HIPAA permits a covered healthcare provider (Provider) to use protected health information (PHI) to identify and contact recovered COVID-19 patients to inform them of how they can donate their blood and plasma. As background, HIPAA permits the use of PHI without authorization for “healthcare operations” which include conducting population-based activities relating to improving health and case management. A Provider’s use of PHI to contact former COVID-19 patients qualifies as a population-based activity because facilitating the supply of blood and plasma is likely to improve the Provider’s ability to conduct case management for current and future COVID-19 patients.
However, the OCR noted that marketing communications that encourage former COVID-19 patients to use specific blood and plasma centers are prohibited under HIPAA, unless it meets an exception to the definition of marketing. For example, a Provider can make a marketing communication without a patient’s prior authorization if the Provider does not receive any direct or indirect payment from the third-party blood and plasma center in exchange for such communication. Additionally, the OCR reiterated that as a covered entity, a Provider cannot disclose PHI to a third-party for marketing purposes without the patient’s authorization, unless the third-party making the solicitation is acting on behalf of the covered entity as a business associate.
Link: https://www.hhs.gov/sites/default/files/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-blood-and-plasma-donation.pdf