When patients contract an infectious respiratory disease such as COVID-19, the immune system develops antibodies that provide protection if the pathogen is encountered again. The antibodies in the blood of patients who recover from such an illness are valuable, as not only will they provide protection for the patient, that protection could potentially be transferred to other patients.
Through the donation of blood and plasma two preparations can be made: Convalescent plasma and hyperimmune immunoglobulin. Convalescent plasma and hyperimmune immunoglobulin have both been used to successfully treat patients who have contracted other viral respiratory diseases. Given the severity of COVID-19 and the high mortality rate, these treatments could be vital for patients who are struggling to fight the infection. Research studies are now underway to test whether antibody treatments are effective against COVID-19.
To participate in these programs, patients who have previously been diagnosed with COVID-19 will need to be contacted and asked if they are willing to donate blood and plasma, but is this contact permitted by the HIPAA Privacy Rule?
On June 12, 2020, the Department of Health and Human Services’ Office for Civil Rights issued guidance to healthcare providers on the HIPAA Privacy Rule and contacting COVID-19 patients to request blood and plasma donations.
OCR explained that the HIPAA Privacy Rule does not prohibit healthcare providers from contacting COVID-19 patients to request blood and plasma donations and prior authorization from the patient is not required.
Healthcare providers can contact patients to advise them about the opportunities for donating blood and plasma to support the response to COVID-19 to improve other patents’ chances of beating the disease.
HIPAA covered entities and business associates acting on their behalf can use or disclose PHI for the purpose of treatment, payment, and healthcare operations, without first receiving authorization to do so from a patient. Requesting a donation of blood or plasma does not fall into the category of treatment, as the blood/plasma will not be used to treat the patient, instead it is being used for population-based health care operations to improve health, case management, and care-coordination, which are included in the definition of healthcare operations.
There is some confusion over whether contacting patients to solicit blood donations would constitute marketing communications, which are generally not permitted by the HIPAA Privacy Rule without prior authorization from a patient.
In this case, an exception to the Privacy Rule’s Marketing provision applies. “A covered health care provider is permitted to make such communication for the covered entity’s population-based case management and related health care operations activities, provided that the covered entity receives no direct or indirect payment from, or on behalf of, the third party whose service is being described in the communication (e.g., a blood and plasma donation center),” explained OCR in the guidance.
An authorization is required from a patient before PHI can be disclosed to a third party, such as a blood and plasma donation center, to allow a COVID-19 patient to be contacted to request blood and plasma donations for the donation center’s own purposes.
The post Guidance on Contacting COVID-19 Patients to Request Blood and Plasma Donations appeared first on HIPAA Journal.