Recent Guidance on Contacting COVID-19 Patients for Blood Donations
The Office for Civil Rights (OCR) at the US Department of Health and Human Services (HHS) recently issued guidance on how providers can contact former COVID-19 patients regarding opportunities for blood and plasma donations. Though healthcare providers can use Protected Health Information (PHI) to identify and contact previous patients, specific guidelines should be followed.
What the guidance outlines
Contacting previous COVID-19 patients to notify them of opportunities for donating blood and plasma is allowed in order to assist healthcare providers in collecting antibodies for treatment of other patients with COVID-19. The use of PHI for this purpose is permitted as a population-based healthcare operations activity, as outlined in the HIPAA Privacy Rule for HIPAA covered entities and their business associates. Furthermore, facilitating the supply of donated blood and plasma is expected to improve the provider’s ability to conduct case management for patients who have been infected with COVID-19.
However, safeguards remain in place when contacting previous COVID-19 patients. The provider can contact its previous patients for this purpose, without authorization, to the extent that the activity is not considered marketing. As defined by HHS, marketing is a communication about a product or service that encourages the recipient of the communication to purchase or use the product or service. However, under one exception, a covered healthcare provider is permitted to make such a communication for the population-based case management and related healthcare operations activities, provided there is no payment associated with the activities.
Additionally, providers are not permitted to share PHI with third parties. For example, a provider cannot release a patient’s PHI to a blood and plasma donation center so that the center can contact the patient for its own purposes, such as collecting the blood and plasma for a profit. For such a transaction to occur, the provider must receive the patient’s authorization prior to making the disclosure of PHI.
For more information, the complete guidance can be found here.
This article was originally published on the MRO Blog and is republished here with permission.