Many a HIPAA covered entity (CE) pulls back from sharing information, even when permitted to do so, because of fear of enforcement action by the HHS Office for Civil Rights (OCR); many a family member is told “HIPAA won’t let me,” when asking for information they are allowed to have.
To be sure, OCR has undertaken dozens of actions against errant CEs (and occasionally a business associate) for a variety of infractions, ranging from recent cases of not sharing patient records in a timely manner to failing to perform a required security risk analysis, leading to a large data breach. But agency officials have always tried to stress that they’ve never pursued a doctor, hospital or other entity for releasing information that, based on professional judgment, was deemed to be for the benefit of a patient.
In fact, in recent guidance, OCR has sought to expand upon the permissive nature of HIPAA (i.e, you can share unless the action is expressly disallowed). This was seen in response to the opioid crisis and now relates to the COVID-19 pandemic, telehealth, sharing information with first responders, certain waivers for enforcement related to hospitalizations and testing sites—to name a few.
Desire to Facilitate Treatment
In mid-June, OCR stepped in again, this time giving providers permission to act in ways to help in the treatment of patients with COVID-19, amid a near universal sense of desperation and helplessness given there are few, if any, treatments found to be truly effective.
On June 12, OCR Director Roger Severino issued “Guidance on HIPAA and Contacting Former COVID-19 Patients about Blood and Plasma Donation,” in recognition that “misconceptions about HIPAA” may “get in the way of a promising COVID-19 response.”[1]
Infusion of blood or plasma from patients who have recovered from COVID-19 and developed antibodies is one strategy physicians have been trying to aid those with active infections. To date, the success of this treatment is unknown, although it has at least been shown to be safe.
Family members have often had to resort to public pleas via Facebook, Twitter and the news media, however, to locate such former patients to ask for donations.
With the new OCR guidance, providers can now feel confident that they can play an active role in contacting those who have recovered from COVID-19.
The new guidance is in the form of an FAQ: “Does HIPAA permit a covered health care provider to use protected health information (PHI) to identify and contact patients who have recovered from COVID-19 to provide them with information about donating blood and plasma that could help other COVID-19 patients?” OCR responds “Yes,” stressing that where a CE may run in trouble is ensuring any contact with a former COVID-19 patient doesn’t cross the line into marketing.
