August 7, 2020 | By Rachel Rose, JD, MBA
The Health Information Portability and Accountability Act, Pub. L. 104-191 (Aug. 1996) (“HIPAA”) is often misapplied. Take the COVID-19 pandemic, for example. Despite the U.S. Department of Health and Human Services (“HHS”) and the Office for Civil Rights (“OCR”) reiterating the exceptions present in the Privacy Rule through a variety of bulletins, including the February 2020 Bulletin, the number of questions pertaining to the disclosure of a patient’s protected health information (“PHI”) remains astounding.
As articulated in the February 2020 Bulletin, “[t]he HIPAA Privacy Rule protects the privacy of patients’ health information (protected health information) but is balanced to ensure that appropriate uses and disclosures of the information still may be made when necessary to treat a patient, to protect the nation’s public health, and for other critical purposes.” Notably present in this bulletin was a reminder that a person’s PHI, or any portion that could identify a particular individual, could not be posted on social media or released publicly without the patient’s written consent and authorization.
Fast forward to May 5, 2020, when HHS issued guidance regarding media access to facilities and patients’ PHI, as a reminder to facilities that the Privacy Rule prohibits media, which includes news outlets, from accessing a facility where PHI is present without patients’ express, written consent. As OCR Director Roger Severino stated, “[t]he last thing hospital patients need to worry about during the COVID-19 crisis is a film crew walking around their bed shooting ‘B-roll’ …[h]ospitals and health care providers must get authorization from patients before giving the media access to their medical information; obscuring faces after the fact just doesn’t cut it.”
How does the aforementioned guidance carry over into the June 2020 Guidance related to covered healthcare providers contacting former COVID-19 patients about donating blood and plasma from individuals who have recovered from the virus? First, the Food and Drug Administration (“FDA”) refers to this as COVID-19 convalescent plasma. Second, the Privacy Rule has several provisions, many of which were identified in the February 2020 bulletin, which enable covered healthcare providers to contact patients regarding COVID-19 convalescent plasma, specifically 45 CFR 164.502(a)(1)(ii), 45 CFR 164.506, 45 CFR 164.501, 45 CFR 164.502(b), and 45 CFR 164.514(d). There are two caveats: the contact or related activities must not constitute marketing or the sale of PHI.
A covered entity generally cannot disclose PHI to a third party, without the individuals’ authorization, for the third party to make marketing communications about the third party’s products or services, unless the third party is making the communication on behalf of the covered entity (i.e., as a business associate). For example, a hospital cannot disclose PHI about individuals who have recovered from COVID-19 to a blood and plasma donation center, so that the donation center can contact the patients to request blood and plasma donations for its own purposes. In such cases, the covered entity would need to obtain the individuals’ authorization prior to making such a disclosure. See June 2020 Guidance, p. 2.
A key item that covered entities, patients, and other persons alike need to appreciate is that OCR continues to protect a patient’s right to privacy and PHI. Therefore, when in doubt, check the laws and regulations before proceeding. Blatantly failing to obtain prior written authorization for media disclosures, the prohibited types of marketing, or the sale of PHI could result in OCR using its discretion to issue penalties.