Artificial Intelligence (AI) is widely viewed as a valuable tool for improving health and healthcare. It is being used by major technology companies such as Google, small start-up companies, and researchers to collect and analyze health data collected from a variety of sources.  As stated by Abhimanyu S. Ahjula in this October 2019 article:

AI is poised to play an increasingly prominent role in medicine and healthcare because
of advances in computing power, learning algorithms, and the availability of large datasets (big data) sourced from medical records and wearable health monitors.

However, if the health data involved is subject to HIPAA, extra precautions are required.  Fox Rothschild LLP associate Kristina Neff Burland and I examined the interplay between HIPAA and the use of AI in this article published on January 21, 2021 by OneTrust DataGuidance.   Key take-aways described in the article include:

  1.  Determine whether HIPAA may apply — consumer-generated and submitted data may provide an out
  2.  De-identifying protected health information (PHI)?  Proceed with caution
  3.  Have a business associate agreement in place before transferring PHI to a third party
  4.  Make sure processing PHI for purposes of AI is a permissible “use” under HIPAA

Flo Health, Inc., which marketed an app used by more than 100 million women interested in tracking their personal menstruation and fertility information, seems to be getting off easily as compared with HIPAA-covered entities who misuse individual health information.  The FTC’s January 13, 2021 press release announcing its proposed settlement with Flo Health sidesteps mention (let alone enforcement) of a federal law (and the FTC’s own rule).  This puzzling sidestep deserves attention, not only in light of the proliferation of the use of personal health apps, but given the particularly sensitive nature of the health information collected by the Flo Health app.

The Health Information Technology for Clinical and Economic Health Act (HITECH), enacted as part of the American Recovery and Reinvestment Act of 2009 (the Recovery Act), not only amended HIPAA, but added HIPAA-like breach notification requirements that apply to vendors of “personal health records” (PHRs) that are not covered entities, business associates, or subcontractors subject to HIPAA.  As described by the FTC in a “request for comment” published last May:

The Recovery Act recognized that vendors of personal health records and PHR related entities (i.e., companies that offer products and services through PHR websites or access information in or send information to PHRs) were collecting consumers’ health information but were not subject to the privacy and security requirements of the Health Insurance Portability and Accountability Act (‘‘HIPAA’’).  The Recovery Act directed the FTC to issue a rule requiring these entities, and their third-party service providers, to provide notification of any breach of unsecured individually identifiable health information. Accordingly, the HBN [Health Breach Notification] Rule requires vendors of PHRs and PHR related entities to provide: (1) Notice to consumers whose unsecured individually identifiable health information has been breached; (2) notice to the media, in many cases; and (3) notice to the Commission…

The [HBN] Rule requires notice ‘‘without unreasonable delay and in no case later than 60 calendar days’’ after discovery of a data breach. If the breach affects 500 or more individuals, notice to the FTC must be provided ‘‘as soon as possible and in no case later than ten business days’’ after discovery of the breach.”

Yet, surprisingly, the FTC’s Flo Health press release and proposed settlement is completely silent with respect to Flo Health’s failure to abide by the Recovery Act and the FTC’s own breach notification rule.  Although its impermissible practices seem to have been “discovered” back in February of 2019 (see here for original WSJ revealing Flo Health’s data practices), Flo Health failed to notify its millions of female users that it allowed their personal and uniquely sensitive health information to be used by third parties, including Google and Facebook, for their own purposes, including advertising.

While the proposed settlement requires website notice and individual email/mobile app notice within 14 days after the filing of the Consent Order, such notice would come well beyond the “60-day following discovery” deadline.   In addition, as drafted by the FTC, the notice is focused on what was not improperly disclosed (name, address, or birthday), rather than what was.  When a covered entity notifies individuals, regulators, and the media of a HIPAA breach, it must include a description of the types of information involved in the breach.

Two FTC commissioners, Rohit Chopra and Rebecca Kelly Slaughter, picked up on the FTC’s failure to enforce the Recovery Act and FTC breach notification rule. Their Joint Statement points out that the “explosion in connected health apps” make the breach notification rule “more important than ever”:

[S]ervices like Flo need to come clean when they experience privacy or security breaches.”

Unless they do, health app users will have no idea when their trust is misplaced.

Prior to the holiday, the OCR settled its thirteenth enforcement action under the HIPAA Right of Access Initiative, which involved a primary care physician practicing in the State of Georgia.  Dr. Peter Wrobel, M.D., P.C., operating under the fictitious name of Elite Primary Care, became subject to an OCR investigation (twice) for his alleged violations of the HIPAA Privacy Rule.

In 2019, the OCR received a complaint stating that Elite Primary Care failed to provide a patient timely access to his medical records.  The OCR assisted Elite Primary Care by providing technical assistance, which ultimately led to the OCR closing the complaint.  Just a few months later, the OCR received a second complaint from the same patient stating he still did not receive his medical records.  As a result, Dr. Wrobel must pay a Resolution Amount of $36,000.00 and implement a two year Corrective Action Plan following the OCR’s second investigation.

Again, yet another single  patient complaint leads to a substantial penalty under the Right of Access Initiative.  Although not specifically stated within the Corrective Action Plan, the steep Resolution Amount seems like a by-product of the OCR’s frustration with providing technical assistance and receiving a second complaint involving the same patient and issue.  For the entire press release, please click here.

Additionally, for more information on past enforcement actions under the HIPAA Right of Access Initiative, please click here.

H.R. 7898, sent to the President for signature on December 24, 2020 may be the HIPAA holiday gift covered entities and business associates have been waiting for.  The bill requires the Secretary of the Department of Health and Human Services, when considering penalties, audits and other actions related to HIPAA breaches and security incidents, to take into consideration whether the covered entity or business associate has had “recognized security practices” in place for at least 12 months.

“Recognized security practices” broadly include:

[S]tandards, guidelines, best practices, methodologies, procedures and processes developed under section 2(c)(15) of the National Institute of Standards and Technology Act, the approaches promulgated under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity that are developed, recognized, or promulgated through regulations under other statutory authorities.

It is up to the covered entity or business associate to decide which recognized security practices to implement, consistent with the HIPAA Security Rule.

Almost exactly two years ago, HHS announced the publication of “Health Industry Cybersecurity Practices” developed as per the mandate under section 405(d) of the Cybersecurity Act of 2015.  The HICP are practical, cost-effective guidelines to reduce cybersecurity risks.  They include two separate sections: one designed for small health care organizations, and one designed for medium and large organizations.  Though published as “voluntary” practices, entities hoping to avoid HIPAA penalties will have a new reason to voluntarily adopt them if and when H.R. 7898 takes effect.

Since entities must have had HICP or another recognized cybersecurity practice in place for at least 12 months in order to fall within the protections of H.R. 7879, the sooner such practices are implemented, the better.  Every covered entity and business associate should resolve to start 2021 with a renewed commitment to implementing and/or reviewing and updating their cybersecurity practices.

The Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”) recently settled four more investigations under the HIPAA Right of Access Initiative, which totals 11 settlements thus far.  In September, the OCR released a press release detailing its settlement of five additional actions under the HIPAA Right of Access Initiative. In the latest settlements, the OCR came down harder on  providers that failed to provide timely access to a patient’s protected health information by imposing six-figure fines (in two instances) and two year Corrective Action Plans on all four occasions.  In addition, the OCR Director delivered some stern remarks regarding the provider’s obligations with respect to the HIPAA Privacy Rule.

I.         Dignity Health

On October 7th, the OCR announced the settlement of its eighth HIPAA Right of Access Initiative investigation involving Dignity Health d/b/a St. Joseph’s Hospital and Medical Center (“Dignity Health”), which is a large, acute care hospital with various clinics based in Phoenix, Arizona. The OCR received a complaint from a mother stating that she made multiple requests for her son’s medical record in acting as her son’s personal representative, to no avail. Dignity Health provided some documents, but failed to properly respond to the mother’s request.

The OCR  determined that Dignity Health failed to provide the personal representative timely access to her son’s protected health information, which ultimately led to the OCR delivering a $160,000 “Resolution Amount” (as defined in the Corrective Action Plan)  and mandating Dignity Health to enter into a two year Corrective Action Plan.  For the record, this Resolution Amount was higher than all five of the previous settlement amounts announced by the OCR combined. The Corrective Action Plan orders the implementation of additional HIPAA policies and procedures, reporting requirements, training, and the submission of annual reports to HHS.  You can find the entire OCR announcement regarding Dignity Health here.

II.        NY Spine Medicine

Shortly following the OCR’s announcement regarding its settlement with Dignity Health, the OCR released yet another announcement regarding the settlement of its ninth investigation under the HIPAA Right of Access Initiative involving NY Spine Medicine, which is a private medical practice specializing in neurology and pain management with locations in New York, NY and Miami Beach, Florida. Last year, the OCR received a complaint from a woman stating that she made a request to NY Spine Medicine for her medical records, and again, the provider failed to the deliver the requested medical records after the woman made several inquiries.

The OCR determined that NY Spine Medicine failed to provide the patient access to her protected health information in a designated record set.  In fact, as of the settlement date, NY Spine Medicine still had not provided the patient with her requested medical records. Similar to the Dignity Health settlement, the OCR handed down a $100,000 Resolution Amount to NY Spine Medicine along with a two year Corrective Action Plan, which included similar mandated provisions as the Dignity Health Corrective Action Plan.  Most notably, the OCR Director, Roger Severino, provide some colorful commentary in the press release by stating: “No one should have to wait over a year to get copies of their medical records.  HIPAA entitles patients to timely access to their records and we will continue our stepped up enforcement of the right of access until covered entities get the message.” You can find the entire OCR announcement regarding NY Spine Medicine here.

III.      Riverside Psychiatric Medical Group

The OCR announced its tenth enforcement action under the Right of Access Initiative involving Riverside Psychiatric Medical Group, which is a group practice focused in mental health and substance abuse located in Riverside, California.  Last year, the OCR received two complaints from an individual stating that Riverside Psychiatric Medical Group failed to provide her requested medical records. After the initial complaint, the OCR even provided technical assistance to Riverside Psychiatric Medical Group.  However, even after the OCR assistance, the patient still did not receive her medical records and filed a second complaint. As such, the OCR issued a $25,000 Resolution Amount and mandated a two year Corrective Action Plan similar to the mandatory Corrective Action Plans in the Dignity Health and NY Spine settlements. You can find the entire OCR announcement regarding Riverside Psychiatric Medical Group here.

IV.      Dr. Bhayani

Within the past few days, the OCR announced its eleventh enforcement action, which was also the first enforcement against a private practitioner. Dr. Rajendra Bhayani specializes in ear, nose and throat medical services with an office located in New York.  Over two years ago, a patient sent a complaint to the OCR stating that she had failed to receive access to her medical records.  Yet again, the OCR responded by providing Dr. Bhayani with technical assistance.  In the summer of last year, the OCR received a second complaint from the same patient, which stated she still had not received her medical records despite the OCR’s efforts to assist the doctor. The OCR responded by issuing $15,000 Resolution Amount and implementing a two year Corrective Action Plan, which includes a six  year document retention requirement. In other words, the OCR will have a close eye on the doctor until October 2026. You can find the entire OCR announcement regarding Dr. Bhayani here.

V.       Moving Forward

The message is loud and clear, Director Severino. The OCR plans to continue its strict enforcement of the Privacy Rule under the HIPAA Right of Access Initiative.  Based on the latest wave of settlements, it seems that all it takes is the denial or inadequate response to a single patient or personal representative’s request to access their medical records and the provider could be on the hook for a six-figure fine. In addition to the Resolution Amounts, the provider could incur additional expenses relating to the compliance with a Corrective Action Plan, whether it is hiring additional staff, drafting new policies, or revamping its entire recordkeeping processes. Moving forward, all providers should diligently respond to all requests for patient records and ensure its policies and procedures comply with the Privacy Rule.

**** Update: University of Cincinnati Medical Center

Following the initial posting of this blog, the OCR subsequently announced the settlement of its twelfth investigation under the HIPAA Right of Access Initiative, which involved the University of Cincinnati Medical Center, LLC (“UCMC”). UCMC is an affiliate of the University of Cincinnati and offers a wide range of medical services within the Greater Cincinnati metropolitan area.  In 2019, the OCR received a complaint from a patient stating that UCMC failed to deliver an electronic copy of her health records to her lawyers.  Upon further investigation, the OCR determined that UCMC failed to timely respond to the patient’s request to deliver her medical records to a third-party, which is an permissible action under the Privacy Rule.  As a result, the OCR issued a $65,000 Resolution Amount and mandated a two year Corrective Action Plan.  You can find the entire OCR announcement regarding UCMC here.

If you have any questions regarding the Right of Access Initiative and how it affects your practice or healthcare business, please do not hesitate to contact us.

Covered entities beware: a timing pitfall lurks within the recently adopted rules prohibiting information blocking.  We have posted about OCR’s “Right to Access Initiative” and numerous enforcement actions taken to make sure that covered entities respond to patient access requests in a timely manner.  The HIPAA Privacy Rule requires covered entities to respond to access requests within 30 days, but OCR has emphasized that this is an “outer limit and covered entities are encouraged to respond as soon as possible.”

Soon, when compliance with the rules adopted by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC) is required, covered entity health care providers will have another outer limit to contend with when responding to patient access requests.  These rules implement certain provisions of the 21st Century Cures Act and are often referred to as the “Information Blocking rules”, though they also address interoperability of electronic health information and the ONC IT Certification Program.

The Information Blocking rule incorporates and cross-references many of the HIPAA Privacy Rules, including the rule giving individuals the right to access their PHI (45 C.F.R. 164.524).  The Information Blocking rule also provides specific exceptions for activities that will not be considered information blocking.  The exceptions generally align with (and cross-reference) provisions in the HIPAA Privacy Rule.  For example, the “preventing harm” exception aligns with the HIPAA access right exception that allows a covered entity to deny an access request when a licensed health care professional determines, in the exercise of professional judgment, that the access requested is reasonably likely to cause substantial harm to the individual or another person.

Only one exception, however, includes an “outer limit” for response, and the outer limit is much shorter than the 30-day limit for responding to HIPAA access requests.

The “infeasibility exception” applies when certain events or circumstances prevent the health care provider from responding to an access request.  These include “uncontrollable events” such as (among others specified in the rule) public health emergencies, internet service interruptions, and labor strikes; the inability to segment the requested information from certain types of other electronic health information, such as information that cannot be made available by law; or where specified circumstances exist that make responding to the request infeasible.  However, if a health care provider denies an individual’s access request under the infeasibility exception, the provider must respond, in writing, to the individual within ten business days of receipt of the request, explaining why providing the requested access is infeasible.

HHS recently extended the date for compliance with the Information Blocking rule from November 2, 2020 to April 5, 2021, but covered entity health care providers may want to take steps now to account for the shortened response time for access requests that may meet the “infeasibility exception”.  Reviewing and amending business associate agreements and HIPAA policies and procedures to incorporate faster turn-around times are good places to start.  Training personnel about the changes and documenting all activities undertaken by the covered entity to comply are other good ways to demonstrate serious compliance efforts.

A recent conversation with a colleague in California prompted me to write this. He said that as part of its back-to-school plan, his children’s elementary school district “highly encouraged” that all students be tested for COVID-19 before returning to class. The district provided families with an in-home saliva test and asked parents to collect their child’s saliva, place the vial in a plastic bag along with some forms containing identifying information, and drop them off at the district offices before the start of school. He was surprised to see that the drop-off box was an open-lidded container on a table outside the entrance to the school district offices. The forms completed by other parents (listing children’s names, insurance information, addresses, etc.) were visible, folded in half inside clear plastic bags along with the samples, but no staff member was stationed at the table to prevent people from peering into the container, removing or reading through the forms. I said that HIPAA most likely does not apply to this health information, but FERPA might (even though the health information on the forms had apparently not yet been recorded into the students’ school records).  Nevertheless, the conversation reminded me that efforts to keep students healthy and safe must account for privacy.

When Ebola was in the public health spotlight, I posted here about a New Jersey elementary school that posted an announcement about two new students arriving from Rwanda.  The post said that the students would be kept at home for 21 days to allay concerns about infecting other students.  The students were not identified by name, and the school admitted that the kids were symptom-free and not from a part of Africa affected by the Ebola outbreak, but the report raised concerns with how schools protect student privacy as well as the health of other students and staff.

Here in my home state of New Jersey, many elementary and secondary schools are open and doing their best to prevent COVID-19 from spreading in the classroom and the community.  The New Jersey Department of Health issued recommendations to local health departments in early September that involve screening of students and staff and collection and reporting of COVID-19 symptoms and test results. As schools around the country grapple with whether and how to get students back into the classroom, it is easy to overlook data privacy requirements, especially when the privacy law that applies to most individually identifiable health information (HIPAA) and the privacy law that applies to most student records (FERPA) differ.

I noted one key difference in the Ebola posting:  HIPAA allows disclosure of protected health information for public health activities, such as to a public health authority that is authorized by law to collect the information to prevent or control disease, but FERPA creates a slightly higher bar to disclosure of identifiable health information contained in a student’s record.  Under FERPA, parents must provide written consent for disclosures of this information, unless an exception applies.  The FERPA “health or safety emergency” exception allows disclosure without parental consent to a public health agency, for example, if the school determines that the public health agency needs the information to protect the health or safety of the students or other individuals.  The school must determine that there is “an articulable and significant threat to the health or safety of students or other individuals” and, within a reasonable period of time after the disclosure, document in the student’s record the threat that formed the basis for the disclosure.  In other words, while reporting the number of students testing positive for COVID-19 might satisfy the FERPA “health or safety emergency” exception, reporting the students’ names or other information might not.

The U.S. Department of Education published FAQs in March 2020 on FERPA and COVID-19, describing the “health or safety emergency” exception that allows reporting to public health departments, as well as when health information can be disclosed to other parties such as parents of other students.  Interestingly, FAQ 7 states that schools can disclose information about a COVID-19 positive teacher or staff member to parents and students, as FERPA only protects information contained in student records, but points out that state privacy laws may apply.  However, it’s worth noting that if the school has a self-funded health plan and receives the information in that capacity, HIPAA would prevent such a disclosure without the individual’s authorization.

Mental Health/substance abuse providers and providers treating HIV/AIDS patients are held to a higher standard when it comes to protecting medical records, requiring additional levels of consent and analysis prior to productions. However, recent settlements published by the Office of Civil Rights of the Department of Health and Human Services (OCR) on September 15, 2020 remind all providers that patients and their authorized representatives have a right to access their records.

Right to Access Initiative:

In 2019 OCR launched the Right to Access Initiative based on concerns that had arisen that health care providers were not responding to request for records in a timely manner. In 2019, OCR’s Right to Access Initiative resulted in financial penalties and corrective action plans for two providers who had failed to provide patients with timely access to their records as required under HIPAA. Bayfront Health St. Petersburg, a Florida hospital, paid $85,000 and adopted a corrective action plan requiring one year of monitoring after a patient’s complaint to OCR led to the release of records nine months after the initial request. Korunda Medical, LLC., a primary care and pain management provider, also in Florida, paid the same amount and agreed to a similar one-year compliance monitoring arrangement as a result of its delays in forwarding records to a third party, failure to provide records in an electronic format, and overcharging for the records.

The Right to Access Initiative suffered a setback on January 23, 2020 when a federal court vacated the “third-party directive” within the individual right of access “insofar as it expands the HITECH Act’s third-party directive beyond requests for a copy of an electronic health record with respect to [protected health information] of an individual . . . in an electronic format.” Additionally, the court ruled that the fee limitation set forth at 45 C.F.R. § 164.524(c)(4) will apply only to an individual’s request for access to their own records, and does not apply to an individual’s request to transmit records to a third party. Ciox Health, LLC v. Azar, et al., No. 18-cv-0040 (D.D.C. January 23, 2020). OCR has posted a notice that its previous third party directive guidance is restricted by the Ciox order but also reaffirmed that the right of individuals to access their own records and the fee limitations that apply when exercising this right has not changed.

Five New Settlements:

On September 15, 2020, OCR issued a press release announcing five additional settlements pursuant to its HIPAA Right to Access Initiative. All the settlements involved failure to produce records to just one individual. Three of the five settlements involved providers of mental health/psychiatric services, one provider treated HIV/AIDS patients and one provider helped with pain management. Additionally, three of the five settlement involved continued complaints from the same individual after “technical assistance” had been provided by OCR to the providers. The penalties ranged from $3,500 to $80,000. All providers also agreed to sign corrective action plans requiring government oversight for either one or two years.

These five additional settlements demonstrate that OCR continues to take the issue of right to access seriously, and that a complaint from one individual is enough to trigger monetary penalties and a correction action plan with government monitoring. Providers, including those who provide mental health and substance abuse services, should review their HIPAA policies and procedures and ensure that they are being followed and requested documents are being provided in a timely manner.

A tricky issue for mobile health app developers since the Office for Civil Rights (OCR) released its first “Health App Use Scenarios & HIPAA” guidance back in 2016 has been deciphering whether the developer is a business associate if it offers its app on a consumer-facing basis as well as through covered entities (or their business associates).  I wrote about this at the time, highlighting the “maybe”:  whether a health app is acting as a business associate and subject to HIPAA depends on how an individual accesses the app. If the app is offered by or through a covered entity health plan or health care provider, the health data created, received, maintained or transmitted via the app is subject to HIPAA.  If the same app is accessed as a “direct-to-consumer” product, it is not.

This past week, OCR announced a new resource page for mobile health app developers.   The “maybe” is still there — the resource page includes the same “Health App Use Scenarios & HIPAA” guidance from 2016.  However, the OCR has added  a page on “Access Right, Apps, and APIs” that includes new guidance on the relationship between health apps and HIPAA.   As described in my August 17, 2020 post, the 21st Century Cures Act and implementing regulations adopted this past May generally require health care providers, plans, and many types of health information technology vendors to allow individuals to access electronic health information by way of a mobile health app.   Consumer use of health apps, whether provided by a health care provider, health plan, electronic health records company, or other entity subject to HIPAA, or whether purchased or accessed directly by the consumer without involvement of these persons or entities, is likely to steadily increase.

The “Access Right, Apps, and APIs” guidance includes its own tricky “maybe” when it comes to apps developed by or on behalf of an electronic health records system:

Q: Where an individual directs a covered entity to send ePHI to a designated app, does a covered entity’s electronic health record (EHR) system developer bear HIPAA liability after completing the transmission of ePHI to the app on behalf of the covered entity?

A: The answer depends on the relationship, if any, between the covered entity, the EHR system developer, and the app chosen by the individual to receive the individual’s ePHI. A business associate relationship exists if an entity creates, receives, maintains, or transmits ePHI on behalf of a covered entity (directly or through another business associate) to carry out the covered functions of the covered entity. A business associate relationship exists between an EHR system developer and a covered entity. If the EHR system developer does not own the app, or if it owns the app but does not provide the app to, through, or on behalf of, the covered entity – e.g., if it creates the app and makes it available in an app store as part of a different line of business (and not as part of its business associate relationship with any covered entity) – the EHR system developer would not be liable under the HIPAA Rules for any subsequent use or disclosure of the requested ePHI received by the app.

If the EHR system developer owns the app or has a business associate relationship with the app developer, and provides the app to, through, or on behalf of, the covered entity (directly or through another business associate), then the EHR system developer could potentially face HIPAA liability (as a business associate of a HIPAA covered entity) for any impermissible uses and disclosures of the health information received by the app. For example, if an EHR system developer contracts with the app developer to create the app on behalf of a covered entity and the individual later identifies that app to receive ePHI, then the EHR system developer could be subject to HIPAA liability if the app impermissibly uses or discloses the ePHI received.

Understanding whether HIPAA applies to the information accessed (or created, stored, or sent) in this manner is critical for covered entities, business associates, and individuals alike.  And even though a health app developer that markets directly to consumers may not be providing services on behalf of a covered entity or business associate and not be subject to HIPAA, the developer should make sure the individual using the health app understands how their individually identifiable health information is (and is not) protected.

The Office for Civil Rights within the Department of Health and Human Services (OCR) provided guidance in June that reassured covered entity health care providers and that it is generally OK to use or disclose protected health information (PHI) to contact individuals who have recovered from COVID-19 for case management and care coordination.

The OCR has now updated the guidance (“Guidance”) to clarify that health plans may also use or disclose PHI  for purposes of contacting individuals who have recovered from COVID-19 about donating plasma containing antibodies .  The Guidance also emphasizes neither health care providers nor health plans can receive any payment from or on behalf of a blood or plasma donation center in exchange for making  these communications without first getting each individual’s written authorization.   Accordingly, both types of covered entities must carefully navigate when such outreach is considered “marketing” and requires prior authorization.

The HIPAA regulations define “marketing” as making “a communication about a product or service that encourages recipients of the communication to purchase or use the product or service,” unless an exception applies.  Exceptions include situations involving communications for treatment and specified  purposes involving the covered entity’s “health care operations” (as that term is defined in the regulations), as long as the covered entity does not receive “financial remuneration” in exchange for making the communication. The regulations define “financial remuneration” as “any direct or indirect payment from or on behalf of a third party whose product or service is being described,” but does not include “any payment for treatment of an individual.”  45 C.F.R. 164.501.

Interestingly, the Guidance does not precisely track the marketing definition and its exceptions, but interprets the “health care operations” exception for “case management or care coordination … and related functions”  as permitting the use of PHI for this type of outreach, as long as no financial remuneration is involved.

This means that there are certain situations in which a health plan or health care provider that is a covered entity may use and/or disclose PHI of recovered COVID-19 patients to encourage them to donate plasma, and others in which it may not (without first getting the patients’ written HIPAA authorizations):

Allowed:  a covered entity may use member or patient information to contact the covered entity’s own members or patients to encourage them to donate plasma, if: (i) it is to facilitatd the supply of donated plasma would be expected to improve case management for infected individuals; and (ii) the covered entity does not receive financial remuneration from or on behalf of any blood or plasma donation center

 Allowed:  a covered entity may disclose member or patient information to a blood or plasma donation center that is acting as its business associate in order to improve the covered entity’s ability to conduct case management [while not expressly mentioned in the Guidance, if the center pays the covered entity, the existence of a business associate agreement may not protect the center from allegations that it is really an improper marketing arrangement]

X    Not Allowed:  a  covered entity MAY NOT disclose member or patient information to a blood or plasma donation center so that the donation center can reach out to recovered individuals for its own purposes, even if the plan or provider does not receive financial remuneration in exchange for the PHI

X    Not Allowed:  a covered entity MAY NOT use member or patient information to contact those recovered from COVID-19 to encourage them to donate plasma, if the covered entity received financial remuneration from or on behalf of the blood or plasma to make the communication

In all cases, a covered entity that intends to rely upon the Guidance should carefully document all aspects of the planning and execution of the uses and disclosures of member or patient PHI, including the determination as to whether a HIPAA authorization is required, prior to the use or disclosure of PHI related to potential plasma donation.