Skip to main content

Guidance for Donor and Recipient Information Sharing

Introduction and Goals

For years, various organizations and individuals have made efforts to provide guidance to organ procurement organizations (OPO) and transplant centers in how to share information with each other about organ donors and organ recipients. Yet the organ donation and transplantation community still struggles to develop a consistent standard. It is well documented that one of the most powerful ways to advance organ donation is by word of mouth from those who have been personally touched by donation or transplantation. The sharing of basic information, while maintaining appropriate confidentiality protections, is an important part of ensuring a positive donation and transplant experience. At the request of the former Organ Procurement and Transplantation Network (OPTN) President, Charles Alexander RN, MSN, MBA, the Association of Organ Procurement Organizations (AOPO) and its Donor Family Services Council, the Organ Procurement and Transplantation Network and United Network for Organ Sharing were asked to examine the current communication practices and establish recommendations for information sharing between living donors and deceased donor families and the respective recipients.

With the goal of standardizing guidelines for OPO and transplant center staff regarding the routine sharing of information between deceased donor families, living donors and recipients, a Task Force was formed. On April 28, 2011 in Chicago, representatives from the following national organizations convened:

  • Organ Procurement and Transplantation Network (OPTN);
  • United Network for Organ Sharing (UNOS);
  • Health Resources and Services Administration (HRSA);
  • Association of Organ Procurement Organizations (AOPO);
  • National Kidney Foundation (NKF);
  • North American Transplant Coordinators Organization (NATCO);
  • Representatives from transplant centers and OPOs;
  • Individuals with legal and ethical experience; and
  • Donor families and living donors. (Appendix 1)

Background

OPOs have long recognized the benefit of providing feedback about the recipient to the donor family. However, transplant personnel are often concerned about the breach of confidentiality that might occur. Transplant administrators welcome the Task Force’s initiative of standardizing how information is shared as they are aware of the wide variety of practices that exist and would like guidance not only on how to share information but what information can be shared. Reasons why transplant programs may be reluctant to routinely share recipient follow-up information with OPOs include the following:

  • Concerns over potential Health Insurance Portability and Accountability Act (HIPAA) violations and other confidentiality obligations;
  • Previous situations where information shared was not appropriately handled due to a lack of guidelines or inadequate staffing or procedures;
  • Privacy as a top priority risk issue for some hospitals, but for others it is not; and the interpretation of that issue varies widely; and
  • Inadequate staffing and resources.

There is a distinct difference in sharing information in deceased donation as compared to living donation. Living donors are capable of making their own decisions regarding how much information they are willing to share with recipients and because these disclosures are treated differently under HIPAA. Because the living donation event is scheduled and planned in advance, exploring the scope of desired information sharing and the use of HIPAA release forms is possible and appropriate. Further, in the living donation context often the donors and recipients already know each other thus reducing the need in those cases to protect the confidentiality of the donor and recipients’ identities. For this reason, separate standards and guidelines are needed for deceased donation and living donation.

Process

The Task Force formed two work groups that focused on recommendations for deceased donors and non-directed living donors. Each work group was given the following tasks:

  • Developing recommendations for constituent responsibilities;
  • Determining how the exchange of information should be handled;
  • Describing how information should be communicated;
  • Clarifying the legal and ethical issues and identify solutions; and
  • Identifying influential factors in the decision-making process such as potential associated costs to implement best practices.

Although in 2010, there were only about 200 non-directed living donors, it is anticipated that this number will increase. As such, the Task Force recognized that hospital staff who care for this group of donors needs guidance on how to share information. During the meeting, the Task Force Work Groups recognized the value of creating a “Toolkit” that will provide the necessary tools to assist OPOs and transplant centers with donor, donor family and recipient information sharing in developing their own protocols. To this end, they also identified information, resources and aids that will be included in such a “Toolkit.”

Recommendations

The Deceased Donor Work Group recognized that the OPO and transplant center coordinate communication between the donor or donor family and recipient. Information that should be routinely shared should be non-identifiable and general. Information routinely shared should not include any specific information that could contribute to the identification of a donor or recipient or be a potential breach of privacy. For example, information about the cause of death, if a homicide or high profile accident, that might be covered in the media combined with the general geographic area and gender, could enable identification of the donor. As each donation case differs, so may the amount of information the donor family and recipient/recipient’s family is willing to share. However, routine sharing of some basic information is important to the individual experience of donation and transplant and should be standard practice.

Deceased Donor Work Group Recommendations

  1. Donor information should only be shared with those hospital professionals who need the information to perform their individual job in a safe and competent way (i.e. OR nurse).
  2. Deceased donor information routinely shared with the recipients/recipient families should be limited to information required as part of the recipient informed consent process for transplantation. This information should never make it possible to identify the donor and should not include geography information (either the donor’s place of residence or hospital where donation took place), specific age or circumstance of death unless the information is clinically relevant to the transplant recipient informed consent discussion.
  3. Recipient information routinely shared with the donor family should be limited to:
    • age, describe by decade for adults (defined as 19 years and older);
    • “child” would designate a recipient 12 years and under;
    • “adolescent” would designate a recipient ages 13 to 19 years of age;
    • general health status (general condition, not specific medical information), immediately after transplant and 30 days post-transplant;
    • gender; and
    • sex.
  4. The following information should not be disclosed: 1) religion; 2) specific diagnosis; 3) ethnicity and race; 4) sexual orientation; 5) chronic illness unrelated to the donation; and 5) mechanism of injury or death.
  5. The OPO and transplant center should review all letters written by the donor family and recipient to determine the nature of their intent, their desire to communicate more specific information. It should also be confirmed that there are no threats or requests for monetary compensation. Information of concern may include information about family status or employment. Donor families and recipient/recipient families should be advised that some types of information can lead to identification and that once the information is provided neither the OPO nor the transplant center will have control over it.
  6. If the parties mutually agree to communicate directly with each other, the OPO and transplant center can remove them from the process once they are comfortable with the appropriateness of information sharing or the mutual wishes of the parties.
  7. Recognizing that each donor family and recipient has different needs and varying circumstances, requiring a waiting period for communication is optional. Therefore, there are no specific recommendations for a waiting period before the exchange of information takes place. This decision to receive or respond to communication should be made by the parties involved.
  8. OPOs should be responsible for identifying the point-of-contact at each of their transplant centers in their donation service area and identifying the acceptable mode of contact (e.g. secure email, phone call, and letter). Information about “point-of-contact” for each transplant center will be available on the AOPO Portal.
  9. Transplant center points of contact should respond to any OPO request for information sharing in a timely manner.
  10. The deceased donor work group recommends that transplant centers incorporate HIPAA regulations/language and exceptions (Appendix 2) pertinent to organ donation and transplantation into their relevant hospital policy.

Living Donor and Recipient Recommendations

The Living Donor Work Group considered the special circumstances and variables that can come into play when information is exchanged between a living donor and their intended recipient. If the living donor and the intended recipient are socially connected, then the exchange of information can be determined on a case by case basis. However, in the special cases of kidney paired donation and the use of non-directed donors, if and/or what information may be shared about the donor or the intended recipient may become very complicated. Living donors, who initially refuse the exchange of donor and recipient information, may be asked to reconsider exchanging information during their two years of required post donation follow-up. In all cases, not sharing any information about the living donor must be the default.

Living Donor Work Group Recommendations

  1. If the sharing of information occurs, HIPAA authorization is required.
  2. Consider developing a checklist where potential donors and recipients can indicate what information they are willing to share as a component of the consent process. This information could include age, gender, occupation, hobbies, family status, why the transplant was needed or why the donor wished to donate.
  3. Final consent for exchange of their information should be obtained post-operatively because living donors may change their mind after the actual donation.
  4. Ensure that the living donor maintains the ability to “opt out” of the donation process at any time for reasons that will remain confidential.
  5. If the living donor has agreed to the exchange of information about his or herself:
    1. Educate at the beginning of the process about Centers for Medicare and Medicaid Services (CMS) requirements and current and / or future UNOS requirements.
    2. Any information exchanged about a potential living donor and the organ transplant candidate must be revealed in a controlled and private environment that maintains maximum confidentiality to the extent possible.
    3. Only specially trained staff and/or those directly involved in the donation (e.g. surgeons, coordinators, independent donation advocate (IDA)) share information. OPO staff can be involved with information sharing only if the OPO is involved with the living donation (for example, coordination of paired exchange).

Health Insurance Portability and Accountability Act (HIPAA) Privacy Regulations: Legal Summary

  1. Under HIPAA, Transplant Centers are Covered Entities but OPOs are NOT1. This means that Transplant Centers are bound to comply with HIPAA but OPOs do not have the same legal requirements. OPOs are also not considered Business Associates of Transplant Center or hospitals. OPOs may be subject to other general state privacy laws.
  2. Identifiable Personal Health Information (PHI) under HIPAA includes name, UNOS ID (as a unique identifier), date of birth and date of death. A patient’s general status is not considered PHI under HIPAA. The HIPAA regulations extend privacy protections to deceased patients for a period of five years after death.
  3. The following HIPAA exception allows Covered Entities such as hospitals to disclose PHI to OPOs, without authorization from the patient/family, for purposes of coordinating deceased donation. Regulation §164.512 (h): Standard: Uses and disclosures for cadaveric organ, eye, or tissue donation purposes. A covered entity may use or disclose protected health information to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating organ, eye or tissue donation and transplantation.
  4. Information disclosed by the transplant center to the OPO in order to coordinate deceased donation may then be disclosed by the OPO to other parties (for example other recipient centers). These additional disclosures should be made in a manner that protects patient confidentiality even though HIPAA does not specifically govern. OPOs should provide assurance to their hospitals and transplant centers through its Memorandum of Understanding (MOU) that identifiable health information disclosed to the OPO will be maintained as confidential and used and disclosed only as necessary to coordinate the donation and transplant.
  5. The exception under 164.512(h), if interpreted broadly, may include the transplant center’s disclosure of transplant recipient outcome information to the OPO because this is a standard part of the “coordination of the donation” and does not include information more specific than general health status (such as, “no longer hospitalized and doing well at home.”) If there is concern regarding the applicability of the HIPAA exception to this transplant outcome disclosure it can be addressed either in the Memorandum of Understanding between the OPO and the transplant center or by including this disclosure in the HIPAA authorization the transplant recipient signs with the center for use and disclosure of PHI in order to coordinate care.
  6. The use and disclosure of PHI in the living donation context does not have an exception under HIPAA, and therefore requires specific authorization. Given that living donation is planned in advance, there is opportunity to appropriately address HIPAA authorization by the living donor and the recipient in advance of the donation and transplant. The potential need for disclosure in order for insurance coverage and payment should be addressed. Also the authorization should include all of the entities that need to obtain, use and disclose PHI in order to coordinate the donation and transplant (for example, the paired exchange program, the recipient center, the donor center etc).

Toolkit

The Task Force recommended the creation of a “Toolkit” that would include materials to assist hospitals and organ procurement organizations with donor and recipient information sharing. This Toolkit will include:

  • Sample language for information sharing
  • Sample language for the OPO-Transplant Center memorandum of agreement (MOA) addressing confidentiality of donor and recipient information shared as part of coordinating the donation and transplant including recipient outcome information
  • Sample form for routine recipient outcome information exchange
  • Sample of transplant center policies for screening initial contact letters
  • Standard list of “Need to Know” staff at the transplant center
  • Optimal practices for maintaining confidentiality of donor information
  • Sample HIPAA authorization form for living donation
  • Written guidance explaining benefits and considerations of contact between deceased donor families and recipients/recipient families
  • Guidance Document

Conclusions

The OPTN recommends that members strive to ensure that EVERY recipient thanks their donor and/or donor family for their life saving gift.

The sharing of basic recipient outcome information with the deceased donor family is important and should be considered routine. Transplant centers and OPOs must understand the legal and regulatory context for these disclosures and develop a standard process for sharing this information. This may be accomplished by:

  • relying on the HIPAA exception for coordinating deceased donation or
  • addressing recipient outcome disclosures in the OPO-Transplant Center MOA or in a HIPAA authorization form signed by the recipients.

Transplant centers should:

  1. share the minimal amount of necessary information about deceased donors with appropriate persons directly involved with the transplant;
  2. educate staff on HIPAA regulations and their applicability to deceased donor PHI; and
  3. develop their own policy with input from the OPO specifically addressing donor and recipient information sharing.

Living donation programs should develop policies and HIPAA authorization forms to address information sharing in the living donation context. For non-directed living donations, it is important to ask the recipient at their 1-year post transplant follow up if they would be willing to share information about themselves with the living donor that they did not at the time of donation.

Educating and understanding the importance of sharing donor and recipient information needs to occur with surgeons and privacy officers, as well as, OPO staff and administrators.

All transplant-related hospital departments should address donor and recipient information sharing. Confidentiality requirements are incorporated into OPO-Hospital MOAs as warranted.

Appendix 1

Charlie Alexander

Executive Director, Living Legacy Foundation President, OPTN

Elling Eidbo

Executive Director, AOPO

Eleanor Haley

Donor Family Council, AOPO

Raelene Skerda

Public Health Analyst,

Jennifer Martin

Director of Constituent Services, NKF

Alexandra K. Glazier, Esq.

VP & General Counsel for NEOB

Bill Hasskamp

North American Transplant Coordinators Organization

Brian Shepard

Director, UNOS Policy Department

Mary Nachreiner

Vice President for Patient/Donor Affairs, UNOS Board of Directors Community/Donor Family Services for Univ. of Wisconsin Hospital and Clinics

Melissa Roberts, MSN, RN

Transplant Quality and Compliance Officer University of Chicago Medical Center

Mike Thibault

Program Manager, Heart Failure/Heart Transplant VCU Health System

OPTN Transplant Coordinators Committee

Pattie Manning

Transplant Clinical Manager Integris Baptist Medical Center

OPTN Transplant Coordinators Committee

Sara O’Loughlin

Administrative Director

University of Wisconsin Transplant

OPTN Transplant Administrators Committee

Sharon Mathews

Clinical Manager

UMass Memorial Medical Center

OPTN Transplant Administrators Committee

Kim McMahon

Executive Director

William Rollings McMahon Organ Donation Educational Foundation OPTN Patient Affairs Committee

Doni Bell

Senior Donor Services Coordinator The Living Legacy Foundation

OPTN Patient Affairs Committee

Lori Brigham

President / Chief Executive Officer Washington Regional Transplant Community Organ Procurement Organization

Meredith Harrison

Chief Compliance Officer

Howard University Health Sciences Organ Procurement Organization

Catherine Cullen

Living Donor to Mother

OPTN Living Donor Committee

Helen Smunt

Living Donor to Daughter

Appendix 2

§ 164.514 Other requirements relating to uses and disclosures of protected health information.

  1. Standard: De-identification of protected health information. Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual is not individually identifiable health information.
  2. Implementation specifications: Requirements for de-identification of protected health information.

A covered entity may determine that health information is not individually identifiable health information only if:

  1. A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:
    1. Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and
    2. Documents the methods and results of the analysis that justify such determination; or

      (2)(i) The following identifiers of the individual or of relatives, employers, or household members of the individual, are removed:

      1. Names;
      2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
        1. The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
        2. The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
      3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
      4. Telephone numbers;
      5. Fax numbers;
      6. Electronic mail addresses;
      7. Social security numbers;
      8. Medical record numbers;
      9. Health plan beneficiary numbers;
      10. Account numbers;
      11. Certificate/license numbers;
      12. Vehicle identifiers and serial numbers, including license plate numbers;
      13. Device identifiers and serial numbers;
      14. Web Universal Resource Locators (URLs);
      15. Internet Protocol (IP) address numbers;
      16. Biometric identifiers, including finger and voice prints;
      17. Full face photographic images and any comparable images; and
      18. Any other unique identifying number, characteristic, or code, except as permitted by paragraph (c) of this section; and

    (ii) The covered entity does not have actual knowledge that the information could be used alone or in combination with other information to identify an individual who is a subject of the information.

  • Implementation specifications: Re-identification. A covered entity may assign a code or other means of record identification to allow information de-identified under this section to be re-identified by the covered entity, provided that:
    1. Derivation. The code or other means of record identification is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual; and
    2. Security. The covered entity does not use or disclose the code or other means of record identification for any other purpose, and does not disclose the mechanism for re-identification.

(d)(1) Standard: Minimum necessary requirements. In order to comply with §164.502(b) and this section, a covered entity must meet the requirements of paragraphs (d)(2) through (d)(5) of this section with respect to a request for, or the use and disclosure of, protected health information.

  1. Implementation specifications: Minimum necessary uses of protected health information.
    1. A covered entity must identify:
      1. Those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and
      2. For each such person or class of persons, the category or categories of protected health information to which access is needed and any conditions appropriate to such access.
    2. A covered entity must make reasonable efforts to limit the access of such persons or classes identified in paragraph (d)(2)(i)(A) of this section to protected health information consistent with paragraph (d)(2)(i)(B) of this section.
  2. Implementation specification: Minimum necessary disclosures of protected health information.
    1. For any type of disclosure that it makes on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information disclosed to the amount reasonably necessary to achieve the purpose of the disclosure.
    2. For all other disclosures, a covered entity must:
      1. Develop criteria designed to limit the protected health information disclosed to the information reasonably necessary to accomplish the purpose for which disclosure is sought; and
      2. Review requests for disclosure on an individual basis in accordance with such criteria.
    3. A covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when:
      1. Making disclosures to public officials that are permitted under §164.512, if the public official represents that the information requested is the minimum necessary for the stated purpose(s);
      2. The information is requested by another covered entity;
      3. The information is requested by a professional who is a member of its workforce or is a business associate of the covered entity for the purpose of providing professional services to the covered entity, if the professional represents that the information requested is the minimum necessary for the stated purpose(s); or
      4. Documentation or representations that comply with the applicable requirements of

    §164.512(i) have been provided by a person requesting the information for research purposes.

  3. Implementation specifications: Minimum necessary requests for protected health information.
    1. A covered entity must limit any request for protected health information to that which is reasonably necessary to accomplish the purpose for which the request is made, when requesting such information from other covered entities.
    2. For a request that is made on a routine and recurring basis, a covered entity must implement policies and procedures (which may be standard protocols) that limit the protected health information requested to the amount reasonably necessary to accomplish the purpose for which the request is made.
    3. For all other requests, a covered entity must:
      1. Develop criteria designed to limit the request for protected health information to the information reasonably necessary to accomplish the purpose for which the request is made; and
      2. Review requests for disclosure on an individual basis in accordance with such criteria.
  4. Implementation specification: Other content requirement. For all uses, disclosures, or requests to which the requirements in paragraph (d) of this section apply, a covered entity may not use, disclose or request an entire medical record, except when the entire medical record is specifically justified as the amount that is reasonably necessary to accomplish the purpose of the use, disclosure, or request.

§164.508 (b)(4) Prohibition on conditioning of authorizations. A covered entity may not condition the provision to an individual of treatment, payment, enrollment in the health plan, or eligibility for benefits on the provision of an authorization, except:

  1. A covered health care provider may condition the provision of research-related treatment on provision of an authorization for the use or disclosure of protected health information for such research under this section;
  2. A health plan may condition enrollment in the health plan or eligibility for benefits on provision of an authorization requested by the health plan prior to an individual's enrollment in the health plan, if:
    1. The authorization sought is for the health plan's eligibility or enrollment determinations relating to the individual or for its underwriting or risk rating determinations; and
    2. The authorization is not for a use or disclosure of psychotherapy notes under paragraph (a)(2) of this section; and
  3. A covered entity may condition the provision of health care that is solely for the purpose of creating protected health information for disclosure to a third party on provision of an authorization for the disclosure of the protected health information to such third party.
  1. Revocation of authorizations. An individual may revoke an authorization provided under this section at any time, provided that the revocation is in writing, except to the extent that:
    1. The covered entity has taken action in reliance thereon; or
    2. If the authorization was obtained as a condition of obtaining insurance coverage, other law provides the insurer with the right to contest a claim under the policy or the policy itself.
  2. Documentation. A covered entity must document and retain any signed authorization under this section as required by §164.530(j).

§164.530(j)(1) Standard: Documentation. A covered entity must:

  1. Maintain the policies and procedures provided for in paragraph (i) of this section in written or electronic form;
  2. If a communication is required by this subpart to be in writing, maintain such writing, or an electronic copy, as documentation; and
  3. If an action, activity, or designation is required by this subpart to be documented, maintain a written or electronic record of such action, activity, or designation.

1 There are some hospital-based OPOs that may be considered Covered Entities under HIPAA.

Created: 02/17/2012