Legislation , Privacy

Revised 21st Century Cures Bill Drops HIPAA Privacy Changes

House to Vote on Heavily Revamped Legislation This Week
Revised 21st Century Cures Bill Drops HIPAA Privacy Changes

The House of Representatives is slated to vote this week on a heavily reworked version of the 21st Century Cures bill that's aimed at helping to advance medical innovation. Dropped from the latest iteration of the bill, which was updated through House and Senate committee efforts - is a controversial provision that had called for significant changes to the HIPAA Privacy Rule.

See Also: Addressing the Identity Risk Factor in the Age of 'Need It Now'

The House in July 2015 passed a 309-page version of the measure (see Bill That Changes HIPAA Passes House). But similar legislation had stalled for more than a year in the Senate over funding disagreements and other issues.

The newest version of the now nearly 1,000-page bill, unveiled by the House on Nov. 26, includes new provisions and funding related to the Obama administration's Precision Medicine Initiative and Cancer Moonshot efforts.

"What we have in the 21st Century Cures Act is an innovation game-changer, a transformational bill to bring our health infrastructure light years ahead to best match the incredible breakthroughs that are happening by the day," according to a joint statement from House Energy and Commerce Committee Chairman Fred Upton, R-Mich., and Senate Health Education Labor and Pensions Committee Chairman Lamar Alexander, R-Tenn. "It is critical to remember that passing 21st Century Cures is the best way to ensure some of this funding occurs immediately in Fiscal 2017."

The House is slated to vote on the revised bill, which includes $6.3 billion in funding, on Nov. 30.

HIPAA Privacy Provision Dropped

Dropped from the updated proposal legislation was a controversial provision that called for the Secretary of U.S. Department of Health and Human Services to "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.

"The privacy elements of this [revised] bill are very much a small tail on a much bigger dog," says privacy attorney Kirk Nahra of the law firm Wiley Rein. "The current bill actually removes the two worst privacy provisions in the original legislation - the research provision, which would have had substantial unintended consequences, and a provision related to sale of PHI, which would have allowed drug companies to buy PHI simply by calling it [a] form [of] research purposes," says privacy attorney Kirk Nahra of the law firm Wiley Rein.

Nahra says the drug-research related provision "would have allowed drug companies to pay unlimited amounts to buy PHI for anything they considered research."

Under HIPAA, PHI is allowed to be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. Under the version of the legislation passed by the House last year, research would fall under the banner of "operations," meaning that patient authorization would not have been required for PHI use or disclosure for research purposes, if only covered entities or business associates, as defined under HIPAA, were involved in exchanging and using the data.

That provision has been dropped - and language related to the disclosure of PHI for research purposes has been significantly scaled back - in the newest version of the bill.

Instead, the heavily revised bill proposes to create a new working group to study issues related to the disclosure of PHI for research purposes.

The recrafted bill calls for the new working group to report to the HHS secretary about "recommendations on whether the uses and disclosures of protected health information for research purposes should be modified to allow protected health information to be available, as appropriate, for research purposes, including studies to obtain generalizable knowledge, while protecting individuals privacy rights."

'Kicking Can Down the Road'

Some privacy advocates are not surprised that the research proposal was watered down.

"The revised bill has far less impact on HIPAA than the previous version," notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine notes. Referring to the call for a working group, Greene notes, "Instead of providing for greater use of PHI for research without an individual's authorization, Congress more or less is kicking the can on the issue."

As for other HIPAA-related proposals included in the updated bill, Greene says, "The remaining HIPAA provisions merely call for guidance on remote access to PHI for research purposes that is largely consistent with existing guidance, and guidance on streamlining authorizations for research."

Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, notes that even if the House passes the new proposed legislation, nothing is yet set in stone. "It's important to consider that the draft legislation developed by the committee chairs of the Senate HELP committee and House Energy and Commerce Committee may not be the final version that will receive final passage," he says. "There are a lot of moving pieces and many, many competing interests."

The legislation also would require HHS' Office for Civil Rights to issue guidance to health information exchange organizations on best practices to ensure that electronic health information is protected and also guidance related to patients' rights to access to their health records.

"The requirement to issue guidance on patient access is surprising, in light of OCR having just released a very large guidance document on this topic earlier in the year," Greene says (see Patient Access to Records: The Requirements and Risks).

Other Proposals

Among other provisions in the updated legislation is an emphasis on health IT interoperability and secure health information exchange.

For example, the bill calls upon the National Coordinator for Health IT to convene appropriate public and private stakeholders to develop or support a framework for trust policies and practices, such as a common method for authenticating trusted health information network participants.

The bill also includes potential monetary penalties for organizations that participate in intentional and inappropriate information blocking - preventing or materially discouraging access, exchange or use of electronic health information as permitted by law.

"Any individual or entity ... that the [HHS] Inspector General, following an investigation ... determines to have committed information blocking shall be subject to a civil monetary penalty determined by the [HHS] Secretary for all such violations identified through such investigation, which may not exceed $1 million per violation," the legislation notes.

Mental Health Info Sharing

The updated legislation also proposes reforms aimed at improving the nation's mental health system.

It calls upon HHS' Office for Civil Rights to "ensure that healthcare providers, professionals, patients and their families, and others involved in mental or substance use disorder treatment have adequate, accessible, and easily comprehensible resources relating to appropriate uses and disclosures of protected health information under HIPAA." That includes requiring OCR to issue new guidance related to the disclosure of mental health and substance abuse PHI.

"The mental health provisions contained in the 21st Century Cures Act direct the OCR to develop methods by which PHI of adults receiving substance abuse treatment can be shared with caregivers," Holtzman notes. "The implication is that Congress wants the privacy rule modified to permit sharing of this type of PHI with family members and others close to the person suffering from addiction."

Deborah Peel, M.D., a psychoanalyst and founder of advocacy group Patient Privacy Rights, says the mental health information proposals in the bill could potentially do more harm than good for some patients.

"If these passages remain, people will do all they can to delay treatment, lie and omit information, and even avoid desperately needed care," she claims. "The more patients feel spied upon, used and sold, the less willing they are to speak with health professionals. ...There is nothing 'compassionate' about stripping people with mental illness and addiction of the very condition, privacy, they desperately need to trust and talk openly with mental health professionals. Privacy is an absolute requirement for trust in therapists and analysts."

Patient Information Matching

The bill also would require that the General Accountability Office study the issue of matching all patient data obtained from various sources, such as through health information exchange, to the correct individual to help ensure appropriate treatment decisions are made.

It would require GAO to study whether ONC could improve patient matching by taking such steps as defining additional data elements to assist in patient data matching; agreeing on a required minimum set of elements that need to be collected and exchanged; requiring electronic health records to have the ability to make certain fields required; and using specific standards.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

Marianne Kolbasuk McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network