
21st Century Cures Bill Could Weaken HIPAA Protections


Under current HIPAA legislation, Covered Entities (CEs) and their Business Associates (BAs) are not permitted to disclose the Protected Health Information (PHI) of patients without the patient's authorization, except when the PHI is used or disclosed for treatment, payment, or healthcare operations.

However, a new bill has now been drafted which would extend the permissible uses of PHI to include research. The bill is intended to remove some of the roadblocks that are preventing U.S. healthcare providers from developing new cures. HIPAA is perceived by many researchers as detrimental to the healthcare industry, slowing down research, innovation, and the development of new drugs and medical treatments.

The aim of the 21st Century Cures Bill is to alter the HIPAA Privacy Rule to allow healthcare providers to use PHI for research – or supply it to their BAs for that purpose – without express authorization being obtained from patients. Should the Cures Bill be passed, the Secretary of the Department of Health and Human Services would be required to update the HIPAA Privacy Rule within 12 months.

The discussion draft of the bill – released on 29th April – has certainly got healthcare professionals talking. Some researchers are praising the bill for removing some of the legislative obstacles currently hampering medical research. Privacy advocates, on the other hand, see the bill as seriously weakening HIPAA protections. According to consumer advocate Deborah Peel, M.D., founder of Patient Privacy Rights, the 21st Century Cures Bill includes “new provisions [that] are really out-of-date and clearly designed for paper consents – a total nightmare.”

In an interview with Information Security Media Group she said: “No data should ever be used except for a single purpose. It’s especially bad because today we have no ‘chain of custody’ for our health data. It’s impossible to know where in the world it is or how it’s being used. The risks of today’s ubiquitous data surveillance and collection systems are unknown. When has it ever been smart to agree to something you have no understanding of?” She also said the new legislation is “a very bad idea.”

The bill has been a long time coming. It has taken almost 12 months to draft, with Fred Upton, R-Mich., chairman of the House Energy and Commerce Committee, and Rep. Diana DeGette, D-Colo., ranking member of the Oversight and Investigations Subcommittee, issuing the bill this week.

The major change introduced in the bill is the lifting of the restriction on using PHI for research. Essentially, this means HIPAA would need to be amended so that a disclosure for research is treated the same as a disclosure made by the CE for billing purposes, provided that the disclosure is made only to a CE or a BA.

The only restriction imposed on a CE is that the disclosure of PHI must be limited to the “minimum necessary information” to achieve the desired purpose. There is also a provision in the bill that would allow patients to sign a one-time authorization permitting their PHI to be used for all future research.

The bill also suggests that remote access to PHI should be allowed, so that researchers would not be required to physically visit the CE in order to obtain data. A further change would allow a CE to be paid for providing PHI; currently, payment is not permitted other than to cover the costs of supplying the information.

According to David Holtzman, VP of compliance at CynergisTek, the current legislation “Give[s] an individual a choice when there is remuneration involved. The proposal would roll back important rights requiring patient permission when their health information is disclosed in exchange for payment.”

The discussion draft of the bill has been released, with the markup version expected on Thursday this week.

Author: HIPAA Journal

