21st Century Cures Bill and HIPAA Privacy

The 21st Century Cures Bill and HIPAA Privacy Rule protections cannot both remain in their current format. The Cures Bill should remove many of the roadblocks that are holding back research, but for that to happen the Privacy Rule must be altered.

The Cures Bill has been introduced to help ensure that the U.S. is at the forefront of medical research, and develops the new cures that will be necessary to protect Americans from new viruses and diseases in the future. However, research is being hindered by poor interoperability and some pesky restrictions that were introduced with the Privacy Rule of the Health Insurance Portability and Accountability Act.

Under HIPAA, patient privacy is protected and Covered Entities (CEs) and their Business Associates (BAs) must not disclose any Protected Health Information (PHI) to any unauthorized third parties without prior consent having been obtained from the patient. Information cannot be shared for research purposes either, unless the data has been de-identified – I.e. Personally Identifiable Information (PII) has been stripped out first. The Cures Bill will remove this restriction.

21st Century Cures Bill and HIPAA Privacy Rule Protections

The discussion draft of the 21st Century Cures Bill has now been released and detailed in that draft is the need for a change to the HIPAA Privacy Rule – within 12 months of the passing of the bill – to allow PHI to be used by healthcare providers for research purposes.

CEs will therefore be able to use data without de-identification or having to obtain patient authorization. The bill also allows the covered entity to charge an organization for providing PHI for research purposes and it would not be necessary for the research organization to visit the CE for the data, which could be transmitted securely instead.

There is a restriction placed on the use of PHI, which must be restricted to “minimum necessary information,” but otherwise healthcare providers would be able to use PHI as they see fit. The legislation does include a provision which would allow a patient to sign a single consent form allowing their data to be used for any and all future research.

Not Everyone is in Favor of the Cures Bill

Medical research ultimately benefits patients as new treatments and cures can be brought to the market faster. The use of PHI for research is essential according to many medical professionals, and the new bill has received a considerable amount of support from the healthcare industry.

Not everyone is happy with the bill. Privacy groups have protested over the bill as it weakens the protections provided by HIPAA. According to Deborah Peel, M.D., founder of Patient Privacy Rights. The bill’s “new provisions are really out-of-date and clearly designed for paper consents – a total nightmare.”

The discussion draft will be followed by a mark-up version later this week and after the full discussion period the bill with go before the House for the vote, with proponents of the bill hopeful it will sail through and be on Obama’s desk before the end of the year.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news