21st Century Cures Act Awaits President's SignatureSenate Enacts Bill Containing Several Privacy, Security Provisions
President Obama is expected to soon sign the 21st Century Cures Act, which, among its long list of provisions, lays out a number of privacy and security-related projects for the Department of Health and Human Services, including fining organizations that intentionally block health data information sharing.
While some privacy experts call the bill's privacy and security provisions "modest," others say its new funding for HIPAA compliance training could help address lingering confusion about allowable uses and disclosures of certain information, especially mental health and substance abuse records.
The measure, which passed the Senate Dec. 7 in a 94 to 5 vote, won House approval on Nov. 30. The White House says Obama expects to sign the legislation on Dec. 13. The wide-ranging legislation provides $6.3 billion to accelerate the advancement of medical innovation as well as reform the nation's mental health system and address the opioid and heroin addiction crisis.
The Obama administration has been a strong supporter of the bill, which is designed, in part, to speed up approval of new medications and medical devices by the Food and Drug Administration. It also contains provisions for the President's Precision Medicine Initiative and Vice President Joe Biden's Cancer Moonshot effort.
Senate Health Committee Chairman Lamar Alexander, R-Tenn. called the legislation "the most important bill of the year." In a statement following the Senate's passage, he said, "This bipartisan legislation ... will help us take advantage of the breathtaking advances in biomedical research and bring those innovations to doctors' offices and patients' medicine cabinets around the country ... and it will help states in the fight against opioid abuse and the one in five adults in this country suffering from a mental illness."
HIPAA Provision Replaced
Legislators have been working on the bill for nearly three years. Stripped from the bill that ultimately was passed by both chambers of Congress was a controversial proposed change to HIPAA. The dropped provision would have allowed patients' protected health information to be used and disclosed for research purposes without their authorization under certain circumstances.
Instead, the bill now calls for a working group to report to the HHS secretary about "recommendations on whether the uses and disclosures of protected health information for research purposes should be modified to allow protected health information to be available, as appropriate, for research purposes, including studies to obtain generalizable knowledge, while protecting individuals' privacy rights."
Privacy attorney Kirk Nahra of the law firm Wiley Rein notes: "There will be ongoing reports about potential future changes related to research, but any actual change - if any change is needed at all - is a long way away."
Privacy, Security Provisions
Among the provisions related to privacy and security in the bill are:
- Imposing civil monetary penalties for organizations that participate in intentional and inappropriate information blocking - preventing or materially discouraging access, exchange or use of electronic health information as permitted by law;
- Improving the sharing of mental health data, including requiring HHS' Office for Civil Rights to issue new guidance related to the disclosure of mental health and substance abuse protected health information under HIPAA;
- Requiring that the General Accountability Office study the issue of matching all patient data obtained from various sources, such as through health information exchange, to the correct individual to help ensure appropriate treatment decisions are made.
Nahra contends the bill contains only "relatively modest" privacy provisions that "won't have any large impact."
In reference to the provision calling for financial penalties for information blocking violations, Lee Kim, director of privacy and security at the Healthcare Information and Management Systems Society, suggests that additional HHS guidance might be needed.
"It would be interesting to see if there is any clarification by rulemaking in terms of what does not constitute information blocking and especially if there are any intellectual property ramifications," she says. "If health information technology is patented, for example, then the patent owner has the right to exclude others from making, using, or selling the claimed invention."
The legislation calls upon HHS' Office for Civil Rights to "ensure that healthcare providers, professionals, patients and their families, and others involved in mental or substance use disorder treatment, have adequate, accessible, and easily comprehensible resources relating to appropriate uses and disclosures of protected health information under HIPAA."
Specifically, the bill proposes appropriation authorized funding totaling $10 million over four years for OCR to work with experts to develop and disseminate HIPAA training for healthcare providers, as well as patients and their families, regarding the permitted uses and disclosures of PHI of patients seeking or undergoing mental health or substance use-related treatment.
Some experts say the HIPAA training provision will prove helpful as long as it addresses common areas of confusion among different types of healthcare entities and professionals.
"My hope is that the money can be used to create user-tested training that is specific to each job function. The training for regulatory compliance staff, for example, should be very different than the training for a therapist," says privacy attorney Adam Greene of the law firm Davis Wright Tremaine.
Due to limited time and resources, organizations often deploy "cookie-cutter training" that is not tailored to particular job functions, he contends. "For example, training of a nurse may need to focus on recognizing when a patient makes a request for access or amendment that falls under the [HIPAA] Privacy Rule and to whom to refer the patient. In contrast, a health information management director may need to understand how to respond to the request, including what fees may be charged and how to distinguish between a patient request and a third-party request. Instead, organizations often reply on a generic 'HIPAA 101' training that does not meet the needs of either job function."
Greene says his biggest concern with the provision is that generic training, even specific to different job functions, cannot address an organization's unique policies and procedures. "Especially with respect to security practices, it will be imperative to supplement any government-provided training with education on the organization's specific policies and procedures."
But Nahra questions whether a new mandate for additional OCR-developed guidance and training material is necessary.
"The problem with the mental health provisions and the training proposal is that there is perfectly fine flexibility in the rules now, but that is often hard to apply in practice," he says. "HIPAA provides an opportunity to use professional judgment to provide information to people like caregivers."
On the other hand, "there isn't a 'safe harbor' if someone gets this wrong - although there also isn't any realistic risk of enforcement either," Nahra adds.
Among other provisions in the legislation is an emphasis on health IT interoperability and secure health information exchange.
For example, the bill calls upon HHS' Office of the National Coordinator for Health IT to convene appropriate public and private stakeholders to develop or support a framework for trust policies and practices, such as a common method for authenticating trusted health information network participants.
The bill also includes potential monetary penalties for organizations that participate in intentional and inappropriate information blocking - preventing or materially discouraging access, exchange or use of electronic health information as permitted by law.
"Any individual or entity ... that the [HHS] Inspector General, following an investigation ... determines to have committed information blocking shall be subject to a civil monetary penalty determined by the [HHS] Secretary for all such violations identified through such investigation, which may not exceed $1 million per violation," the legislation notes.