Bill Altering HIPAA Privacy Rule AdvancesLegislation Is Designed to Boost Medical Research, Innovation
An amended version of the bipartisan 21st Century Cure bill, which aims to advance medical innovation, has passed its first Congressional hurdle without any revisions to controversial provisions that propose to make significant changes to the HIPAA Privacy Rule.
In addition to the privacy provisions, the bill calls for penalizing vendors of electronic health records and other health IT systems that fail to meet standards for interoperable and secure information exchange. Plus, the bill also contains provisions for potential civil monetary penalties against healthcare entities that inappropriately block information sharing.
Removing Research Barriers
The House Energy and Commerce's health subcommittee on May 14 approved a 302-page "markup," or amended, version of the 21st Century Cure bill that was first unveiled on April 29 and forwarded it to the full committee for the next round of work on the legislation (see: Health Research Bill Would Alter HIPAA). The full committee is expected to prepare its markup of the bill next week.
The version of the bill approved by the subcommittee proposes that the Secretary of Health and Human Services would "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.
Under the current HIPAA Privacy Rule, PHI is allowed be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If the proposed provision in the draft legislation is signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if covered entities or business associates, as defined under HIPAA, are involved.
That provision - as well as many others in the bill - aim to help fuel more speedy research development and availability to patients of promising medical treatments and devices, in part, by removing barriers. But some privacy advocates are opposed to the HIPAA-related provisions because of the potential of watering down patient control over how sensitive health information is used or disclosed.
"This legislation will bring into the public forum the question of whether the road to developing the 21st century advances in healthcare requires removing individual choice and control in how health information is disclosed and whether [individuals] have a say when their treatment information is sold by healthcare providers, insurers or the business associates who have access to this information," says privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek.
If the legislation is signed into law with the existing proposals related to the use and disclosure of PHI for research purposes, healthcare entities and business associates would need to change their policies related to how they handle PHI.
"If the bill is enacted, it will not place additional responsibilities on covered entities and business associates. Rather, it will provide them with greater flexibility to use and disclose protected health information for research," says privacy attorney Adam Greene, partner at law firm Davis Wright Tremaine. "Covered entities and business associates who seek to take advantage of these changes would need to revise their policies and procedures accordingly." For instance, some covered entities also may need to revise their notices of privacy practices if their notices get into great detail on research, Greene notes.
Legislation that requires significant changes to the HIPAA privacy regulations could result in "significant administrative hurdles and burdens," Holtzman says.
"For example, if there would be significant changes to when healthcare providers and health plans can use or disclose PHI, they would be required under existing regulations to update their notices of privacy practices," he says. "As we saw with the implementation of the Omnibus Rule in 2013, there are significant costs in developing and distributing the notices."
If the legislation is approved, it could take some time for the privacy changes to affect healthcare providers and business associates.
"If the bill is passed into law - always a big if - it provides HHS with a year to implement the law through regulations," Greene notes. "Realistically, though, it may take far longer before HHS is able to publish a final rule."
Info Exchange Blocking Provisions
In addition to proposing less restrictive rules for healthcare entities to use or disclose PHI for research purposes, as part of the aim to remove various barriers to medical innovation, the 21st Century Cures legislation also promotes electronic health record interoperability and secure data transfer and discourages so-called "information blocking" that prevents patient data from being shared.
The bill calls for the Department of Health and Human Services to develop methods to measure whether EHRs and other health information technology are interoperable, and authorizes HHS to penalize EHR vendors with decertification of their products if their software fails to meet interoperability requirements.
Under the HITECH Act financial incentive program for "meaningful use" of EHRs, participating healthcare providers must attest to using software that has been certified as meeting ONC's criteria. Under the proposed bill, HHS would be able to "decertify" software that fails to meet interoperability requirements.
"Health information interoperability is fundamental to advancing healthcare," said Rep. Gene Green, D-Texas, during the May 14 house subcommittee markup hearing for the bill. The legislation provides HHS' Office of the National Coordinator for Health IT "the tools to hold EHR vendors accountable for interoperability," noted Rep. Doris Matsui, D-Calif.
But it's not just vendors that can be penalized under enforcement provisions of the bill. The measure also would allow HHS to impose civil monetary penalties on healthcare providers that engage in inappropriate blocking of information sharing.
ONC last month issued a report to Congress about information blocking by technology vendors and healthcare providers, noting that organizations sometimes intentionally and unreasonably block patient data from being shared. In some cases, the players are inappropriately invoking HIPAA privacy and security concerns, the report said (see Overcoming Health Info Exchange Blocking).
A Congressional source tells Information Security Media Group that the bill doesn't specify dollar figures for the potential civil monetary penalties. Rather, the amounts would follow "current parameters" for other enforcement activities at HHS' Centers for Medicare and Medicaid Services and Office of Inspector General.