Governance & Risk Management , HIPAA/HITECH , Privacy
House Committee OK's Bill Altering HIPAAResearch-Boosting Legislation Calls for Changing Privacy Rule
The 21st Century Cure bill, which aims to advance medical research and innovation, has passed another Congressional hurdle without any revisions to controversial provisions that call for significant changes to the HIPAA Privacy Rule.
By unanimous vote, the full House Committee on Energy and Commerce on May 21 approved the legislation that calls for the Secretary of Health and Human Services to "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes.
A version of the bill containing with the same HIPAA-related provisions was approved on May 14 by the committee's health subcommittee (see: Bill Altering HIPAA Privacy Rule Advances). Next, the legislation will head to the full House of Representatives.
Under the current HIPAA Privacy Rule, PHI is allowed be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If the proposed provision in the draft legislation is signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if covered entities or business associates, as defined under HIPAA, are involved.
That provision - as well as many others in the bill - aim to help speed up research that could lead to the availability of promising medical treatments and devices, in part, by removing barriers (see Health Research Bill Would Alter HIPAA).
But some privacy advocates are opposed to the HIPAA-related proposals because of the potential of watering down patient control over how sensitive health information is used or disclosed.
"There is good and bad in the provisions," says Michelle DeMooy, deputy director of the privacy project of the Center for Democracy & Technology.
"The bill addresses the big demand for researchers having access to PHI for medical research, and having their PHI used for research is something that many people generally want to do," she says. However, because the bill also promotes the advancement of personalized medicine, also known as precision medicine, that research undoubtedly will involve use of "highly sensitive, highly identifiable genetic data," which some patients will want more control over in terms of its use and disclosure, she says. "The patient control is being relaxed, yet it's unclear to me where the data will go," she says.
DeMooy says she'd like to see data de-identification requirements added to the legislation so that researchers "cannot identify or contact the people whose data they have."
A Closer Look?
Currently, there is no Senate version of the bill. However, if the House passes the legislation and sends it to the Senate, DeMooy says she anticipates that "some privacy champions" will take a closer look at the HIPAA privacy changes being proposed and their possible ramifications.
In addition to the privacy provisions, the bill calls for penalizing vendors of electronic health records systems and other health IT systems that fail to meet standards for interoperable and secure information exchange. Plus, the bill also contains provisions for potential civil monetary penalties against healthcare entities that inappropriately block information sharing (see Overcoming Health Info Exchange Blocking).