On December 13, 2016, President Obama signed the 21st Century Cures Act (the Cures Act) into law. The Cures Act addresses a wide range of healthcare topics including clinical research, treatment of mental health and substance use disorders, and health information technology (HIT). A number of provisions of the Cures Act relate to the privacy of protected health information (PHI) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This article highlights several of these provisions, which will likely create new challenges for healthcare industry participants and, in some cases, provide relief from regulatory frustration.
Patient Access to PHI and Business Associates [1]
The Cures Act contains provisions intended to promote access by patients to their health records, including information contained in Electronic Health Records (EHR). In particular, the Cures Act adds a new subsection to the HITECH Act specifying that when a provider or other covered entity maintains patient records in an EHR, business associates may directly provide PHI to a patient or the patient’s designee in response to an access request from the patient. [2] Providers should review their existing business associate agreement templates to confirm that wording intended to promote coordination between the covered entity and business associate when responding to patient requests does not unintentionally conflict with this new statutory provision. Although it may be some time before additional guidance is provided in updated regulations, this section of the Cures Act does not depend on the Office for Civil Rights (OCR) issuing guidance or revised regulations.
The Cures Act also escalates existing tension between government initiatives intended to promote the efficient exchange of health information (such as the Meaningful Use program) and legal restrictions on disclosing PHI, including those prescribed by HIPAA. In most cases, HIPAA permits but does not require disclosures of PHI. In contrast, the Cures Act prohibits or restricts “information blocking” by providers, HIT developers, health information exchanges (HIEs) or networks. For healthcare providers, “information blocking” involves conduct known by the provider to be unreasonable and “likely to interfere with, prevent, or materially discourage access, exchange, or use of electronic health information.” The Cures Act authorizes the Inspector General of the U.S. Department of Health and Human Services (OIG) to investigate and penalize providers, HIT developers, HIEs or networks for information blocking. Providers may be faced with choosing between (1) disclosing PHI, with the risk of enforcement by OCR if the provider is viewed after the fact as having disclosed the PHI to the wrong recipient or without appropriately verifying the recipient’s authority to receive the PHI, and (2) declining to make a disclosure, with the risk of being second-guessed as unreasonable and facing enforcement by the OIG. The Cures Act authorizes the OIG to refer providers found to have engaged in information blocking to the appropriate agency for “appropriate disincentives” and allows the OIG to “consult” with OCR regarding HIPAA to resolve an information blocking claim. In contrast, developers, exchanges and networks may face penalties of up to $1,000,000 per violation. Time will tell how this provision will be enforced.
Studies and Guidance
The Cures Act requires the publication of various guidance and studies addressing patient privacy. For example, the Cures Act requires OCR to issue new guidance clarifying the circumstances in which providers can provide PHI to family members and caregivers of patients receiving mental health or substance abuse treatment. [4] The Cures Act also requires the U.S. Department of Health and Human Services (HHS) to evaluate the effect of changes made to the strict regulations governing the confidentiality of alcohol and drug abuse patient records found at 42 CFR Part 2 (commonly known as the Part 2 Regulations). [5]
The final version of the Cures Act establishes a working group to study and report on the use and disclosure of PHI for research purposes under HIPAA, requires HHS to issue guidance clarifying the “preparatory to research” portion of the HIPAA research exception to allow greater flexibility, and requires HHS to issue guidance related to authorizations to use and disclose PHI for research. These provisions appear to have replaced provisions in an earlier version of the Act that would have more broadly liberalized restrictions on the use and disclosure of PHI for research, including a provision that would have revised the definition of “health care operations” to include certain research and, as a result, would have allowed disclosure of PHI for research without patient consent. [6] The Cures Act also creates a HIT Advisory Committee that will issue recommendations focusing on the promotion and protection of privacy, including disclosure of and access to PHI under HIPAA. [7] Further, the Cures Act requires a Government Accountability Office (GAO) study on patient access to health information, including fees charged for record requests and third-party requests for PHI. [8]
Collectively, this guidance should be helpful for providers and others subject to HIPAA and other patient privacy laws. In most instances, publication and findings are not required for at least one year following enactment of the Cures Act. Those interested should stay tuned for final guidance to trickle in through 2017 and beyond.
Stricter Research Privacy Protections [9]
The Cures Act also establishes stronger privacy protections for individuals participating in research, including research involving mental health and the use of alcohol or other psychoactive drugs. Previously, the National Institutes of Health (NIH) would issue “certificates of confidentiality,” which protect the privacy of any information that may identify research subjects, only in limited circumstances. Unlike HIPAA, which generally allows disclosure of certain PHI in the course of judicial proceedings, certificates of confidentiality protect researchers from being required to release research subjects’ names or other identifying characteristics (e.g., address, social security number or photograph). The Cures Act will now require the NIH to automatically issue a certificate of confidentiality for all federally funded research; certificates will still be issued at the NIH’s discretion for research without federal funding. [10] The Cures Act clarifies that this information cannot be used in any legal or administrative proceedings without the consent of the individual subject. The Cures Act also expands the types of protected information to include other sensitive information if there is a “small risk” that current scientific practices would allow discovery of a research participant’s identity. [11]
[1] H.R. 34 at Sec. 4006.
[2] Id. at Sec. 4006(b); see also 45 CFR §164.524 (detailing the individual right to access PHI in a designated record set under HIPAA).
[3] Id. at Sec. 4004.
[4] Id. at Sec. 11003(b).
[5] Id. at Sec. 11002.
[6] H.R. 6 at Sec. 13442.
[7] H.R. 34 at Sec. 4003(e).
[8] Id. at Sec. 4008(a).
[9] Id. at Sec. 2012 and 2013.
[10] Id. at Sec. 2012.
[11] Id. at Sec. 2013.