4 security concerns with 21st Century Cures Act

Last week, the House passed the 21st Century Cures Act, a bill supporting healthcare innovation infrastructure. The bill is widely heralded for extending funding for the National Institutes of Health by $8.75 billion over the next five years to support biomedical research. However, a handful of HIPAA provisions in the bill may be cause for concern.

Kirk Nahra, a privacy attorney, spoke with Healthcare Info Security to discuss four key privacy concerns in the 21st Century Cures Act. Of the four provisions, Mr. Nahra says two are limited with smaller impact, and the other two are more complicated and raise questions about whether they address problems with the privacy rules.

The first concern, Mr. Nahra said, is the premise that the HIPAA privacy rule is impeding the ability to do healthcare research, which he said is a questionable statement. "There was this sense that we need to make information more available for research purposes. In the first provision dealing with research, what it does is it will open up the ability of healthcare providers and health insurers to share information for research purposes with other healthcare providers and other health insurers. There's some complexity there," Mr. Nahra said. "I think the real question is one, how much value will there be, and two, are there privacy concerns that are raised with that."

Mr. Nahra said the second provision appears to allow disclosures of information for research purposes to pharmaceutical companies and device manufacturers. What's more, it appears to allow them to pay unlimited amounts to obtain that data, even though paying for health data typically is not permitted. "That's a real complicated provision and it's creating some significant potential privacy concerns there," he said.

Thirdly, current provisions in the HIPAA rule make it easier for researchers to get access to information to develop study protocols. While researchers have to follow a full set of rules to conduct the research, there are limitations on the ability to look at data to prepare a research protocol. Mr. Nahra said these rules were written back when the healthcare industry was still working with paper records instead of electronic ones, and now the industry wants to make sure researchers can access that same information electronically. "Good idea, helpful idea, not that complicated, and not particularly controversial," he said. "We can debate whether it's going to make a lot of difference, but the impact will be positive, whatever that impact is."

The fourth concept centers on authorizations. A core HIPAA concept is that research is only done with patient authorization, and historically the rules have largely been read to indicate patient authorization is only applicable for a particular research project. The new bill proposes allowing patients to give a one-time authorization for future research studies, Mr. Nahra said. "Which I think again will make information more easily available for those patients that want to make it available on a broader basis. [It] certainly will help, certainly will make some things easier. Not clear how broad that is just because it assumes there is information about particular patients that will be used or multiple studies. That may not in fact be the case for a lot of people," Mr. Nahra said.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.

 
