Privacy & Information Security Law Blog

On July 10, 2015, the United States House of Representatives passed the 21st Century Cures Act (the “Act”), which is intended to ease restrictions on the use and disclosure of protected health information (“PHI”) for research purposes.

Currently, the HIPAA Privacy Rule permits the use and disclosure of PHI for research purposes without requiring authorization from an individual but does require that any waiver of the authorization requirement be approved by an institutional review board or a privacy board.

The Act amends the Health Information Technology for Economic and Clinical Health (“HITECH”) Act to obligate the Secretary of the Department of Health and Human Services to revise or clarify the HIPAA Privacy Rule to:

• Allow the use and disclosure of PHI by a covered entity for research purposes to be treated as that entity’s “health care operations.”
• Enable research activities that are related to the quality, safety, or effectiveness of a product or activity that is regulated by the Food and Drug Administration (“FDA”) to be considered public health activities so that the activities can be disclosed to a person subject to the FDA’s jurisdiction for the purposes of collecting or reporting adverse events, tracking FDA-regulated products, enabling product recalls or repairs or conducting post-marketing surveillance.
• Permit remote access to PHI so long as the covered entity and researcher maintain “appropriate security and privacy safeguards” and the PHI is “not copied or otherwise retained by the researcher."
• Specify that an authorization for the use or disclosure of PHI for future research purposes is deemed to sufficiently describe the purpose of the use or disclosure of PHI if the authorization (1) sufficiently describes the purposes such that it would be reasonable for the individual to expect that the PHI could be used or disclosed for such future research, and (2) states that the authorization will either expire on a particular date or at a particular event or will remain valid “unless and until it is revoked by the individual.”

The Act also requires the Office of the National Coordinator for Health Information Technology to publish guidance that clarifies the HIPAA Privacy and Security Rules with respect to information blocking, which includes any business or technical practices that “prevent or materially discourage the exchange of electronic health information” and “do not serve to protect patient safety, maintain the privacy and security of individuals’ health information or promote competition and consumer welfare.”

The Act, which garnered widespread bipartisan support, now moves to the Senate, which is expected to take up the legislation this fall.

Several groups, including the Pharmaceutical Research and Manufacturers of America and the Association of American Medical Colleges, support the 21st Century Cures Act.