Privacy and Security Impacts of the 21st Century Cures Legislation
The 21st Century Cures bill is not about privacy. It is about medical innovation and faster drug approval and health care technology and mental health. As President Obama said in signing the bill, “We are bringing to reality the possibility of new breakthroughs to some of the greatest health challenges of our time.”
It is also a very important and wide-ranging bill. It covers dozens of topics in the health care field, some large, some small, some subtle, some not very well understood. According to CBS News and the Center for Responsive Politics, the 21st Century Cures Act is also one of the most lobbied pieces of legislation in recent history. The Center for Responsive Politics said that more than 1,455 lobbyists representing 400 companies made their case for or against the Cures Act. “That adds up to three lobbyists for every lawmaker on Capitol Hill.” My take — health care lawyers and lobbyists will be dealing with Cures for the next five years at least.
While privacy and security are clearly not the focus of the legislation, there are a handful of privacy-related provisions that will impact certain elements of the health care privacy world. There is also a constant reminder throughout the law of the importance of personal data in all aspects of health care and the public interest in appropriate utilization of this information.
First, let’s get the easy part out of the way. The original Cures bill that passed the House of Representatives contained a provision — little noticed and even less understood — that would have been terrible for individual privacy. No one clearly took responsibility for authoring this provision and hardly anyone on the Hill could explain it or knew it was there. The provision — when you pieced all the parts together — would essentially have allowed pharmaceutical companies to buy individually identifiable health information — without any limits on payment — for anything they determined was research or public health purposes. This would have created a massive hole in the privacy protections of the HIPAA structure. This provision never got traction in the Senate, and disappeared from the final legislation. Good riddance.
What remained on privacy has less overall impact. We may see some small and carefully tailored changes. We may see some additional guidance from the HHS Office for Civil Rights. We may see some broader overall changes in medical research privacy provisions (most of which were already underway). We may also see broader HIPAA reform efforts if OCR is forced to delve into HIPAA changes (but there’s a long way to go before we get there).
So what are the details?
First, Cures gives medical researchers the ability to review certain data remotely in order to develop research protocols. Today, they have the right to go on site and look at paper records. This provision takes the simple but logical additional step of moving closer to the end of the 20th century by allowing remote access, with appropriate security. (Oddly, the law requires the covered entity (often a hospital) to have appropriate security, even though HIPAA already requires that of them. Oh well.) A good step, but not very important or significant.
The law also requires certain steps from OCR in connection with mental health patients. The law asserts that “There is confusion in the health care community regarding permissible practices [under HIPAA]” and that “This confusion may hinder appropriate communication of health care information or treatment preferences with appropriate caregivers.” There is a “sense of Congress” that “clarification is needed regarding the privacy rule … regarding existing permitted uses and disclosures of health information by health care professionals to communicate with caregivers of adults with a serious mental illness to facilitate treatment.” The law requires OCR to issue new guidance on these issues (which will mainly serve to explain the professional discretion that is built into the rule today), creates some new working groups on these issues, and even sets aside federal money for model training programs. This is an elaborate solution where there isn’t a clear problem, but it raises no real concerns other than a question as to whether this is time and money well spent.
There’s also a lot of discussion of privacy issues in connection with research activities. There clearly has been confusion in the field about the interplay of HIPAA and the federal “Common Rule” governing research studies. More guidance may be useful, and the review boards that evaluate privacy compliance need to better understand how privacy can be protected in reasonable ways. With that said, the Cures bill does a couple of things. For the Precision Medicine Initiative and research in general, the law creates a new “certificate of confidentiality” process to protect privacy in the research field (sort of a “mini-HIPAA” that applies to researchers generally not covered by the HIPAA Rules). The law also requires more guidance in connection with patient authorizations under HIPAA for research purposes (which OCR has given before).
On a broader level, the law requires HHS to “convene a working group to study and report on the uses and disclosures of protected health information for research purposes [under HIPAA.]” This working group will review how the HIPAA rules work for research (presumably in connection with both the Common Rule and the ongoing rulemaking proceeding to modify the Common Rule to make it more consistent with HIPAA), and will make recommendations for desired changes, if any. We don’t often see a lot of specific changes resulting from these working group efforts, and any change will at a minimum take a couple of years, but this effort certainly may be worthwhile to ensure that privacy details do not adversely impact important healthcare research – where the standards can and should both reasonably protect privacy and permit appropriate research.
There is a variety of other provisions that can impact privacy going forward. There is a requirement for a new study to address “patient matching,” a topic that generates disproportionate concern about privacy even in the face of important data indicating that mis-matching of patients causes meaningful medical errors. There is another required study on individual access to medical records (even though this topic has been addressed several times in regulations and guidance). There are instructions to address concerns about information blocking in electronic health records – where business tensions and other concerns sometimes prevent the appropriate flow of patient data. There are more instructions to the Office of the National Coordinator (an office rumored to be on the budget chopping block in any event) to create new “trusted exchange frameworks” for the exchange of electronic medical records, even though these efforts have been undertaken in the past. There is a real tension in the bill between concerns about over-regulation of electronic records and interoperability on the one hand, and instructions to new working groups and others to create new and improved regulations on the other. But, so it goes.
So, we have an enormous bill for the health care and pharmaceutical industries, with impact across a wide variety of interested audiences. There are specific privacy issues that will be addressed over the next year, and a broader array of situations where the law demonstrates how important personal data is to healthcare measurement, new technology and health care research. We can only hope that the new administration will be able to assess these challenging issues with a careful and thoughtful eye, ideally relying on experts with a broad understanding of both privacy and the healthcare industry to develop reasonable solutions to any problems that do in fact exist.
It’s not clear that the legislation is well tailored to find specific solutions to actual problems, but there are smart, talented experts in government today who can ensure that we don’t take any wrong steps in this area and that the best opportunities to achieve 21st Century Cures can be realized.