On December 13, 2016, President Obama signed the 21st Century Cures Act (“Cures Act”), Pub. L. 114-255, which aims to expand medical research and expedite the approvals of drug therapies for patients.  The Cures Act also contains several provisions related to the HIPAA Privacy and Security Rules.  None of these provisions make substantive changes to the HIPAA regulations at this time; in several instances, they direct the Secretary of Health and Human Services (“HHS”) to study whether the HIPAA regulations should be revised or clarified to remove any potential barriers to optimal patient care and communication or to the availability of patient information for medical research.

HIPAA and Mental Health

Title XI of the Cures Act is entitled “Compassionate Communication on HIPAA” and aims to clarify HIPAA’s requirements governing the delivery of mental health services. In Section 11002 of the bill, Congress directs HHS to convene “relevant stakeholders” to discuss the effect of HIPAA on mental health care.  The Cures Act specifies that such meeting shall occur no later than one year after HHS finalizes proposed updates to SAMHSA confidentiality rules governing mental health and substance abuse services.  We previously discussed the proposed changes to these rules on the Inside Privacy blog.

Congress also directs HHS to issue guidance that clarifies the circumstances under which HIPAA permits a covered entity to disclose information to family members and caregivers. This provision stems from a concern by Congress, expressed in the legislation, that “there is confusion in the health care community” regarding permissible practices under HIPAA that may hinder appropriate communication between health care providers and caregivers.

In addition, Congress directs HHS to develop model training programs that focus on permitted uses and disclosures of protected health information (“PHI”) of patients seeking or undergoing mental health or substance abuse treatment. The Cures Act specifically calls for HHS to consider the input of relevant organizations and associations–such as medical societies, licensing boards, and providers–in developing and reviewing these training programs.

HIPAA and Research

Section 2063 of the Cures Act directs HHS to issue guidance clarifying that HIPAA does not prohibit a covered entity’s granting remote access to PHI to a researcher for activities undertaken as reviews preparatory to research. (The current regulations provide that PHI may not be removed from the covered entity in the course of such review, and there had been some concern that remote access might be viewed as removing PHI from the covered entity.)  The Cures Act specifies that remote access to PHI must meet minimum safeguards consistent with HIPAA’s Privacy and Security Rules.

This section also directs HHS to issue guidance on “streamlining” authorizations for the use of PHI for research. In particular, the section directs that the guidance should address how valid authorizations should communicate whether PHI can be used for future research purposes.

Finally, Section 2063 directs HHS to convene a working group to study and report on the uses and disclosures of PHI for research purposes. The working group must include representatives from relevant federal agencies (NIH, CDC, FDA) as well as researchers, patients, health care providers, and experts in health care privacy, security, and technology.  The working group is expected to release a report on whether HIPAA should be modified to permit greater use of PHI for research purposes.