Shortly before the end of his term on December 13, 2016, President Obama signed the Twenty-First Century Cures Act into law. This legislation, designed to promote medical advancement, also contains several provisions that apply to protected health information (PHI) and HIPAA.
Earlier versions of the bill proposed including medical research under the blanket of “healthcare operations” under the HIPAA Privacy law. Doing so would have allowed PHI to be used and disclosed for medical research without requiring patient authorization.
This was changed, however, in the current version that was signed into law. Instead, it requires the U.S. Department of Health and Human Services (HHS) to assemble a working group to study and release a report on the use and disclosure of PHI for research. The report will include recommendations on whether HIPAA should be modified in this regard. The group will include representatives from federal agencies, as well as those who are involved in healthcare and research.
The Cures Act also directs HHS to release guidance clarifying that researchers may access PHI remotely from a covered entity’s electronic record system for research preparatory purposes, as long as safeguards are in place. Current HIPAA legislation states that PHI may not leave the covered entity’s premise, but the Cures Act modernizes this legislation since most providers now use digital patient records.
Additionally, HHS is instructed to release guidance on “streamlining” authorizations for using PHI for research.
Mental health is also addressed in the Cures Act. HHS is required to issue guidance regarding how health care professionals can use and disclose mental health information with patients’ caregivers and relatives. HHS is to develop training programs that address the use and disclosure of PHI of patients seeking mental health or substance abuse treatment.