
Significant Changes to Health Information Technology Found in 21st Century Cures Act

On December 13, 2016, President Obama signed the 21st Century Cures Act ("Cures Act"), H.R. 34, into law. It enjoyed bipartisan support and was overwhelmingly approved by the House and Senate in recent weeks. The expansive law includes a myriad of provisions aimed at encouraging research and medical innovation. To advance these goals, the law contains a series of changes to existing law with regard to health information technology (HIT) and the privacy of health information that will affect a wide range of health care industry stakeholders, including almost all organizations subject to HIPAA.

Changes to HIPAA – Research Data

The Cures Act includes several directives to the Secretary of the Department of Health and Human Services ("Secretary") requiring clarification of privacy issues related to protected health information (PHI) used and disclosed as part of research. One such change will provide additional protection to sensitive PHI collected during research, such as mental health and substance abuse information. When federally funded research will involve identifiable sensitive information, the Secretary will be required to issue a certificate of confidentiality. Researchers issued certificates of confidentiality will be precluded from disclosing sensitive information without the patient's consent, except in limited circumstances, such as when required by law, when necessary to treat the individual, or for other research conducted in compliance with federal regulations. Information subject to a certificate of confidentiality would be immune from legal process and inadmissible in judicial or administrative proceedings without the individual's consent. The Secretary will also be permitted to issue certificates of confidentiality for privately funded research based on an application process. Organizations engaged in research should be amending their policies and procedures accordingly.

Modified HIPAA regulations and guidance concerning research are likely forthcoming as well. The law directs the Secretary to issue guidance clarifying that remote access to data by researchers is permissible under HIPAA, subject to certain conditions. The Secretary is further directed to clarify what is required for an authorization to permit use and disclosure of PHI for future research in guidance to be issued within one year. A prior version of the bill also included more expansive provisions that would have required revision of the HIPAA regulations to place uses and disclosures for research under the definition of health care operations. However, the version of the bill ultimately passed instead requires the Secretary to establish a working group of relevant stakeholders to study the relationship between HIPAA and research. The working group will issue a report with recommendations on potential modifications to HIPAA requirements that make PHI more available for research, while maintaining adequate protection of individual privacy.

Mental Health and Substance Abuse

Clarification of permitted uses and disclosures of mental health and substance abuse treatment information is also addressed. The Secretary, in connection with the Office for Civil Rights, is directed to issue new guidance that provides a road map to help health care providers understand when and what they can communicate to family members and caregivers of individuals receiving mental health or substance abuse treatment.

With regard to electronic health records (EHRs), regulatory changes will be implemented to encourage interoperability, develop standards and prevent so-called "information blocking." The law directs the Secretary, in consultation with relevant stakeholders, to create a goal and strategy regarding the reduction of regulatory and administrative burdens related to the use and implementation of EHRs.

The law also requires development of a voluntary model framework and common agreement to encourage the secure exchange of health information between networks. The Secretary is instructed to defer to standards developed in the private sector and create a digital health care provider directory to facilitate information exchange. The Cures Act provides $15 million for creation of a grant program to engage independent entities in creating a reporting system to gather information from stakeholders about EHR use, interoperability and security issues.

To combat attempts to restrict information access, new enforcement authority is given to the Office of the Inspector General (OIG), allowing it to penalize developers of HIT and providers that attempt to block or restrict access and exchange of information. The Secretary will issue regulations implementing this authority, which may include imposition of civil monetary penalties up to $1 million for committing "information blocking."

Medical Software Regulation

The regulation of medical devices by the Food and Drug Administration (FDA) continues to be an evolving issue for the government. In an attempt to create some additional clarity, the Cures Act includes provisions excluding certain categories of medical software believed to have low risk for patients from FDA regulation as medical devices. Five categories of software are excluded from regulation as a "device," including certain administrative software for health care providers and software designed to encourage healthy lifestyle choices, such as fitness trackers, if the software meets specifically delineated criteria. However, under the new provisions, the FDA retains authority to regulate software in these categories if safety concerns are discovered.
