Earlier this month, an act with the intent to lighten restrictions on the use and exposure of protected health information for research motivations was passed through the United States House of Representatives called the 21st Century Cures Act.
Presently, the HIPAA Privacy Rule allows the use and exposure of protected health information for research purposes without the necessity of authorization from the patient but does mandate any waiver of the authorization stipulation be approved by an institutional review or privacy board.
This amendment to the Health Information Technology for Economic and Clinical Health (HITECH) obligates the Secretary of the Department of Health and Human Services to revise/elucidate the HIPAA Privacy Rule to:
- Permit the utility and exposure of protected health information by a covered entity for the purposes of research to be considered the entity’s “health care operations”
- Allow research activities that are in relation to quality, safety, or effectiveness of a product or activity that is managed by the Food and Drug Administration to be regarded public health activities so that the activities can be imparted to a person subject under the FDA’s jurisdiction of the purposes of gathering or announcing adverse events, tracking FDA regulated products, enabling product recalls, or mending/undergoing post-marketing surveillance.
- Enable removed access to protected health information as long as the covered entity and researcher preserve appropriate security and privacy safeguards and the protected health information is not plagiarized or otherwise held by the researcher.
- Identify that an authorization for the utility and exposure of protected health information for forecasted research purposes. is believed to sufficiently describe the purpose of the utility or exposure of protected health information if the authorization 1) adequately describes the purposes as that if would be appropriate for the patient to expect their protected health information could be used or exposed for stated future research, and 2) clarifies that the permissions will either expire on a specified date or event, or will remain valid unless revoked by the individual.
This new legislation will also call for the Office of the National Coordinator for Health Information Technology to publicize clarification for the HIPAA Privacy and Security Rules in regards to information blocking, including any business or technical practices that prevent or materially discourage the transmission of electronic health information and do now serve the purpose to guard safety, keep privacy and security of patients’ health information or promote competition and consumer welfare.
This Act is on its way to the Senate, which is presumed to take the legislation on this fall. Many groups are also in support of the new proposed laws, including the Association of American Medical Colleges and the Pharmaceutical Research and Manufactures of America.
Are you a HIPAA expert? Want to be one? Find out all you need to know from our HIPAA resources page written by the team of HIPAA compliance experts here at Datica.