21st Century Cures Act Proposes to Affect HIPAA Privacy Rule, PHI Restrictions, & ONC Certifications
On May 14, 2015, the House Energy and Commerce’s Health Subcommittee approved an amended version of the 21st Century Cures Act. This bill, which has been under development since April of 2014, was created with the intention of expediting research of and access to new medicines (especially for conditions that currently have no cures or effective treatments). The overhauled draft has now been forwarded on to the full committee, who have conducted their own markup of the bill and are scheduled to vote on it on May 21, 2015.
This bill, once passed, will activate a number of significant policy changes that are meant to expedite the development and release of new medical treatments, cures, and devices. It would affect a number of governmental agencies, including the NIH and FDA. Perhaps more importantly (to our readers, anyway), it will also have a direct effect on both Health IT vendors and healthcare providers alike by introducing new rules and provisions related to HIPAA, PHI, and interoperability.
This revised draft of the bill, as approved by the subcommittee, includes a proposal that would task the Secretary of Health and Human Services (HHS) with revising and clarifying certain provisions of the HIPAA Privacy Rule. More specifically, they are requesting revisions that would loosen restrictions on the release of Protected Health Information (PHI) for purposes of medical research. The primary intention behind these changes is to remove or loosen certain HIPAA Privacy Rule restrictions that could (or already do) slow down medical research development and/or delay the availability of new medical treatments and devices to those patients who need them.
There are, of course, those who oppose these changes. Many who advocate for patient privacy point to this revision as a potentially dangerous and slippery slope that will eventually lead to patients losing control over how their personal PHI is shared, used, or disclosed. They feel that the current HIPAA Privacy Rule should remain unchanged, and claim that any anticipated healthcare benefits would not be enough to outweigh the risks it would pose to patient privacy.
HIPAA Privacy Rule and PHI
The HIPAA Privacy Rule, in its current form, states that PHI may only be shared, used, or disclosed by a covered entity (without the expressed and written authorization of the patient) for purposes related to treatment, payment, and operations. This new revision of the rule, if passed into law, would remove the patient authorization requirement for the sharing, use, or disclosure of PHI by HIPAA-defined covered entities when that information is being used for purposes of medical research.
Interoperability
The amended 21st Century Cures Act also calls for HHS to develop a specific methodology for measuring the interoperability of EHR/EMR and other Health Information Technology (HIT). It also grants the HHS the authority to penalize vendors, up to and including the decertification of their products or services, if they fail to meet set interoperability standards. This is part of the ONC’s continuing effort to push for better and more widespread interoperability in the healthcare industry.
Some of you may remember (from a blog article I posted back in January) that the “Omnibus” federal funding bill passed by Congress back in December 2014 required the ONC to “submit a detailed report on the problem of information blocking, including an estimate of the number of vendors, eligible hospitals, and/or healthcare providers who participate in information blocking. This report is also supposed to include a proposal for a comprehensive strategy on how to address this issue and improve health information exchange.”
Well… they did just that.
Last month, the ONC handed over to Congress their report on how and why information blocking was being conducted by certain Health IT vendors and healthcare providers. Their report included a number of things that made certain folks in the healthcare industry rather unhappy. Turns out the report led the ONC to discover that a fair number of healthcare vendors and organizations have actually been intentionally participating in information blocking and have actively prevented the sharing of all patient data (even for what should’ve been considered valid and legal reasons). The report also states that the biggest information blockers have been, rather inappropriately, pointing to the HIPAA Privacy Rule, and related PHI security issues, as giving them the reason (and the legal right) for doing so. And it looks like these opponents to interoperability may soon regret that decision.
The abovementioned ONC report is one of the main reasons that the new draft of the 21st Century Cures Act now includes provisions that give the HHS and ONC a bunch of awesome new superpowers to help them combat this kind of healthcare information blocking.
ONC Certification Penalties
As you may know, all healthcare providers who attest to Meaningful Use are required to use software that has been certified by the ONC. Therefore, the HHS would be granted the authority to revoke the ONC certification of any HIT vendors found to be participating in information blocking. However, they’re not stopping at the HIT vendors. This new bill, if passed into law, would also give the HHS the power to inflict heavy monetary fines on any healthcare organization and/or providers who are caught participating in information blocking.
Of course, this new draft of the 21st Century Cures Act is still only a bill (here’s an explanation of how that whole process works, for those who need it, courtesy of Schoolhouse Rock). This thing is not yet a law, not by a longshot. There is also, of course, the small (though unlikely) possibility that it will never become a law. It’s more than likely that it will be passed (whether in whole or at least in a partial or revised form).
Keep in mind, however, that it will likely take months (perhaps even a year) for a final draft of this bill to finally be approved and brought before the Senate for a vote. After that, if it receives enough votes to pass, it could take the HHS as much as another year (or more) to actually plan for and implement the law’s various new regulations. If history teaches us anything, it’s that the wheels of bureaucracy often turn very slowly. So we probably still have plenty of time before we get to watch people have the usual round of unnecessary panic attacks that often seem to follow stuff like this.
For now, though, we all just need to be prepared for when and if these changes do go into effect.
And exactly when will that be, you ask?
Well… that is an excellent question.
Just stay tuned, boys and girls, and we will continue to post further developments as they occur.