Analyzing 'Cures' Bill's Privacy Impact

Privacy attorney Kirk Nahra says largely overlooked provisions in the 21st Century Cures bill recently passed by the U.S. House of Representatives could have a significant impact on patient privacy.

The 309-page bill, now heading to the Senate, primarily aims to speed up the development of promising medical treatments for patients. But it contains four privacy-related provisions, including proposals calling for changes to the HIPAA Privacy Rule (see Bill That Changes HIPAA Passes House).

The bill calls upon the Secretary of Health and Human Services to "revise or clarify" the HIPAA Privacy Rule's provisions on the use and disclosure of protected health information for research purposes. Currently under HIPAA, protected health information is allowed to be used or disclosed by a covered entity for healthcare treatment, payment and operations without authorization by the patient. If the proposed legislation is eventually signed into law, patient authorization would not be required for PHI use or disclosure for research purposes if covered entities or business associates, as defined under HIPAA, are involved in exchanging and using the data.

"The concern [addressed in the bill] is that that the HIPAA Privacy Rule is somehow impeding the ability to do healthcare research," says Nahra, a partner at law firm Wiley Rein, in an interview with Information Security Media Group. "First of all, that's a questionable statement. People have a variety of perspectives on whether the rule is helpful, harmful, or neutral. So there was this sense that we need to make information more available for research purposes."

Experts are now analyzing the complexities of the legislation to determine how much value there is in that provision and whether it raises privacy concerns," he says.

A second provision allows disclosures of health information for research purposes to pharmaceutical companies and medical device manufacturers, which are regulated by the Food and Drug Administration. The provision "seems to allow [these companies] to pay an unlimited amount [of money] to obtain that data," he says. "Usually you can't pay for protected health information, so that's a really complicated provision and it's creating some significant potential privacy concerns."

Another provision of the bill would make it easier for medical researchers to access health information electronically in order to develop research study protocols. And a fourth provision deals with allowing patients to give one-time authorization for their information to be used in all appropriate research studies.

In the interview, Nahra also discusses in detail:

• The complexity of the bill's privacy provisions, which leads to uncertainty about their impact;
• The potential privacy and security risks posed to patient genomic data as genomic testing becomes more widely used; and
• The likelihood that the privacy provisions will be approved by the Senate and signed into law.

As a partner at law firm Wiley Rein, Nahra specializes in privacy and information security issues, along with other healthcare, insurance fraud and compliance issues. He's a long-time member of the board of directors of the International Association of Privacy Professionals and was co-chair of the Confidentiality, Privacy and Security Workgroup, a former panel of government and private-sector privacy and security experts advising the American Health Information Community on privacy and security issues.