Privacy experts worry 21st Century Cures Act could weaken HIPAA

Some patient privacy advocates worry the language in the revised 21st Century Cures Act could significantly weaken the HIPAA privacy protections for patient data, according to an article at

Most notably, the draft legislation, designed to accelerate the discovery, development and delivery of new drugs and treatments, would allow protected health information to be used for research purposes without patient consent as long as it's being used by covered entities or their business associates.

"Because PHI used for research could involve genetic information, the [research exemption] could potentially provide [use and disclosure] of information on the genetic traits of family members," privacy attorney David Holtzman told HealthcareInfoSecurity. "Once that data is out, you can't get it back."

Deborah Peel, M.D., founder of the advocacy group Patient Privacy Rights, said it's an especially bad idea, pointing out that there is "no 'chain of custody' for our health data. It's impossible to know where in the world it is or how it's being used."

Another provision in the draft bill would give researchers remote access to PHI maintained by a covered entity if "appropriate security and privacy safeguards are maintained by the covered entity and the researcher, and the protected health information is not copied or otherwise retained by the researcher."

In cases where the disclosure of PHI is to a researcher that is not a covered entity or business associate, the statute appears to allow covered entities to make the decision to grant remote access, rather than requiring it go through a review board, according to privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

The bill also appears to allow covered entities and business associates to receive payments in exchange for disclosing protected health information for research. As it stands now, payments are limited to the reasonable cost of preparing and transmitting PHI.

The bill's current language requires the changes to be made to HIPAA within 12 months of passage.

The American Medical Informatics Association (AMIA) has been lobbying for allowing the changes for certain types of "observational" research.

"The intent was never to open up all research and all data without patients' consent," AMIA president and CEO Douglas Fridsma told Healthcare Info Security.

Currently, patient PHI can be used without consent only for improving operations within a particular healthcare organization, but if an organization discovers a method--say a surgical checklist--that improves care for all patients, it cannot publish a paper on that without the consent of every patient studied, he explained.
