Healthcare Information Security

HIPAA and Compliance News

HIPAA Privacy Changes Not in Recent 21st Century Cures Act

Wording that would have allowed for changes to the HIPAA Privacy Rule was not included in the recently passed version of the 21st Century Cures bill.

By Elizabeth Snell

The House of Representatives passed the 21st Century Cures Act yesterday with a vote of 392 to 26. This latest version of the legislation did not include wording that could have made it possible to change the HIPAA Privacy Rule and potentially affect PHI sharing options.


A previous version of the bill stated that the Secretary of the U.S. Department of Health and Human Services could "revise or clarify" Privacy Rule provisions on how PHI was shared for research purposes.

The latest legislation instead calls for a working group “to study and report on the uses and disclosures of protected health information for research purposes” under HIPAA regulation.

“The working group shall conduct a review and submit a report to the Secretary containing recommendations on whether the uses and disclosures of protected health information for research purposes should be modified to allow protected health information to be available, as appropriate, for research purposes, including studies to obtain generalizable knowledge, while protecting individuals’ privacy rights,” the bill explains.

The working group will also need to consider the expectations and preferences on how an individual’s protected health information is shared and used, as well as relevant Federal and State laws.


Issues related to specific subgroups, such as children, incarcerated individuals, and individuals with a cognitive or intellectual disability that impacts their consenting capacity, will also need to be discussed by the work group.

Finally, the potential uses of the PHI and potential impacts of disclosure and non-disclosure of PHI on access to health care services will need to be reviewed.

Under HIPAA, providers can communicate with a patient’s family, friends, or others involved in their care or payment for care. However, there are requirements to ensure entities do not inadvertently withhold information or release too much.

“A covered entity must obtain the individual’s written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule,” HHS states on its website. “A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual granting an authorization, except in limited circumstances.”

The Privacy Rule also maintains that a covered entity does not need to obtain an individual’s authorization to use or disclose psychotherapy notes when the covered entity that originated the notes uses them for treatment.


Authorization is also not needed if a covered entity needs the psychotherapy notes for its own training or to defend itself in legal proceedings the individual in question brings forward.

The revised legislation also notes that there is some current confusion regarding permissible practices under HIPAA in terms of PHI. This confusion “may hinder appropriate communication of healthcare information or treatment preferences with appropriate caregivers.”

However, it used wording to show that clarification, and not necessarily change, is needed to help ensure proper patient care:

It is the sense of Congress that clarification is needed regarding the privacy rule promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d–2 note) regarding existing permitted uses and disclosures of health information by health care professionals to communicate with caregivers of adults with a serious mental illness to facilitate treatment.   

Other bill provisions include aiming to bring cures to diseases that afflict a significant population.


“This legislation will advance Vice-President Biden’s moonshot to find cures for cancer, President Obama’s Precision Medicine Initiative, and Alzheimer’s research – and it will help states in the fight against opioid abuse and the one in five adults in this country suffering from a mental illness,” said Lamar Alexander, chairman of the Senate committee on Health, Education, Labor, and Pensions. “It’s time for the Senate to deliver on the promise of 21st Century Cures for patients.”

Interoperability was also a key provision of the revised legislation. For example, the bill makes it a condition of health IT certification for 21st Century Cures programs that systems do not prohibit or restrict their interoperability with other technology, among other prohibitions and restrictions relating to health IT usability, security, and information exchange.

The Department of Health and Human Services (HHS) will also need to address the EHR Incentive Programs, Merit-based Incentive Payment Systems, Alternative Payment Models, the Hospital Value-Based Purchasing Program, and other value-based care programs to develop a strategy for assisting providers in care quality improvements in amended changes to the Health Information Technology for Economic and Clinical Health Act.
