Today we published a post on the Covington eHealth blog regarding a recent report by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC). The ONC report highlights “large gaps” in policies and oversight surrounding access to and security and privacy of health information held
Paige Jennings is an associate in Covington’s Washington office. She works with the firm’s Federal–State Programs, Health Care, Antitrust, and Litigation practice groups. Ms. Jennings joined the firm after a number of years working on health policy matters in the government and private sectors. Prior to earning her law degree and Master of Public Affairs, she worked in the U.S. Senate for over four years, advising Senators John Breaux and Tom Carper on health and social policy matters. Ms. Jennings later handled federal health policy issues at WellPoint, Inc. During law school, she worked with the U.S. Office of Management and Budget during consideration of the Affordable Care Act, and with the Federal Trade Commission for then-Chairman Jon Leibowitz.
On September 8, 2015, sixteen federal agencies published a long-awaited Notice of Proposed Rulemaking (NPRM) to modernize the Federal Policy for the Protection of Human Subjects, known as the “Common Rule.” The proposal, available here, includes a number of changes related to privacy and data security and other changes relevant to entities seeking to conduct secondary research using collected data.
Continue Reading Proposed Rule Would Amend Federal “Common Rule” Requirements
As we discussed in two prior posts (here and here), the April 29, 2015, draft House 21st Century Cures bill would make several changes to federal health privacy law. This post focuses on provisions that would relax limitations on payment for PHI disclosed for research purposes and that would expand the purposes for which covered entities may disclose PHI to FDA-regulated entities without individual authorization. We also discuss several provisions included in a prior draft of the Cures bill that have been excluded from the April 29 draft.
Continue Reading Draft House Cures Legislation Would Amend Federal Privacy Laws (Third Post in a Series)
As we discussed in a prior post, the April 29, 2015, draft House 21st Century Cures bill would make several changes to federal health privacy law. This post focuses on provisions that would allow remote access to PHI for purposes preparatory to research and that would permit individuals to make a one-time authorization of the use and disclosure of their PHI for research purposes.
Continue Reading Draft House Cures Legislation Would Amend Federal Privacy Laws (Second Post in a Series)
On April 29, 2015, the U.S. House Energy and Commerce Committee released a revised discussion draft of the 21st Century Cures Act (“Cures”). The Cures bill would make several changes to existing federal privacy regulations promulgated under the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act. These changes would primarily affect the use and disclosure of protected health information (PHI) for “research purposes.” This post discusses a provision that would expand covered entities’ ability to use or disclose PHI for research purposes without authorization from the subject individual. Future posts will discuss provisions that would allow remote access to PHI for certain research purposes; allow a one-time authorization of the use and disclosure of PHI for research; eliminate limitations on remuneration for PHI disclosed for research purposes; and allow disclosure of PHI to FDA-regulated entities for research purposes such as comparative effectiveness analysis.
Continue Reading Draft House Cures Legislation Would Amend Federal Privacy Laws (First Post in a Series)
In response to the recent Ebola outbreak and other events, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has released guidance regarding the use and sharing of patient information in emergency situations. The guidance emphasizes that HIPAA requirements are not suspended during an emergency. However, the Privacy Rule includes several provisions that affect the use and disclosure of patient information in emergencies. Additionally, the Secretary of HHS may temporarily waive certain Privacy Rule provisions during emergencies, such as sanctions or penalties against providers that fail to comply with particular requirements. OCR has created an interactive, online decision-support tool to assist covered entities, business associates, and others in determining how information may be accessed, used, or disclosed consistent with the HIPAA Privacy Rule in emergency situations.