21st Century Cures Act

Health information technology companies should carefully follow the 21st Century Cures Act, which passed the House of Representatives on July 10 with a vote of 344-77 and is now before the Senate for consideration. The bill aims “to accelerate the discovery, development, and delivery” of “innovative cures, treatments, and preventive measures.” This article describes provisions of the Act that have significant impacts on health information technology companies.

The Act would stimulate research with funding through the National Institutes of Health, and make research easier by removing certain HIPAA barriers to sharing health information for research purposes. The Act would result in revisions to HIPAA that: 1) clarify research as “health care operations,” which are an exception to the limitations on a covered entity’s right to use and disclose health information; 2) permit remuneration for health information for research purposes; 3) clarify permission for remote access to health information; and 4) allow patient authorizations for research with unlimited duration, subject to revocation by the patient.

The Act would also improve the FDA’s process to reduce the time for drug and device approval and for patient access to treatments. Part of the process improvement would be to exclude certain “health software” from FDA regulation, with limited exceptions. This would be good news for software companies, who need the clarification provided by the Act to know when they need to seek FDA approval.

The Act seeks to overcome interoperability problems that have plagued attempts to share health data by establishing interoperability standards, specifications, and certification criteria. In order to be interoperable, software must: 1) allow secure transfer of patient data, 2) allow access to the entirety of a patient’s available data authorized for use under applicable law without special effort, and 3) not be configured or implemented to engage in “information blocking.” Information blocking, which is the intentional interference with the ability to access, exchange, or use electronic health information without reasonable justification, has been a fairly recent focus for the government. See The Office of the National Coordinator for Health Information Technology, Report to Congress on Information Blocking, April 2015. Under the Act, software vendors could be fined and could lose their certification for the government’s electronic health record incentive program if they engage in information blocking. The Act also requires the Secretary to issue guidance to clarify the relationship between HIPAA privacy and security and information blocking.

Patient Data
Finally, the Act provides that it is the “sense of Congress” that in order for health information to be interoperable, patients have to be able to access all of their health information, including that which is stored in electronic format, both structured and unstructured. Patients should control their data, and should be able to share their data with any provider, health plan, researcher, etc. This would resolve competing claims of ownership of patient information between various providers, health plans, and others in the health care industry that exist today.