Anna Kraus and Paige Jennings write:
As we discussed in a prior post, the April 29, 2015, draft House 21st Century Cures bill would make several changes to federal health privacy law. This post focuses on provisions that would allow remote access to PHI for purposes preparatory to research and that would permit individuals to make a one-time authorization of the use and disclosure of their PHI for research purposes.
Remote Access for Purposes Preparatory to Research
Section 1124 of the Cures bill would add a new section 13444 to the HITECH Act to modify the rules governing the use and disclosure of PHI for purposes preparatory to research. Current law allows covered entities to use or disclose PHI for such purposes as long as no PHI is removed from the covered entity by the researcher. The Cures bill would permit researchers to “remote[ly] access” health information, as long as the covered entity and researcher maintain “appropriate security and privacy safeguards” and the PHI “is not copied or otherwise retained by the researcher.” The draft bill does not define what it means to “copy” or “retain” PHI, or for example, whether the temporary caching of files on a remote portal would violate the new requirements.
Read more on Covington & Burling Inside Privacy.