21st Century Cures Act Impacts Access, Uses and Disclosures under HIPAA


On December 13th, President Obama signed H.R. 34, the 21st Century Cures Act (“Cures Act”), into law. The bill provides funding and reform for drug and mental health research initiatives, and aims to strengthen treatment and resources for substance use disorders. The bill also contains a number of health IT provisions, especially with respect to electronic health records (EHRs), data interoperability, and information access. The implications of such provisions for the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are notable.

In large part, the provisions of the bill impacting HIPAA relate to development of a national information technology infrastructure, electronic health records, and data sharing. Therefore, they will be of primary interest to the Health IT and provider communities. However, two themes emerge from such provisions, which may impact – or at least interest – sponsors of group health plans: 1) Clarification on permitted uses and disclosures of PHI; and 2) Accessibility of PHI.

Clarification on permitted uses and disclosures of PHI

The Cures Act requires OCR to issue guidance clarifying the permitted uses and disclosures of PHI for purposes of communicating with family members, caregivers, and others involved in the care of a patient for mental health or substance use disorder treatment. While this clarification appears primarily directed toward providers, there could be changes broad enough to affect permitted uses and disclosures of PHI by employer-sponsored group health plans. Plan sponsors should be aware of this forthcoming guidance and review it for potential impact to their policies and procedures.

In addition, HHS is required to convene within 1 year of the date of enactment a Working Group on PHI to study and report on the uses and disclosures of PHI for research purposes. The report will contain recommendations on whether uses and disclosures of PHI for research purposes should be modified. Again, plan sponsors should be aware of this study, as there may be broader impacts to any resulting changes to current use and disclosure rules.

Accessibility of PHI

In order to promote awareness of an individual’s right to access their PHI, the Cures Act requires OCR to assist individuals and health care providers in understanding this right, which includes providing best practices for requesting PHI in a computable format.

For this purpose, the Cures Act amends existing provisions in HITECH to provide that if an individual makes a request to a business associate for access to, or a copy of, PHI about the individual, or if the individual makes a request to a business associate to grant access to or send a copy of the PHI to a third party, the business associate may provide the individual with such access or copy, which may be in an electronic form, or grant or transmit such access or copy to such person or entity designated by the individual.

Currently, most business associates are directed in their business associate agreements with covered entities to direct any request for access to PHI to the covered entity. The revised HITECH provision would permit business associates to respond directly to such requests. Plan sponsors may want to review and revise the terms of their business associate agreements if they wish to permit their business associates to respond directly to any individual access requests in accordance with this provision.


While the Cures Act doesn’t implement any immediate changes (except with respect to a Business Associate’s ability to directly respond to an individual’s request to access PHI), it is clear that current rules related to the privacy of PHI are being reviewed, and that future changes may be forthcoming. To what extent these changes will impact employer-sponsored health plans remains to be seen, but it will be important to monitor any developments nonetheless.