Text: S.2141 — 114th Congress (2015-2016)

There is one version of the bill.

Introduced in Senate (10/06/2015)


114th CONGRESS
1st Session
S. 2141


To amend the Public Health Service Act with respect to health information technology.


IN THE SENATE OF THE UNITED STATES

October 6, 2015

Mr. Cassidy (for himself and Mr. Whitehouse) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions


A BILL

To amend the Public Health Service Act with respect to health information technology.

Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled,

SECTION 1. Short title.

This Act may be cited as the “Transparent Ratings on Usability and Security to Transform Information Technology Act of 2015” or the “TRUST IT Act”.

SEC. 2. Definitions.

Section 3000 of the Public Health Service Act (42 U.S.C. 300jj) is amended—

(1) by redesignating paragraphs (10) through (14) as paragraphs (12) through (16), respectively; and

(2) by inserting after paragraph (9) the following:

“(10) INFORMATION BLOCKING.—The term ‘information blocking’ means, with respect to the development, configuration, implementation, and use of qualified electronic health records and other health information technology, business, technical, and organizational practices that—

“(A) except as required by law, prevent or materially discourage the access, exchange, or use of electronic health information; and

“(B) the person knows or should know (as defined in section 1128A(i)(7) of the Social Security Act) are likely to interfere with the access, exchange, or use of electronic health information.

“(11) INTEROPERABILITY.—The term ‘interoperability’ means the ability of 2 or more health information systems or components to exchange clinical and other information and to use the information that has been exchanged using common standards to provide access to longitudinal or requested information to health care providers, patients, and other authorized users when such persons need such information in order to facilitate coordinated care and improved patient outcomes.”.

SEC. 3. Enhancements to testing and certification.

Section 3001(c)(5) of the Public Health Service Act (42 U.S.C. 300jj–11) is amended—

(1) in subparagraph (A)—

(A) by striking “The National Coordinator” and inserting the following:

“(i) VOLUNTARY CERTIFICATION PROGRAM.—The National Coordinator”; and

(B) by adding at the end the following:

“(ii) TRANSPARENCY OF PROGRAM.—

“(I) IN GENERAL.—To enhance transparency in the compliance of health information technology with certification criteria adopted under this subtitle, the National Coordinator, in coordination with authorized certification bodies, may make information demonstrating how health information technology meets such certification criteria publicly available. Such information may include summaries, screenshots, video demonstrations, or any other information the National Coordinator determines appropriate.

“(II) PROTECTION OF PROPRIETARY INFORMATION.—Nothing in this paragraph shall be construed to require the release of trade secrets or any other protected intellectual property.”;

(2) in subparagraph (B), by adding at the end the following: “Beginning 18 months after reporting criteria are finalized under section 3009A, certification criteria shall include, in addition to criteria to establish that the technology meets such standards and implementation specifications, criteria consistent with section 3009A(b) to establish that technology meets applicable security requirements, incorporates user-centered design, and achieves interoperability.”; and

(3) by adding at the end the following:

    “(C) CONDITIONS OF CERTIFICATION.—Beginning 1 year after the date of enactment of the TRUST IT Act, the Secretary shall require that each vendor of health information technology and entity seeking certification of health information technology, as a condition of certification and maintenance of certification of such technology, provide to the Secretary an attestation that—

    “(i) the vendor or entity, unless for a legitimate purpose specified by the Secretary, has not taken and will not take any action that constitutes information blocking with respect to health information technology;

    “(ii) the vendor or entity will not engage in business practices or impose binding business relationship obligations that seek to intentionally limit communication between health information technology users and an authorized certification body regarding the usability, interoperability, security, business practices, or other relevant information about the health information technology or users’ experience with the health information technology; and

    “(iii) health information from such technology may be exchanged, accessed, and used through the use of application programming interfaces and other standards without special effort, as authorized under applicable law.

    “(D) INSPECTOR GENERAL AUTHORITY.—

    “(i) IN GENERAL.—The Inspector General of the Department of Health and Human Services may investigate any claim that—

    “(I) a vendor of, or other entity offering, certified health information technology—

    “(aa) violated an attestation made under subparagraph (C); or

    “(bb) engaged in information blocking with respect to the use of such health information technology by a health care provider, unless for a legitimate purpose specified by the Secretary;

    “(II) a health care provider engaged in information blocking with respect to the use of certified health information technology, unless for a legitimate purpose specified by the Secretary;

    “(III) a health information system provider engaged in information blocking with respect to the use of such certified health information technology, unless for a legitimate purpose specified by the Secretary.

    “(ii) PENALTY.—Any person or entity determined by the Inspector General to have committed an act described in subclause (I), (II), or (III) of clause (i) shall be subject to a civil monetary penalty of not more than $10,000 for each such act. The provisions of section 1128A of the Social Security Act (other than subsections (a) and (b)) shall apply to a civil money penalty applied under this subsection in the same manner as such provisions apply to a civil money penalty or proceeding under section 1128A(a).”.

SEC. 4. Health information technology rating program.

Subtitle A of title XXX of the Public Health Service Act (42 U.S.C. 300jj–11 et seq.) is amended by adding at the end the following:

“SEC. 3009A. Health information technology rating program.

“(a) Establishment.—Not later than 180 days after the date of enactment of the TRUST IT Act, the Secretary shall recognize a development council made up of one representative from each of the accredited certifying bodies accredited by the Office and the testing laboratories accredited under section 13201(b) of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17911(b)), and one representative from the Office of the National Coordinator, for the purpose of establishing a health information technology rating program to evaluate, based on the methodology established under subsection (d), the field performance of certified health information technology with regard to interoperability, usability, and security, in accordance with the following:

“(1) 1 STAR RATING.—Certified health information technology shall receive a 1 star rating if an authorized certification body determines that the health information technology is less than satisfactory.

“(2) 2 STAR RATING.—Certified health information technology shall receive a 2 star rating if the authorized certification body determines that the health information technology is satisfactory.

“(3) 3 STAR RATING.—Certified health information technology shall receive a 3 star rating if the authorized certification body determines that the health information technology is excellent.

“(b) Reporting criteria.—

“(1) Not later than 1 year after the date of enactment of the TRUST IT Act, the Secretary, in consultation with the development council described in subsection (a), shall convene stakeholders as described in paragraph (2) for the purpose of developing the reporting criteria in accordance with paragraph (3).

“(2) DEVELOPMENT OF REPORTING CRITERIA.—The reporting criteria under this subsection shall be developed through a public, transparent process that reflects input from relevant stakeholders, including—

“(A) primary care and specialty care health care professionals;

“(B) hospitals;

“(C) health information technology vendors;

“(D) advocates for patients or consumers;

“(E) data sharing networks, such as health information exchanges;

“(F) authorized certification bodies and testing laboratories;

“(G) security experts; and

“(H) other entities or persons, as the Secretary, in consultation with the development council, determines appropriate.

“(3) CONSIDERATIONS FOR REPORTING CRITERIA.—The reporting criteria developed under this subsection—

“(A) may include measures that reflect categories including, with respect to the technology—

“(i) security;

“(ii) usability and user-centered design;

“(iii) interoperability;

“(iv) conformance to certification testing; and

“(v) other categories as appropriate to measure the performance of health information technology;

“(B) may include measures such as—

“(i) enabling the user to order and view the results of laboratory tests, imaging tests, and other diagnostic tests;

“(ii) submitting, editing, and retrieving data from registries for quality of care, such as physician registries;

“(iii) accessing and exchanging information and data from medical devices;

“(iv) accessing and exchanging information and data held by Federal, State, and local agencies and other applicable entities useful to a health care provider or other applicable user in the furtherance of patient care;

“(v) accessing and exchanging information from other health care providers or applicable users;

“(vi) accessing and exchanging patient generated information;

“(vii) providing the patient with a complete copy of their electronic record in a computable format; and

“(viii) other appropriate functionalities; and

“(C) shall be designed to ensure that small and start up vendors of health information technology are not unduly disadvantaged by the reporting criteria or rating scale methodology.

“(4) PUBLIC COMMENT.—The Secretary shall conduct a 60-day public comment period during which any member of the public may provide comments on the proposed reporting criteria and the methodology for authorized certification bodies to use in determining the star ratings. The Secretary shall provide timely responses to such comments before issuing a final rule.

“(5) MODIFICATIONS.—After the reporting criteria have been established, the Secretary, in consultation with the development council, may convene stakeholders and conduct a public reporting period for the purpose of modifying the reporting criteria developed in this subsection and methodology for determining the star ratings proposed under subsection (d).

“(6) CONSIDERATION OF DEVELOPMENT COUNCIL RECOMMENDATIONS.—In promulgating final rules under this subsection, including modifications to such rules under paragraph (5), the Secretary may accept or reject the recommendations of the development council, but may not promulgate a rule that does not represent a complete recommendation of such council.

“(c) Collection of feedback.—The Secretary, in consultation with the development council, shall establish a process for authorized certification bodies to collect and verify confidential feedback from—

“(1) health care providers, patients, and other users of health information technology on the usability, security, and interoperability of health information technology products; and

“(2) vendors or other entities offering health information technology on practices of health information technology users that may inhibit interoperability.

“(d) Methodology.—The Secretary, in consultation with the development council, shall develop a methodology for authorized certification bodies to use to calculate the star ratings for certified health information technology described in subsection (a). The methodology shall use the reporting criteria developed in subsection (b) and confidential feedback collected under subsection (c).

“(e) Participation.—Each vendor of, or entity offering, health information technology that is certified under section 3001(c)(5) of the Public Health Service Act after the date of enactment of the TRUST IT Act shall report on the criteria developed under subsection (b) on the date that is 2 years after such certification and every 2 years thereafter.

“(f) One star rating.—Each vendor of, or entity offering, health information technology that receives a 1 star rating shall take action, through a corrective action plan developed with the authorized certification body and approved by the Secretary, to improve the health information technology rating within a timeframe that the Secretary determines appropriate.

“(g) Enforcement authorities.—

“(1) IN GENERAL.—The Secretary may assess fines on any vendor of, or entity offering, certified health information technology and decertify health information technology in accordance with paragraphs (2) and (3).

“(2) FINES.—

“(A) IN GENERAL.—The Secretary may assess fines against such a vendor or entity if the vendor or entity—

“(i) does not meet the requirements of the corrective action plan described in subsection (f);

“(ii) does not improve from a one star rating in accordance with subsection (f); or

“(iii) does not report on criteria in accordance with subsection (e).

“(B) FINE AMOUNTS.—Not later than 1 year after the date of enactment of the TRUST IT Act, the Secretary shall establish fine amounts for violations of clauses (i), (ii), and (iii) of subparagraph (A). In setting such amounts, the Secretary shall consider the amounts necessary to reimburse, in part or in full, the users of decertified health information technology for the amounts invested in purchasing new certified health information technology, as applicable.

“(3) DECERTIFICATION.—The Secretary may decertify health information technology if—

“(A) the health information technology does not improve from a one star rating within the timeframe established under subsection (f);

“(B) does not report on criteria in accordance with subsection (b); or

“(C) in other circumstances, as the Secretary determines appropriate.

“(h) GAO reports.—The Comptroller General of the United States shall submit to Congress a report every 4 years on the rating scale methodology developed pursuant to subsection (b), providing observations on the appropriateness of the current methodology and recommendations for changes to the methodology.

“(i) Internet Website.—The Secretary shall publish the star rating for each certified health information technology and methodology to determine the star rating on the Internet website of the Office of the National Coordinator. Following the biannual reporting described in subsection (e), authorized certified bodies shall have 30 days to calculate and submit updated ratings to the Secretary, and updated ratings shall be published on such Internet website not later than 30 days following such submission.

“(j) User compensation fund.—The Secretary shall establish a revolving user compensation fund in which amounts collected under subsection (g)(2) shall be directed and used to assist users of health information technology that are decertified under subsection (g)(3) to reimburse users for the costs of purchasing new certified health information technology products.

“(k) Hardship exemption.—The Secretary shall, on a case-by-case basis, exempt an eligible professional, eligible hospital, or critical access hospital from the application of the payment adjustment under the Meaningful Use of Certified EHR Technology program under sections 1848(a)(7)(A), 1886(b)(3)(B)(ix)(I), and 1814(l)(4), respectively, of the Social Security Act for 1 year if the eligible professional, eligible hospital, or critical access hospital uses health information technology that becomes decertified under subsection (g)(3), to help such eligible professional, eligible hospital, or critical access hospital transition to a new certified electronic health record technology.

“(l) Appeals.—The Secretary shall establish a process whereby any vendor of, or entity offering, health information technology can appeal—

“(1) the health information technology product’s star rating; or

“(2) the Secretary’s decision to decertify a product, as applicable.”.

SEC. 5. Updating information on accessing personal health information.

Subtitle A of title XXX of the Public Health Service Act (42 U.S.C. 300jj–11 et seq.), as amended by section 4, is further amended by adding at the end the following:

“SEC. 3009B. Updating information on accessing personal health information.

“The National Coordinator, in consultation with the Director of the Office of Civil Rights, shall, as appropriate, update the Internet website of the Office with information to assist individuals in understanding their rights to access and protect their personal health information under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104–191), including best practices for requesting their personal health information in a computable format and using patient portals, among other information.”.

