[Congressional Bills 114th Congress] [From the U.S. Government Publishing Office] [S. 2511 Introduced in Senate (IS)] <DOC> 114th CONGRESS 2d Session S. 2511 To improve Federal requirements relating to the development and use of electronic health records technology. _______________________________________________________________________ IN THE SENATE OF THE UNITED STATES February 8, 2016 Mr. Alexander (for himself, Mrs. Murray, Mr. Cassidy, Mr. Whitehouse, Mr. Hatch, and Mr. Bennet) introduced the following bill; which was read twice and referred to the Committee on Health, Education, Labor, and Pensions _______________________________________________________________________ A BILL To improve Federal requirements relating to the development and use of electronic health records technology. Be it enacted by the Senate and House of Representatives of the United States of America in Congress assembled, SECTION 1. SHORT TITLE. This Act may be cited as the ``Improving Health Information Technology Act''. SEC. 2. ASSISTING DOCTORS AND HOSPITALS IN IMPROVING THE QUALITY OF CARE FOR PATIENTS. (a) In General.--Part 1 of subtitle A of title XIII of the Health Information Technology for Economic and Clinical Health Act (Public Law 111-5) is amended by adding at the end the following: ``SEC. 13103. ASSISTING DOCTORS AND HOSPITALS IN IMPROVING THE QUALITY OF CARE FOR PATIENTS. ``(a) Reduction in Burdens Goal.--The Secretary of Health and Human Services (referred to in this section as the `Secretary'), in consultation with providers of health services, health care suppliers of services, health care payers, health professional societies, health information technology developers, health care quality organizations, health care accreditation organizations, public health entities, States, and other appropriate entities, shall, in accordance with subsection (b)-- ``(1) establish a goal with respect to the reduction of regulatory or administrative burdens (such as documentation requirements) relating to the use of electronic health records; ``(2) develop a strategy for meeting the goal established under paragraph (1); and ``(3) develop recommendations for meeting the goal established under paragraph (1). ``(b) Strategy and Recommendations.-- ``(1) In general.--To achieve the goals established under subsection (a)(1), the Secretary, in consultation with the entities described in such subsection, shall, not later than 12 months after the date of enactment of this section, develop a strategy and recommendations to meet the goals in accordance with this subsection. ``(2) Strategy.--The strategy developed under paragraph (1) shall address the regulatory and administration burdens (such as documentation requirements) relating to the use of electronic health records. Such strategy shall include broad public comment and shall prioritize burdens related to-- ``(A) the Medicare and Medicaid EHR Meaningful Use Incentive programs or the Merit-based Incentive Payment System, the Alternative Payment Models, the Hospital Value-Based Purchasing Program, and other value-based payment programs determined appropriate by the Secretary; ``(B) health information technology certification programs; ``(C) standards, and implementation specifications, as appropriate; ``(D) activities that provide individuals access to their electronic health information; ``(E) activities related to protecting the privacy of electronic health information; ``(F) activities related to protecting the security of electronic health information; ``(G) activities related to facilitating health and clinical research; ``(H) activities related to public health; ``(I) activities related to aligning and simplifying quality measures across Federal programs and other payers; ``(J) activities related to reporting clinical data for administrative purposes; and ``(K) other areas determined appropriate by the Secretary. ``(3) Recommendations.--The recommendations developed under paragraph (1) shall address-- ``(A) actions that improve the clinical documentation experience; ``(B) actions that improve patient care; ``(C) actions to be taken by the Secretary and by other entities; and ``(D) other areas determined appropriate by the Secretary to reduce the reporting burden required of health care providers. ``(4) FACA.--The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the development of the goal, strategies, or recommendations described in this section. ``(c) Application of Certain Regulatory Requirements.--A physician (as defined in section 1861(r)(1) of the Social Security Act) may delegate electronic medical record documentation requirements specified in regulations promulgated by the Department of Health and Human Services to a person who is not such physician if such physician has signed and verified the documentation.''. (b) Certification of Health Information Technology for Medical Specialties and Sites of Service.--Section 3001(c)(5) of the Public Health Service Act (42 U.S.C. 300jj-11(c)(5)) is amended by adding at the end the following: ``(C) Health information technology for medical specialties and sites of service.-- ``(i) In general.--The National Coordinator shall encourage, keep, or recognize, through existing authorities, the voluntary certification of health information technology under the program developed under subparagraph (A) for use in medical specialties and sites of service for which no such technology is available or where more technological advancement or integration is needed. ``(ii) Specific medical specialties.--The HIT Policy and Standards Committees shall make recommendations on specific medical specialties and sites of service, in addition to those described in clause (iii), applicable under this paragraph. ``(iii) Certified health information technology for pediatrics.--Not later than 18 months after the date of enactment of this subparagraph, the HIT Policy and Standards Committees, in consultation with relevant stakeholders, shall make recommendations for the voluntary certification of health information technology for use by pediatric health providers to support the health care of children. Not later than 24 months after the date of enactment of this subparagraph, the Secretary shall adopt certification criteria (under section 3004) to support the voluntary certification of health information technology for use by pediatric health providers to support the health care of children.''. (c) Meaningful Use Statistics.-- (1) In general.--Not later than 6 months after the date of enactment of this Act, the Secretary of Health and Human Services shall submit to the HIT Policy Committee of the Office of the National Coordinator for Health Information Technology, a report concerning attestation statistics for the Medicare and Medicaid EHR Meaningful Use Incentive programs to assist in informing standards adoption and related practices. Such statistics shall include attestation information delineated by State, including the number of providers who did not meet the minimum criteria necessary to attest for the Medicare and Medicaid EHR Meaningful Use Incentive programs for a calendar year, and shall be made publicly available on the Internet website of the Secretary on at least a quarterly basis. (2) Authority to alter format.--The Secretary of Health and Human Services may alter the format of the reports on the attestation of eligible health care professionals following the first performance year of the Merit-based Incentive Payment System to account for changes arising from the implementation of such payment system. SEC. 3. TRANSPARENT RATINGS ON USABILITY AND SECURITY TO TRANSFORM INFORMATION TECHNOLOGY. (a) Enhancements to Certification.--Section 3001(c)(5) of the Public Health Service Act (42 U.S.C. 300jj-11), as amended by section 2(b), is further amended-- (1) in subparagraph (A)-- (A) by striking ``The National Coordinator'' and inserting the following: ``(i) Voluntary certification program.--The National Coordinator''; and (B) by adding at the end the following: ``(ii) Transparency of program.-- ``(I) In general.--To enhance transparency in the compliance of health information technology with certification criteria and other requirements adopted under this subtitle, the National Coordinator, in coordination with authorized certification bodies, may make information demonstrating how health information technology meets such certification criteria or other requirements publicly available. Such information may include summaries, screenshots, video demonstrations, or any other information the National Coordinator determines appropriate. ``(II) Protection of proprietary information.--The National Coordinator shall take appropriate measures to ensure that there are in effect effective procedures to prevent the unauthorized disclosure of any trade secret or confidential information that is obtained by the Secretary pursuant to this section.''; (2) in subparagraph (B), by adding at the end the following: ``Beginning 18 months after reporting criteria are finalized under section 3009A, certification criteria shall include, in addition to criteria to establish that the technology meets such standards and implementation specifications, criteria consistent with section 3009A(b) to establish that technology meets applicable security requirements, incorporates user-centered design, and achieves interoperability.''; and (3) by adding at the end the following: ``(D) Conditions of certification.--Beginning 1 year after the date of enactment of the Improving Health Information Technology Act, the Secretary shall require, as a condition of certification and maintenance of certification for programs maintained or recognized under this paragraph, that-- ``(i) the health information technology developer or entity does not take any action that constitutes information blocking with respect to health information technology; ``(ii) the health information technology developer or entity permits unimpeded communication among and between health information technology users, and for the purposes of health information technology users communicating with an authorized certification body, the Office of the National Coordinator, and the Office of the Inspector General, the health information technology developer or entity permits unimpeded communication regarding the usability, interoperability, security, business practices, or other relevant information about the health information technology or users' experience with the health information technology; ``(iii) health information from such technology may be exchanged, accessed, and used through the use of application programming interfaces or successor technology or standard as provided for under applicable law; ``(iv) the health information technology developer or entity provides to the Secretary an attestation that the developer or entity-- ``(I) has not engaged in any of the conduct described in clause (i); ``(II) allows for communication as described in clause (ii); and ``(III) ensures that its technology allows for health information to be exchanged, accessed, and used, in the manner described in clause (iii); and ``(v) the health information technology developer or entity submits reporting criteria in accordance with section 3009A(f).''. (b) Health Information Technology Rating Program.--Subtitle A of title XXX of the Public Health Service Act (42 U.S.C. 300jj-11 et seq.) is amended by adding at the end the following: ``SEC. 3009A. HEALTH INFORMATION TECHNOLOGY RATING PROGRAM. ``(a) Establishment.--Not later than 180 days after the date of enactment of the Improving Health Information Technology Act, the Secretary shall recognize a development council made up of one representative from each of the certification bodies authorized by the Office of the National Coordinator and the testing laboratories accredited under section 13201(b) of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17911(b)), one representative from the National Institute of Standards and Technology, and one representative from the Office of the National Coordinator. The development council shall meet as needed for the purposes of carrying out its activities in accordance with this section. ``(b) Reporting Criteria.-- ``(1) In general.--The Secretary shall, using the procedures prescribed in this subsection, issue rules establishing reporting criteria for health information technology products. ``(2) Convening of stakeholders.--Not later than 1 year after the date of enactment of the Improving Health Information Technology Act, the Secretary, in consultation with the development council described in subsection (a), shall convene stakeholders as described in paragraph (3) for the purpose of developing the reporting criteria in accordance with paragraph (4). ``(3) Development of reporting criteria.--The reporting criteria under this subsection shall be developed through a public, transparent process that reflects input from relevant stakeholders, including-- ``(A) health care providers, including primary care and specialty care health care professionals; ``(B) hospitals and hospital systems; ``(C) health information technology developers; ``(D) patients, consumers, and their advocates; ``(E) data sharing networks, such as health information exchanges; ``(F) authorized certification bodies and testing laboratories; ``(G) security experts; ``(H) relevant manufacturers of medical devices; ``(I) experts in health information technology market economics; ``(J) public and private entities engaged in the evaluation of health information technology performance; ``(K) quality organizations, including the consensus based entity described in section 1890 of the Social Security Act; ``(L) experts in human factors engineering and the measurement of user-centered design; and ``(M) other entities or persons, as the Secretary, in consultation with the development council, determines appropriate. ``(4) Considerations for reporting criteria.--The reporting criteria developed under this subsection-- ``(A) shall include measures that reflect categories including, with respect to the technology-- ``(i) security; ``(ii) usability and user-centered design; ``(iii) interoperability; ``(iv) conformance to certification testing; and ``(v) other categories as appropriate to measure the performance of health information technology; ``(B) may include measures such as-- ``(i) enabling the user to order and view the results of laboratory tests, imaging tests, and other diagnostic tests; ``(ii) submitting, editing, and retrieving data from registries such as clinician-led clinical data registries; ``(iii) accessing and exchanging information and data from and through Health Information Exchanges; ``(iv) accessing and exchanging information and data from medical devices; ``(v) accessing and exchanging information and data held by Federal, State, and local agencies and other applicable entities useful to a health care provider or other applicable user in the furtherance of patient care; ``(vi) accessing and exchanging information from other health care providers or applicable users; ``(vii) accessing and exchanging patient generated information; ``(viii) providing the patient or an authorized designee with a complete copy of their health information from an electronic record in a computable format; ``(ix) providing accurate patient information for the correct patient, including exchanging such information, and avoiding the duplication of patients records; and ``(x) other appropriate functionalities; and ``(C) shall be designed to ensure that small and start-up health information technology developers are not unduly disadvantaged by the reporting criteria or rating scale methodology. ``(5) Consideration of development council recommendations.--In promulgating proposed rules under this subsection, including modifications to such rules under subsection (e), the Secretary may accept, reject, or modify the recommendations of the development council, but may not promulgate a proposed rule that does not represent a complete recommendation of such council. ``(6) Public comment.--In promulgating proposed rules under this subsection, the Secretary shall conduct a public comment period of not less than 60 days during which any member of the public may provide comments on the proposed reporting criteria and the methodology for the rating body (defined in subsection (g)) to use in determining the star ratings. ``(7) Final rules.--The final rule promulgated under this subsection shall be accompanied by timely responses to the public comments described in paragraph (6). ``(8) FACA.--The Federal Advisory Committee Act (5 U.S.C. App.) shall not apply to the development council described in this section. ``(c) Feedback.-- ``(1) In general.--The Secretary, in consultation with the development council, shall establish a process for the rating body (described in subsection (g)) to collect and verify confidential feedback from-- ``(A) health care providers, patients, and other users of certified health information technology on the usability, security, and interoperability of health information technology products; and ``(B) developers of certified health information technology on practices of health information technology users that may inhibit interoperability. ``(2) Paperwork reduction act.--The Paperwork Reduction Act (44 U.S.C. 3501 et seq.) shall not apply to the collection of feedback described in this subsection. ``(d) Methodology.--The Secretary, in consultation with the development council, shall develop a methodology to be used by the rating body described in subsection (g) to calculate the star ratings for certified health information technology described in subsection (a). The methodology shall use the reporting criteria developed in subsection (b), and the confidential feedback collected under subsection (c). In developing such methodology, the Secretary, in consultation with the development council, shall-- ``(1) provide for appropriate weighting of user feedback submitted under subsection (c) and reporting criteria submitted under subsection (f), including consideration of the number of users who submitted such feedback; ``(2) consider the impact of customization or adaptation by users of certified health information technology on performance; ``(3) account for the intended function, scope, and type of certified health information technology; ``(4) in consultation with the development council and after seeking comment from developers of health information technology in a manner that ensures appropriate industry feedback, establish a timeframe, but in no case less frequent than once every 3 years, for the submission of reporting criteria under subsection (f); and ``(5) establish a timeframe for incorporating user feedback submitted under subsection (c) and reporting criteria submitted under subsection (f) into the star ratings for certified health information technology that accounts for updates to such technology in order to encourage innovation and maximize the utility of the star ratings. ``(e) Modifications.-- ``(1) To the number of stars in the rating program.--The development council may modify the number of star ratings employed by the system, but not more frequently than every 4 years. In no case shall the rating system employ fewer than 3 stars. ``(2) To the reporting criteria.--After the final reporting criteria have been established under this section, the Secretary, in consultation with the development council, may convene stakeholders and conduct a public reporting period for the purpose of modifying the reporting criteria developed under subsection (b) and methodology for determining the star ratings proposed under subsection (e). ``(3) To the methodology.--After the final methodology to be used by the rating body is established under subsection (e), the Secretary, in consultation with the development council, may modify the methodology used to calculate the star ratings for certified health information technology using the reporting criteria developed under subsection (b) and the confidential feedback collected under subsection (c). ``(4) Consideration of gao report.--The Secretary and the development council shall take into account the recommendations from the Comptroller General under subsection (k), where available, for the purposes of this paragraph. ``(f) Participation.--As a condition of maintaining their certification under section 3001(c)(5)(D), a developer of certified health information technology shall report on the criteria developed under subsection (b) for all such certified technology offered by such developer pursuant to the timeframe established under subsection (d). ``(g) Rating Body.-- ``(1) In general.--The National Coordinator shall recognize an independent entity with appropriate expertise to carry out the rating program established by the development council under subsection (a) and shall redetermine such recognition at least every 4 years. ``(2) Consultation.--The entity recognized under paragraph (1) may consult with organizations with expertise in the measurement of interoperability, usability, and security of health information technology in carrying out activities under this section. ``(h) One Star Rating.--Each health information technology developer, or entity offering health information technology for certification, that receives a 1 star rating shall take action, through an improvement plan developed with the rating body and approved by the Secretary, to improve the health information technology rating within a timeframe that the Secretary determines appropriate. ``(i) Decertification.-- ``(1) Mandatory.--The Secretary shall decertify health information technology if the developer or entity offering health information technology does not submit reporting criteria in accordance with subsection (f) within 90 days of the timeline established under subsection (d). ``(2) Other decertification.--The Secretary may decertify health information technology if-- ``(A) the health information technology does not improve from a one star rating within the timeframe established under subsection (h); or ``(B) in other circumstances, as the Secretary determines appropriate. ``(j) GAO Reports.--During the 12-year period beginning on the date of enactment of the Improving Health Information Technology Act, the Comptroller General of the United States shall submit to Congress a report every 4 years on the rating scale methodology developed pursuant to subsection (d), providing observations on the appropriateness of the current methodology and recommendations for changes to the methodology. The Development Council shall recommend to Congress and the Secretary if additional reports are needed after the expiration of such 12-year period. ``(k) Internet Website.--On the Internet website of the Office of the National Coordinator, the Secretary shall publish the criteria and methodology used to determine the star ratings, and, for each certified health information technology, the final star rating, and a report outlining such technology's performance with regard to the reporting criteria developed under subsection (b), and if an improvement plan has been administered. Following the reporting described in subsection (f), the rating body shall have 30 days to calculate and submit updated ratings to the Secretary and each developer of health information technology, and updated ratings shall be published on such Internet website not later than 30 days following such submission, notwithstanding an appeal of a rating by a developer or entity through the process developed under subsection (m). ``(l) Hardship Exemption.--Decertification of an adopted health information technology product under subsection (i) shall be considered a significant hardship resulting in a blanket exemption from the payment adjustment pursuant to section 1848(a)(7)(B) of the Social Security Act for eligible professionals, section 1886(b)(3)(ix)(II) of such Act for eligible hospitals, and 1814(l)(4)(C) of such Act for critical access hospitals. ``(m) Notification and Appeals.--The Secretary shall establish a process whereby any health information technology developer, or entity offering health information technology, is notified not less than 30 days before being made public and can appeal-- ``(1) the health information technology product's star rating; or ``(2) the Secretary's decision to decertify a product, as applicable.''. SEC. 4. INFORMATION BLOCKING. Subtitle C of title XXX of the Public Health Service Act (42 U.S.C. 300jj-51 et seq.) is amended by adding at the end the following: ``SEC. 3022. INFORMATION BLOCKING. ``(a) Definition.-- ``(1) In general.--The term `information blocking' means-- ``(A) with respect to a health information technology developer, exchange, or network, business, technical, or organizational practices that-- ``(i) except as required by law or specified by the Secretary, interferes with, prevents, or materially discourages access, exchange, or use of electronic health information; and ``(ii) the developer, exchange, or network knows, or should know, are likely to interfere with or prevent or materially discourage the access, exchange, or use of electronic health information; and ``(B) with respect to a health care provider, the person or entity knowingly and unreasonably restricts electronic health information exchange for patient care or other priorities as determined appropriate by the Secretary. ``(2) Rulemaking.--The Secretary shall, through rulemaking-- ``(A) identify reasonable and necessary activities that do not constitute information blocking for purposes of paragraph (1)(A); and ``(B) identify actions that meet the definition of information blocking with respect to health care providers for purposes of paragraph (1)(B). ``(b) Inspector General Authority.-- ``(1) In general.--The Inspector General of the Department of Health and Human Services may investigate any claim that-- ``(A) a health information technology developer of, or other entity offering certified health information technology-- ``(i) submits a false attestation made under section 3001(c)(5)(D); or ``(ii) engaged in information blocking with respect to the use of such health information technology by a health care provider, unless for a legitimate purpose specified by the Secretary; ``(B) a health care provider engaged in information blocking with respect to access or exchange of certified health information technology, unless for a legitimate purpose specified by the Secretary; and ``(C) a health information network or exchange provider engaged in information blocking with respect to the access, exchange, or use of such certified health information technology, unless for a legitimate purpose specified by the Secretary. ``(2) Jurisdiction of the inspector general.--For purposes of this section, the Office of the Inspector General shall have jurisdiction with respect to exchanges and networks, as well as any developer or entity offering health information technology for certification under a program or programs kept or recognized by the National Coordinator under section 3001(c)(5). The National Coordinator shall notify developers of health information technology as appropriate regarding the jurisdiction of the Inspector General under this paragraph. ``(3) Penalty.-- ``(A) Developers, networks, and exchanges.--With respect to a health information technology developer, exchange, or network, a person or entity determined by the Inspector General to have committed information blocking as described in subparagraph (A) or (C) of paragraph (1) shall be subject to a civil monetary penalty in an amount determined, through notice-and- comment rulemaking, by the Secretary which may take into account factors such as the extent and duration of the information blocking and the number of patients and providers potentially affected. ``(B) Providers.--With respect to health care providers, any person or entity determined by the Inspector General to have committed information blocking as described in subparagraph (B) of paragraph (1) shall be subject to appropriate incentives and disincentives using authorities under applicable Federal law, as determined appropriate by the Secretary through notice and comment rulemaking. ``(C) Procedure.--The provisions of section 1128A of the Social Security Act (other than subsections (a) and (b)) shall apply to a civil money penalty applied under this subsection in the same manner as such provisions apply to a civil money penalty or proceeding under section 1128A(a). ``(D) Recovery of funds.--Notwithstanding section 3302 of title 31, United States Code, or any other provision of law affecting the crediting of collections, the Inspector General of the Department of Health and Human Services may receive and retain for current use any amounts recovered under subparagraphs (A) and (C). In addition to amounts otherwise available to the Inspector General, funds received by the Inspector General under this paragraph shall be deposited, as an offsetting collection, to the credit of any appropriation available for purposes of carrying out this subsection and shall be available without fiscal year limitation and without further appropriation. ``(4) Resolution of claims.-- ``(A) In general.--The Office of the Inspector General, if such Office determines that a simple consultation regarding the health privacy and security rules promulgated under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (42 U.S.C. 1320d-2 note) will resolve the claim at issue, may refer instances of information blocking to the Office for Civil Rights of the Department of Health and Human Services for resolution. ``(B) Limitation on liability.--If a health information technology developer makes information available based on a good faith reliance on consultations with the Office for Civil Rights of the Department of Health and Human Services with respect to such information, the developer shall not be liable for such disclosure. ``(c) Identifying Barriers to Exchange of Certified Health Information Technology.-- ``(1) Trusted exchange defined.--In this section, the term `trusted exchange' with respect to certified health information technology means that the certified health information technology has the technical capability to enable secure health information exchange between users and multiple certified health information technology systems. ``(2) Guidance.--The National Coordinator, in consultation with the Office for Civil Rights of the Department of Health and Human Services, shall issue guidance on common legal, governance, and security barriers that prevent the trusted exchange of electronic health information. ``(3) Referral.--The National Coordinator and the Office for Civil Rights of the Department of Health and Human Services may refer to the Inspector General instances or patterns of refusal to exchange health information with an individual or entity using certified health information technology that is technically capable of trusted exchange and under conditions when exchange is legally permissible. ``(4) HIT standards committee consideration.--Not later than 1 year after the date of enactment of the Improving Health Information Technology Act, the HIT Standards Committee shall begin consideration of issues related to trusted exchange.''. SEC. 5. INTEROPERABILITY. (a) Definition.--Section 3000 of the Public Health Service Act (42 U.S.C. 300jj) is amended-- (1) by redesignating paragraphs (10) through (14), as paragraphs (11) through (15), respectively; and (2) by inserting after paragraph (9) the following: ``(10) Interoperability.--The term `interoperability' with respect to health information technology means such health information technology that has the ability to securely exchange electronic health information with and use electronic health information from other health information technology without special effort on the part of the user.''. (b) Support for Interoperable Network Exchange.--Section 3001(c) of the Public Health Service Act (42 U.S.C. 300jj-11(c)) is amended by adding at the end the following: ``(9) Support for interoperable networks exchange.-- ``(A) In general.--The National Coordinator shall, in collaboration with the National Institute of Standards and Technology and other relevant agencies within the Department of Health and Human Services, for the purpose of ensuring full network-to-network exchange of health information, convene public-private and public-public partnerships to build consensus and develop a trusted exchange framework, including a common agreement among health information networks nationally. Such convention may occur at a frequency determined appropriate by the Secretary. ``(B) Establishing a trusted exchange framework.-- ``(i) In general.--Not later than six months after the date of enactment of this paragraph, the National Coordinator shall convene appropriate public and private stakeholders to develop a trusted exchange framework for trust policies and practices and for a common agreement for exchange between health information networks. The common agreement may include-- ``(I) a common method for authenticating trusted health information network participants; ``(II) a common set of rules for trusted exchange; ``(III) organizational and operational policies to enable the exchange of health information among networks, including minimum conditions for such exchange to occur; and ``(IV) a process for filing and adjudicating noncompliance with the terms of the common agreement. ``(ii) Technical assistance.--The National Coordinator, in conjunction with the National Institute of Standards and Technology, shall provide technical assistance on how to implement the trusted exchange framework and common agreement under this paragraph. ``(iii) Pilot testing.--The National Coordinator, in collaboration with the National Institute of Standards and Technology, shall provide for the pilot testing of the trusted exchange framework and common agreement established under this subsection (as authorized under section 13201 of the Health Information Technology for Economic and Clinical Health Act). The National Coordinator, in collaboration with the National Institute of Standards and Technology, may delegate pilot testing activities under this clause to independent entities with appropriate expertise. ``(C) Publication of a trusted exchange framework and common agreement.--Not later than one year after convening stakeholders under subparagraph (A), the National Coordinator shall publish on its public Internet website, and in the Federal register, the trusted exchange framework and common agreement developed under subparagraph (B). Such trusted exchange framework and common agreement shall be published in a manner that protects proprietary and security information, including trade secrets and any other protected intellectual property. ``(D) Directory of participating health information networks.-- ``(i) In general.--Not later than two years after convening stakeholders under subparagraph (A), and annually thereafter, the National Coordinator shall publish on its public Internet website a list of those health information networks that have adopted the common agreement and are capable of trusted exchange pursuant to the common agreement developed under paragraph (B). ``(ii) Process.--The Secretary shall, through notice-and-comment rulemaking, establish a process for health information networks that voluntarily elect to adopt the trusted exchange framework and common agreement to attest to such adoption of the framework and agreement. ``(E) Application of the trusted exchange framework and common agreement.--As appropriate, Federal agencies contracting or entering into agreements with health information exchange networks may require that as each such network upgrades health information technology or trust and operational practices, it may adopt, where available, the trusted exchange framework and common agreement published under subparagraph (C). ``(F) Rule of construction.-- ``(i) General adoption.--Nothing in this paragraph shall be construed to require a health information network to adopt the trusted exchange framework or common agreement. ``(ii) Adoption when exchange of information is within network.--Nothing in this paragraph shall be construed to require a health information network to adopt the trusted exchange framework or common agreement for the exchange of electronic health information between participants of the same network. ``(iii) Existing frameworks and agreements.--The trusted exchange framework and common agreement published under subparagraph (C) shall take into account existing trusted exchange frameworks and agreements used by health information networks to avoid the disruption of existing exchanges between participants of health information networks. ``(iv) Application by federal agencies.-- Notwithstanding clauses (i), (ii), and (iii), Federal agencies may require the adoption of the trusted exchange framework and common agreement published under subparagraph (C) for health information exchanges contracting with or entering into agreements pursuant to subparagraph (E). ``(v) Consideration of ongoing work.--In carrying out this paragraph, the Secretary shall ensure the consideration of activities carried out by public and private organizations related to exchange between health information exchanges to avoid duplication of efforts.''. (c) Provider Digital Contact Information Index.-- (1) In general.--Not later than 36 months after the date of enactment of this Act, the Secretary of Health and Human Services shall either directly, or through a partnership with a private entity, establish a provider digital contact information index to provide digital contact information for health professionals, health facilities, and other individuals or organizations. (2) Use of existing index.--In establishing the initial index under paragraph (1), the Secretary of Health and Human Services may utilize an existing provider directory to make such digital contact information available. (3) Contact information.--An index established under this subsection shall ensure that contact information is available at the individual health care provider level and at the health facility or practice level. (4) Rule of construction.-- (A) In general.--The purpose of this subsection is to encourage the exchange of electronic health information by providing the most useful, reliable, and comprehensive index of providers possible. In furthering such purpose, the Secretary of Health and Human Services shall include all health professionals, health facilities, and other individuals or organizations applicable to provide a useful, reliable, and comprehensive index for use in the exchange of health information. (B) Limitation.--In no case shall exclusion from the index of providers be used as a measure to achieve objectives other those described in subparagraph (A). (d) Standards Development Organizations.--Section 3004 of the Public Health Service Act (42 U.S.C. 300jj-14) is amended by adding at the end the following: ``(c) Deference to Standards Development Organizations.--In adopting and implementing standards under this section, the Secretary shall give deference to standards published by Standards Development Organizations and voluntary consensus-based standards bodies.''. SEC. 6. LEVERAGING HEALTH INFORMATION TECHNOLOGY TO IMPROVE PATIENT CARE. (a) Requirement Relating to Registries.-- (1) In general.--To be certified in accordance with title XXX of the Public Health Service Act, health information technology (as defined by section 3000(5) of the Public Health Service Act (42 U.S.C. 300jj(5))) shall be capable of transmitting to, and where applicable, receiving and accepting data from registries in accordance with standards recognized by the Office of the National Coordinator for Health Information Technology, including clinician-led clinical data registries, that are also certified to be technically capable of receiving and accepting from, and where applicable, transmitting data to certified health information technology in accordance with such standards. (2) Rule of construction.--Nothing in this subsection shall be construed to require the certification of registries beyond the technical capability to exchange data in accordance with applicable endorsed standards. (b) Definition.--For purposes of this Act (including amendments made to title XXX of the Public Health Service Act (42 U.S.C. 300jj et seq.)), the term ``clinician-led clinical data registry'' means a clinical data repository-- (1) that is established and operated by a clinician-led or controlled, tax-exempt (pursuant to section 501(c) of the Internal Revenue Code of 1986), professional society or other similar clinician-led or -controlled organization, or such organization's controlled affiliate, devoted to the care of a population defined by a particular disease, condition, exposure or therapy; (2) that is designed to collect detailed, standardized data on an ongoing basis for medical procedures, services, or therapies for particular diseases, conditions, or exposures; (3) that provides feedback to participants who submit reports to the repository; (4) that meets standards for data quality including-- (A) systematically collecting clinical and other health care data, using standardized data elements and has procedures in place to verify the completeness and validity of those data; and (B) being subject to regular data checks or audits to verify completeness and validity; and (5) that provides ongoing participant training and support. (c) Treatment of Health Information Technology Developers With Respect to Patient Safety Organizations.-- (1) In general.--In applying part C of title IX of the Public Health Service Act (42 U.S.C. 299b-21 et seq.), a health information technology developer shall be treated as a provider (as defined in section 921 of such Act) for purposes of reporting and conducting patient safety activities concerning improving clinical care through the use of health information technology that could result in improved patient safety, health care quality, or health care outcomes. (2) Report.--Not later than 48 months after the date of enactment of this Act, the Secretary of Health and Human Services shall submit to the Committee on Health, Education, Labor, and Pensions of the Senate and the Committee on Energy and Commerce of the House of Representatives, a report concerning best practices and current trends voluntarily provided, and without identifying individual providers or disclosing or using protected health information or individually identifiable information, by Patient Safety Organizations to improve the integration of health information technology into clinical practice. SEC. 7. EMPOWERING PATIENTS AND IMPROVING PATIENT ACCESS TO THEIR ELECTRONIC HEALTH INFORMATION. (a) Use of Health Information Exchanges for Patient Access.-- Section 3009 of the Public Health Service Act (42 U.S.C. 300jj-19) is amended by adding at the end the following: ``(c) Promoting Patient Access to Electronic Health Information Through Health Information Exchanges.-- ``(1) In general.--The National Coordinator, in coordination with the Office for Civil Rights of the Department of Health and Human Services, shall use existing authorities to encourage partnerships between health information exchange organizations and networks and health care providers, health plans, and other appropriate entities to offer patients access to their electronic health information in a single, longitudinal format that is easy to understand, secure, and may update such information automatically. ``(2) Education of providers.--The National Coordinator, in coordination with the Office for Civil Rights of the Department of Health and Human Services, shall-- ``(A) educate health care providers on ways in which to leverage the capabilities of health information exchanges (or other relevant platforms) to provide patients with access to their electronic health information; ``(B) clarify misunderstandings by health care providers about using health information exchanges (or other relevant platforms) for patient access to electronic health information; and ``(C) to the extent practicable, educate providers about health information exchanges (or other relevant platforms) that employ some or all of the capabilities described in paragraph (1). ``(3) Requirements.--In carrying out paragraph (1), the National Coordinator, in coordination with the Office for Civil Rights, shall issue guidance to health information exchanges related to best practices to ensure that the electronic health information provided to patients is-- ``(A) private and secure; ``(B) accurate; ``(C) verifiable; and ``(D) where a patient's authorization to exchange is required by law, easily exchanged pursuant to such authorization. ``(4) Rule of construction.--Nothing in this subsection shall be construed to preempt State laws applicable to patient consent for the access of information through a Health Information Exchange (or other relevant platforms) that provide protections to patients that are greater than the protections otherwise provided for under applicable Federal law. ``(d) Efforts To Promote Access to Health Information.--The National Coordinator and the Office for Civil Rights of the Department of Health and Human Services shall jointly, through the development of policies that support dynamic technology solutions, promote patient access to health information in a manner that would ensure that such information is available in a form convenient for the patient, in a reasonable manner, and without burdening the health care provider involved. ``(e) Accessibility of Patient Records.-- ``(1) Accessibility and updating of information.-- ``(A) In general.--The Secretary, in consultation with the National Coordinator, shall promote policies that ensure that a patient's electronic health information is accessible to that patient, and their designees, in a manner that facilitates communication with the patient's health care providers and such patient's consent, including with respect to research. ``(B) Updating education on accessing and exchanging personal health information.--To promote awareness that an individual has a right of access to inspect, obtain a copy of, and transmit to a third party a copy of protected health information pursuant to the Health Information Portability and Accountability Act Privacy Rule (45 C.F.R. 164.524 et seq.), the Director of the Office for Civil Rights, in consultation with the National Coordinator, shall assist individuals and health care providers in understanding a patient's rights to access and protect their personal health information under the Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), including providing best practices for requesting personal health information in a computable format, including using patient portals or third-party applications and common cases when a provider is permitted to exchange and provide access to health information. ``(2) Certifying usability for patients.--In carrying out certification programs under section 3001(c)(5), the National Coordinator shall require, where applicable, that such program or programs require the following: ``(A) That certification criteria support patient access to their electronic health information, including in a single longitudinal format that is easy to understand, secure, and may be updated automatically. ``(B) That developers of health information technology support patient access to an electronic health record in a longitudinal format that is easy to understand, secure, and may be updated automatically. ``(C) That certification criteria support patient access to their personal electronic health information for research at the option of the patient. ``(D) That certification criteria support patient and health care provider communication, including-- ``(i) the ability for the patient to electronically communicate patient reported information (such as family history and medical history); and ``(ii) the ability for the patient to electronically share patient health information, at the option of the patient. ``(E) That certified health information technology used for health programs where certified health information technology is required, include the function for patient access to their own health information, including-- ``(i) ensuring that, as a condition of certification, health care providers have options for making such information accessible for patients; ``(ii) ensuring that patients have options for accessing such information; and ``(iii) ensuring that patients have access to information regarding their legal rights and responsibilities, as well the options available to them for accessing their electronic health information. ``(F) That the HIT Standards Committee develop and prioritize standards, implementation specifications, and certification criteria required to help support patient access to electronic health information, patient usability, and support for technologies that offer patients access to their electronic health information in a single, longitudinal format that is easy to understand, secure, and may be updated automatically.''. (b) Access to Information in an Electronic Format.--Section 13405(e) of the Health Information Technology for Economic and Clinical Health Act (42 U.S.C. 17935) is amended-- (1) in paragraph (1), by striking ``and'' at the end; (2) by redesignating paragraph (2) as paragraph (3); and (3) by inserting after paragraph (1), the following: ``(2) if the individual makes a request to a business associate for access to, or a copy of, protected health information about the individual, or if an individual makes a request to a business associate to grant such access to, or transmit such copy directly to, a person or entity designated by the individual, a business associate may provide the individual with such access or copy, which may be in an electronic form, or grant or transmit such access or copy to such person or entity designated by the individual; and''. SEC. 8. GAO STUDY ON PATIENT MATCHING. (a) In General.--Not later than 1 year after the date of enactment of this Act, the Comptroller General of the United States shall conduct a study to review the policies and activities of the Office of the National Coordinator for Health Information Technology and other relevant stakeholders to ensure appropriate patient matching to protect patient privacy and security with respect to electronic health records and the exchange of electronic health information. (b) Areas of Concentration.--In conducting the study under subsection (a), the Comptroller General shall-- (1) evaluate current methods used in certified electronic health records for patient matching based on performance related to factors such as-- (A) the privacy of patient information; (B) the security of patient information; (C) improving matching rates; (D) reducing matching errors; and (E) reducing duplicate records; and (2) determine whether the Office of the National Coordinator for Health Information Technology could improve patient matching by taking steps including-- (A) defining additional data elements to assist in patient data matching; (B) agreeing on a required minimum set of elements that need to be collected and exchanged; (C) requiring electronic health records to have the ability to make certain fields required and use specific standards; or (D) other options recommended by the relevant stakeholders consulted pursuant to subsection (a). (c) Report.--Not later than 2 years after the date of enactment of this Act, the Comptroller General shall submit to the appropriate committees of Congress a report concerning the findings of the study conducted under subsection (a). <all>