[Congressional Bills 114th Congress]
[From the U.S. Government Publishing Office]
[S. 2141 Introduced in Senate (IS)]

114th CONGRESS
  1st Session
                                S. 2141

     To amend the Public Health Service Act with respect to health 
                        information technology.


_______________________________________________________________________


                   IN THE SENATE OF THE UNITED STATES

                            October 6, 2015

 Mr. Cassidy (for himself and Mr. Whitehouse) introduced the following 
  bill; which was read twice and referred to the Committee on Health, 
                     Education, Labor, and Pensions

_______________________________________________________________________

                                 A BILL


 
     To amend the Public Health Service Act with respect to health 
                        information technology.

    Be it enacted by the Senate and House of Representatives of the 
United States of America in Congress assembled,

SECTION 1. SHORT TITLE.

    This Act may be cited as the ``Transparent Ratings on Usability and 
Security to Transform Information Technology Act of 2015'' or the 
``TRUST IT Act''.

SEC. 2. DEFINITIONS.

    Section 3000 of the Public Health Service Act (42 U.S.C. 300jj) is 
amended--
            (1) by redesignating paragraphs (10) through (14) as 
        paragraphs (12) through (16), respectively; and
            (2) by inserting after paragraph (9) the following:
            ``(10) Information blocking.--The term `information 
        blocking' means, with respect to the development, 
        configuration, implementation, and use of qualified electronic 
        health records and other health information technology, 
        business, technical, and organizational practices that--
                    ``(A) except as required by law, prevent or 
                materially discourage the access, exchange, or use of 
                electronic health information; and
                    ``(B) the person knows or should know (as defined 
                in section 1128A(i)(7) of the Social Security Act) are 
                likely to interfere with the access, exchange, or use 
                of electronic health information.
            ``(11) Interoperability.--The term `interoperability' means 
        the ability of 2 or more health information systems or 
        components to exchange clinical and other information and to 
        use the information that has been exchanged using common 
        standards to provide access to longitudinal or requested 
        information to health care providers, patients, and other 
        authorized users when such persons need such information in 
        order to facilitate coordinated care and improved patient 
        outcomes.''.

SEC. 3. ENHANCEMENTS TO TESTING AND CERTIFICATION.

    Section 3001(c)(5) of the Public Health Service Act (42 U.S.C. 
300jj-11) is amended--
            (1) in subparagraph (A)--
                    (A) by striking ``The National Coordinator'' and 
                inserting the following:
                            ``(i) Voluntary certification program.--The 
                        National Coordinator''; and
                    (B) by adding at the end the following:
                            ``(ii) Transparency of program.--
                                    ``(I) In general.--To enhance 
                                transparency in the compliance of 
                                health information technology with 
                                certification criteria adopted under 
                                this subtitle, the National 
                                Coordinator, in coordination with 
                                authorized certification bodies, may 
                                make information demonstrating how 
                                health information technology meets 
                                such certification criteria publicly 
                                available. Such information may include 
                                summaries, screenshots, video 
                                demonstrations, or any other 
                                information the National Coordinator 
                                determines appropriate.
                                    ``(II) Protection of proprietary 
                                information.--Nothing in this paragraph 
                                shall be construed to require the 
                                release of trade secrets or any other 
                                protected intellectual property.'';
            (2) in subparagraph (B), by adding at the end the 
        following: ``Beginning 18 months after reporting criteria are 
        finalized under section 3009A, certification criteria shall 
        include, in addition to criteria to establish that the 
        technology meets such standards and implementation 
        specifications, criteria consistent with section 3009A(b) to 
        establish that technology meets applicable security 
        requirements, incorporates user-centered design, and achieves 
        interoperability.''; and
            (3) by adding at the end the following:
                    ``(C) Conditions of certification.--Beginning 1 
                year after the date of enactment of the TRUST IT Act, 
                the Secretary shall require that each vendor of health 
                information technology and entity seeking certification 
                of health information technology, as a condition of 
                certification and maintenance of certification of such 
                technology, provide to the Secretary an attestation 
                that--
                            ``(i) the vendor or entity, unless for a 
                        legitimate purpose specified by the Secretary, 
                        has not taken and will not take any action that 
                        constitutes information blocking with respect 
                        to health information technology;
                            ``(ii) the vendor or entity will not engage 
                        in business practices or impose binding 
                        business relationship obligations that seek to 
                        intentionally limit communication between 
                        health information technology users and an 
                        authorized certification body regarding the 
                        usability, interoperability, security, business 
                        practices, or other relevant information about 
                        the health information technology or users' 
                        experience with the health information 
                        technology; and
                            ``(iii) health information from such 
                        technology may be exchanged, accessed, and used 
                        through the use of application programming 
                        interfaces and other standards without special 
                        effort, as authorized under applicable law.
                    ``(D) Inspector general authority.--
                            ``(i) In general.--The Inspector General of 
                        the Department of Health and Human Services may 
                        investigate any claim that--
                                    ``(I) a vendor of, or other entity 
                                offering, certified health information 
                                technology--
                                            ``(aa) violated an 
                                        attestation made under 
                                        subparagraph (C); or
                                            ``(bb) engaged in 
                                        information blocking with 
                                        respect to the use of such 
                                        health information technology 
                                        by a health care provider, 
                                        unless for a legitimate purpose 
                                        specified by the Secretary;
                                    ``(II) a health care provider 
                                engaged in information blocking with 
                                respect to the use of certified health 
                                information technology, unless for a 
                                legitimate purpose specified by the 
                                Secretary;
                                    ``(III) a health information system 
                                provider engaged in information 
                                blocking with respect to the use of 
                                such certified health information 
                                technology, unless for a legitimate 
                                purpose specified by the Secretary.
                            ``(ii) Penalty.--Any person or entity 
                        determined by the Inspector General to have 
                        committed an act described in subclause (I), 
                        (II), or (III) of clause (i) shall be subject 
                        to a civil monetary penalty of not more than 
                        $10,000 for each such act. The provisions of 
                        section 1128A of the Social Security Act (other 
                        than subsections (a) and (b)) shall apply to a 
                        civil money penalty applied under this 
                        subsection in the same manner as such 
                        provisions apply to a civil money penalty or 
                        proceeding under section 1128A(a).''.

SEC. 4. HEALTH INFORMATION TECHNOLOGY RATING PROGRAM.

    Subtitle A of title XXX of the Public Health Service Act (42 U.S.C. 
300jj-11 et seq.) is amended by adding at the end the following:

``SEC. 3009A. HEALTH INFORMATION TECHNOLOGY RATING PROGRAM.

    ``(a) Establishment.--Not later than 180 days after the date of 
enactment of the TRUST IT Act, the Secretary shall recognize a 
development council made up of one representative from each of the 
accredited certifying bodies accredited by the Office and the testing 
laboratories accredited under section 13201(b) of the Health 
Information Technology for Economic and Clinical Health Act (42 U.S.C. 
17911(b)), and one representative from the Office of the National 
Coordinator, for the purpose of establishing a health information 
technology rating program to evaluate, based on the methodology 
established under subsection (d), the field performance of certified 
health information technology with regard to interoperability, 
usability, and security, in accordance with the following:
            ``(1) 1 star rating.--Certified health information 
        technology shall receive a 1 star rating if an authorized 
        certification body determines that the health information 
        technology is less than satisfactory.
            ``(2) 2 star rating.--Certified health information 
        technology shall receive a 2 star rating if the authorized 
        certification body determines that the health information 
        technology is satisfactory.
            ``(3) 3 star rating.--Certified health information 
        technology shall receive a 3 star rating if the authorized 
        certification body determines that the health information 
        technology is excellent.
    ``(b) Reporting Criteria.--
            ``(1) Not later than 1 year after the date of enactment of 
        the TRUST IT Act, the Secretary, in consultation with the 
        development council described in subsection (a), shall convene 
        stakeholders as described in paragraph (2) for the purpose of 
        developing the reporting criteria in accordance with paragraph 
        (3).
            ``(2) Development of reporting criteria.--The reporting 
        criteria under this subsection shall be developed through a 
        public, transparent process that reflects input from relevant 
        stakeholders, including--
                    ``(A) primary care and specialty care health care 
                professionals;
                    ``(B) hospitals;
                    ``(C) health information technology vendors;
                    ``(D) advocates for patients or consumers;
                    ``(E) data sharing networks, such as health 
                information exchanges;
                    ``(F) authorized certification bodies and testing 
                laboratories;
                    ``(G) security experts; and
                    ``(H) other entities or persons, as the Secretary, 
                in consultation with the development council, 
                determines appropriate.
            ``(3) Considerations for reporting criteria.--The reporting 
        criteria developed under this subsection--
                    ``(A) may include measures that reflect categories 
                including, with respect to the technology--
                            ``(i) security;
                            ``(ii) usability and user-centered design;
                            ``(iii) interoperability;
                            ``(iv) conformance to certification 
                        testing; and
                            ``(v) other categories as appropriate to 
                        measure the performance of health information 
                        technology;
                    ``(B) may include measures such as--
                            ``(i) enabling the user to order and view 
                        the results of laboratory tests, imaging tests, 
                        and other diagnostic tests;
                            ``(ii) submitting, editing, and retrieving 
                        data from registries for quality of care, such 
                        as physician registries;
                            ``(iii) accessing and exchanging 
                        information and data from medical devices;
                            ``(iv) accessing and exchanging information 
                        and data held by Federal, State, and local 
                        agencies and other applicable entities useful 
                        to a health care provider or other applicable 
                        user in the furtherance of patient care;
                            ``(v) accessing and exchanging information 
                        from other health care providers or applicable 
                        users;
                            ``(vi) accessing and exchanging patient 
                        generated information;
                            ``(vii) providing the patient with a 
                        complete copy of their electronic record in a 
                        computable format; and
                            ``(viii) other appropriate functionalities; 
                        and
                    ``(C) shall be designed to ensure that small and 
                start up vendors of health information technology are 
                not unduly disadvantaged by the reporting criteria or 
                rating scale methodology.
            ``(4) Public comment.--The Secretary shall conduct a 60-day 
        public comment period during which any member of the public may 
        provide comments on the proposed reporting criteria and the 
        methodology for authorized certification bodies to use in 
        determining the star ratings. The Secretary shall provide 
        timely responses to such comments before issuing a final rule.
            ``(5) Modifications.--After the reporting criteria have 
        been established, the Secretary, in consultation with the 
        development council, may convene stakeholders and conduct a 
        public reporting period for the purpose of modifying the 
        reporting criteria developed in this subsection and methodology 
        for determining the star ratings proposed under subsection (d).
            ``(6) Consideration of development council 
        recommendations.--In promulgating final rules under this 
        subsection, including modifications to such rules under 
        paragraph (5), the Secretary may accept or reject the 
        recommendations of the development council, but may not 
        promulgate a rule that does not represent a complete 
        recommendation of such council.
    ``(c) Collection of Feedback.--The Secretary, in consultation with 
the development council, shall establish a process for authorized 
certification bodies to collect and verify confidential feedback from--
            ``(1) health care providers, patients, and other users of 
        health information technology on the usability, security, and 
        interoperability of health information technology products; and
            ``(2) vendors or other entities offering health information 
        technology on practices of health information technology users 
        that may inhibit interoperability.
    ``(d) Methodology.--The Secretary, in consultation with the 
development council, shall develop a methodology for authorized 
certification bodies to use to calculate the star ratings for certified 
health information technology described in subsection (a). The 
methodology shall use the reporting criteria developed in subsection 
(b) and confidential feedback collected under subsection (c).
    ``(e) Participation.--Each vendor of, or entity offering, health 
information technology that is certified under section 3001(c)(5) of 
the Public Health Service Act after the date of enactment of the TRUST 
IT Act shall report on the criteria developed under subsection (b) on 
the date that is 2 years after such certification and every 2 years 
thereafter.
    ``(f) One Star Rating.--Each vendor of, or entity offering, health 
information technology that receives a 1 star rating shall take action, 
through a corrective action plan developed with the authorized 
certification body and approved by the Secretary, to improve the health 
information technology rating within a timeframe that the Secretary 
determines appropriate.
    ``(g) Enforcement Authorities.--
            ``(1) In general.--The Secretary may assess fines on any 
        vendor of, or entity offering, certified health information 
        technology and decertify health information technology in 
        accordance with paragraphs (2) and (3).
            ``(2) Fines.--
                    ``(A) In general.--The Secretary may assess fines 
                against such a vendor or entity if the vendor or 
                entity--
                            ``(i) does not meet the requirements of the 
                        corrective action plan described in subsection 
                        (f);
                            ``(ii) does not improve from a one star 
                        rating in accordance with subsection (f); or
                            ``(iii) does not report on criteria in 
                        accordance with subsection (e).
                    ``(B) Fine amounts.--Not later than 1 year after 
                the date of enactment of the TRUST IT Act, the 
                Secretary shall establish fine amounts for violations 
                of clauses (i), (ii), and (iii) of subparagraph (A). In 
                setting such amounts, the Secretary shall consider the 
                amounts necessary to reimburse, in part or in full, the 
                users of decertified health information technology for 
                the amounts invested in purchasing new certified health 
                information technology, as applicable.
            ``(3) Decertification.--The Secretary may decertify health 
        information technology if--
                    ``(A) the health information technology does not 
                improve from a one star rating within the timeframe 
                established under subsection (f);
                    ``(B) does not report on criteria in accordance 
                with subsection (b); or
                    ``(C) in other circumstances, as the Secretary 
                determines appropriate.
    ``(h) GAO Reports.--The Comptroller General of the United States 
shall submit to Congress a report every 4 years on the rating scale 
methodology developed pursuant to subsection (b), providing 
observations on the appropriateness of the current methodology and 
recommendations for changes to the methodology.
    ``(i) Internet Website.--The Secretary shall publish the star 
rating for each certified health information technology and methodology 
to determine the star rating on the Internet website of the Office of 
the National Coordinator. Following the biannual reporting described in 
subsection (e), authorized certified bodies shall have 30 days to 
calculate and submit updated ratings to the Secretary, and updated 
ratings shall be published on such Internet website not later than 30 
days following such submission.
    ``(j) User Compensation Fund.--The Secretary shall establish a 
revolving user compensation fund in which amounts collected under 
subsection (g)(2) shall be directed and used to assist users of health 
information technology that are decertified under subsection (g)(3) to 
reimburse users for the costs of purchasing new certified health 
information technology products.
    ``(k) Hardship Exemption.--The Secretary shall, on a case-by-case 
basis, exempt an eligible professional, eligible hospital, or critical 
access hospital from the application of the payment adjustment under 
the Meaningful Use of Certified EHR Technology program under sections 
1848(a)(7)(A), 1886(b)(3)(B)(ix)(I), and 1814(l)(4), respectively, of 
the Social Security Act for 1 year if the eligible professional, 
eligible hospital, or critical access hospital uses health information 
technology that becomes decertified under subsection (g)(3), to help 
such eligible professional, eligible hospital, or critical access 
hospital transition to a new certified electronic health record 
technology.
    ``(l) Appeals.--The Secretary shall establish a process whereby any 
vendor of, or entity offering, health information technology can 
appeal--
            ``(1) the health information technology product's star 
        rating; or
            ``(2) the Secretary's decision to decertify a product, as 
        applicable.''.

SEC. 5. UPDATING INFORMATION ON ACCESSING PERSONAL HEALTH INFORMATION.

    Subtitle A of title XXX of the Public Health Service Act (42 U.S.C. 
300jj-11 et seq.), as amended by section 4, is further amended by 
adding at the end the following:

``SEC. 3009B. UPDATING INFORMATION ON ACCESSING PERSONAL HEALTH 
              INFORMATION.

    ``The National Coordinator, in consultation with the Director of 
the Office of Civil Rights, shall, as appropriate, update the Internet 
website of the Office with information to assist individuals in 
understanding their rights to access and protect their personal health 
information under the Health Insurance Portability and Accountability 
Act of 1996 (Public Law 104-191), including best practices for 
requesting their personal health information in a computable format and 
using patient portals, among other information.''.