b'<html>\n<title> - OPPORTUNITIES AND CHALLENGES IN ADVANCING HEALTH INFORMATION TECHNOLOGY</title>\n<body><pre>[House Hearing, 114 Congress]\n[From the U.S. Government Publishing Office]\n\n\nOPPORTUNITIES AND CHALLENGES IN ADVANCING HEALTH INFORMATION TECHNOLOGY\n\n=======================================================================\n\n                             JOINT HEARING\n\n                               BEFORE THE\n\n                            SUBCOMMITTEE ON\n                         INFORMATION TECHNOLOGY\n\n                                AND THE\n\n                      SUBCOMMITTEE ON HEALTH CARE,\n                   BENEFITS AND ADMINISTRATIVE RULES\n\n                                 OF THE\n\n                         COMMITTEE ON OVERSIGHT\n                         AND GOVERNMENT REFORM\n                        HOUSE OF REPRESENTATIVES\n\n                    ONE HUNDRED FOURTEENTH CONGRESS\n\n                             SECOND SESSION\n\n                               __________\n\n                             MARCH 22, 2016\n\n                               __________\n\n                           Serial No. 114-109\n\n                               __________\n\nPrinted for the use of the Committee on Oversight and Government Reform\n\n\n\n[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]\n\n\n         Available via the World Wide Web: http://www.fdsys.gov\n                      http://www.house.gov/reform\n                      \n                      \n                    U.S. GOVERNMENT PUBLISHING OFFICE\n23-444 PDF                  WASHINGTON : 2017                    \n_______________________________________________________________________________________\nFor sale by the Superintendent of Documents, U.S. Government Publishing Office, \nhttp://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,\nU.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). \nE-mail, <a href="/cdn-cgi/l/email-protection" class="__cf_email__" data-cfemail="9ff8eff0dffceaecebf7faf3efb1fcf0f2b1">[email&#160;protected]</a>  \n              \n              \n              \n              \n              \n              COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM\n\n                     JASON CHAFFETZ, Utah, Chairman\nJOHN L. MICA, Florida                ELIJAH E. CUMMINGS, Maryland, \nMICHAEL R. TURNER, Ohio                  Ranking Minority Member\nJOHN J. DUNCAN, Jr., Tennessee       CAROLYN B. MALONEY, New York\nJIM JORDAN, Ohio                     ELEANOR HOLMES NORTON, District of \nTIM WALBERG, Michigan                    Columbia\nJUSTIN AMASH, Michigan               WM. LACY CLAY, Missouri\nPAUL A. GOSAR, Arizona               STEPHEN F. LYNCH, Massachusetts\nSCOTT DesJARLAIS, Tennessee          JIM COOPER, Tennessee\nTREY GOWDY, South Carolina           GERALD E. CONNOLLY, Virginia\nBLAKE FARENTHOLD, Texas              MATT CARTWRIGHT, Pennsylvania\nCYNTHIA M. LUMMIS, Wyoming           TAMMY DUCKWORTH, Illinois\nTHOMAS MASSIE, Kentucky              ROBIN L. KELLY, Illinois\nMARK MEADOWS, North Carolina         BRENDA L. LAWRENCE, Michigan\nRON DeSANTIS, Florida                TED LIEU, California\nMICK, MULVANEY, South Carolina       BONNIE WATSON COLEMAN, New Jersey\nKEN BUCK, Colorado                   STACEY E. PLASKETT, Virgin Islands\nMARK WALKER, North Carolina          MARK DeSAULNIER, California\nROD BLUM, Iowa                       BRENDAN F. BOYLE, Pennsylvania\nJODY B. HICE, Georgia                PETER WELCH, Vermont\nSTEVE RUSSELL, Oklahoma              MICHELLE LUJAN GRISHAM, New Mexico\nEARL L. ``BUDDY\'\' CARTER, Georgia\nGLENN GROTHMAN, Wisconsin\nWILL HURD, Texas\nGARY J. PALMER, Alabama\n\n                   Jennifer Hemingway, Staff Director\n                 David Rapallo, Minority Staff Director\n   Troy Stock, Subcommittee on Information Technology Staff Director\n                       Christina Hinkle, Counsel\n                           Willie Marx, Clerk\n                 Subcommittee on Information Technology\n\n                       WILL HURD, Texas, Chairman\nBLAKE FARENTHOLD, Texas, Vice Chair  ROBIN L. KELLY, Illinois, Ranking \nMARK WALKER, North Carolina              Member\nROD BLUM, Iowa                       GERALD E. CONNOLLY, Virginia\nPAUL A. GOSAR, Arizona               TAMMY DUCKWORTH, Illinois\n                                     TED LIEU, California\n                                 \n                                 \n                            ----------                              \n\n     Subcommittee on Health Care, Benefits and Administrative Rules\n\n                       JIM JORDAN, Ohio, Chairman\nTIM WALBERG, Michigan                MATT CARTWRIGHT, Pennsylvania, \nSCOTT DesJARLAIS, Tennessee              Ranking Member\nTREY GOWDY, South Carolina           ELEANOR HOLMES NORTON, Distict of \nCYNTHIA M. LUMMIS, Wyoming               Columbia\nMARK MEADOWS, North Carolina         BONNIE WATSON COLEMAN, New Jersey\nRON DeSANTIS, Florida                MARK DeSAULNIER, California\nMICK MULVANEY, South Carolina, Vice  BRENDAN F. BOYLE, Pennsylvania\n    Chair                            JIM COOPER, Tennessee\nMARK WALKER, North Carolina          MICHELLE LUJAN GRISHAM, New Mexico\nJODY B, HICE, Georgia                Vacancy\nEARL L. ``BUDDY\'\' CARTER, Georgia\n                            \n                            \n                            \n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\nHearing held on March 22, 2016...................................     1\n\n                               WITNESSES\n\nKaren DeSalvo, M.D., National Coordinator for Health Information \n  Technology, U.S. Department of Health and Human Services\n    Oral Statement...............................................     5\n    Written Statement............................................     8\nMs. Jessica Rich, Director, Bureau of Consumer Protection, U.S. \n  Federal Trade Commission\n    Oral Statement...............................................    13\n    Written Statement............................................    15\nMr. Matthew Quinn, Federal Managing Director, Intel Healthcare \n  and Life Sciences\n    Oral Statement...............................................    24\n    Written Statement............................................    27\nMr. Neil DeCrescenzo, Member, Executive Committee, Healthcare \n  Leadership Council\n    Oral Statement...............................................    44\n    Written Statement............................................    46\nMr. Mark Savage, Director of Health IT Policy and Programs, \n  National Partnership for Women and Families\n    Oral Statement...............................................   126\n    Written Statement............................................   128\n\n                                APPENDIX\n\nAn April 1, 2016 letter from the National Partnership for Women & \n  Families to Chairman Will Hurd, Chairman Jim Jordan, Ranking \n  Member Robin Kelly, and Ranking Member Matthew Cartwright, \n  Entered by Chairman Will Hurd..................................   152\n\nA December 2014 report from the National Partnership for Women & \n  Families titled, ``Engaging Patients and Families: How \n  Consumers Value and Use Health IT\'\', Entered by Representative \n  Matt Cartwright. A copy of the report can be found online here: \n  http//www.nationalpartnership.org/research-library/health-care/\n  HIT/engaging-patients-and-families.pdf\n\n \nOPPORTUNITIES AND CHALLENGES IN ADVANCING HEALTH INFORMATION TECHNOLOGY\n\n                              ----------                              \n\n\n                        Tuesday, March 22, 2016\n\n                  House of Representatives,\nSubcommittee on Information Technology, joint with \n    the Subcommittee on Health Care, Benefits, and \n                              Administrative Rules,\n              Committee on Oversight and Government Reform,\n                                                   Washington, D.C.\n    The subcommittees met, pursuant to call, at 2:06 p.m., in \nRoom 2154, Rayburn House Office Building, Hon. William Hurd \n[chairman of the Subcommittee on Information Technology] \npresiding.\n    Present from Subcommittee on Information Technology: \nRepresentatives Hurd, Walker, Blum, Connolly, and Lieu.\n    Present from Subcommittee on Health Care, Benefits, and \nAdministrative Rules: Representatives Walberg, Gowdy, DeSantis, \nDeSaulnier, Cartwright, and Lujan Grisham.\n    Mr. Hurd. The Subcommittee on Information Technology and \nthe Subcommittee on Health Care, Benefits, and Administrative \nRules will come to order. Without objection, the chair is \nauthorized to declare a recess at any time.\n    We are expecting votes fairly soon, so I am hoping we can \nget through opening remarks, go do our vote series, and come \nback and finish the hearing.\n    Good afternoon. I appreciate your being here today. You all \nknow that heart disease is a leading cause of death in the \nUnited States, according to the CDC. More than 600,000 \nAmericans die from heart disease each year.\n    The American Medical Association recommends walking as the \nsimplest positive change you can make to improve your heart \nhealth. Walking 30 minutes day, or around 10,000 steps, lowers \nblood pressure, improves movement and mobility, and increases \nenergy. Simply increasing the number of steps you take per day \ncan significantly reduce your risk of coronary heart disease \nand stroke.\n    Many of you could glance right now at your smart phones, \nwearables, or other devices and report your number of steps and \ncalories burned for the same period of time. For most of us, I \nwill bet that number is probably higher than before we had the \napp or device and we were tracking our steps.\n    It would not be an extreme exaggeration to say that the \nproliferation of wearable devices and smart phone apps that \ntrack steps and the accompanying increases in the number of \nsteps some people are taking on a daily basis has saved lives.\n    This is just one example of the benefits technology has \nbrought to health and health care, and we have barely scratched \nthe surface. We are on the cusp of being able to use technology \nto truly revolutionize health care and health care delivery.\n    Leveraging the power of the cloud will enable us to move \nmore health care tasks online, including consultations and data \nstorage and retrieval.\n    Sensors will make it easier for people to take care of \nthemselves before they get sick. Constituents in rural parts of \nTexas 23rd, my district, will be able to speak directly with \ntheir primary care providers instead of commuting hours each \nway.\n    As more devices are connected and more data is generated, \nmedicine will become customized and personalized. Preventative \nmedicine and healthy living practices will increase, costs will \ndecline, and the prevalence of chronic diseases will decrease \nsubstantially.\n    But this will only happen if researchers, hospitals, \nentrepreneurs, regulators, health care professionals, patient \nadvocates, and lawmakers come together to update antiquated \nlaws and reform outdated institutions.\n    Right now, old and unclear privacy laws hinder \ninteroperability between health IT systems and devices. Right \nnow, the sheer number of Federal agencies, and often \nconflicting rules one must navigate to invest in the space, \nchills investment and entrepreneurship. And right now, a \nfragmented and bureaucratic system places the patient at the \nfringe of the process, rather than at the center.\n    In today\'s hearing, I hope to hear specifically what laws \nor regulations need to be changed or updated, and how they \nshould be changed or updated or abandoned.\n    Health IT is an exciting, innovative field, but to get this \nright, we must collaborate. We must destroy silos. I am \ncommitted to doing so. I know my friend and ranking member, Ms. \nKelly, and Ted Lieu are as well.\n    And I want to thank the witnesses for being here today, and \nI look forward to their testimony.\n    Now I would like to recognize Mr. Cartwright for his \nopening statement.\n    Mr. Cartwright. Thank you, Chairman Hurd. I would like to \nthank you both for calling this hearing so we can hear about \nhow the Federal Government and private industry are working \ntogether, and for your interest and efforts at creating the \nnext generation of health information technology.\n    I represent largely a rural district in northeastern \nPennsylvania, and I know quite well how health IT can bring \naffordable medical care to those who might not otherwise be \nable to receive it.\n    In fact, that is why I cosponsored the Medicare Telehealth \nParity Act of 2015, the 21st Century Cures Act, and also the \nTELE-MED Act. Bills like these help medical professionals \nprovide patients with the best health care available anywhere \nand at any time.\n    But even with the undeniable benefits technology brings, \npatient safety must remain our foremost consideration. \nTechnology brings opportunity, but it can also bring unforeseen \nchallenges, and I hope we can talk about that a little today.\n    As a career courtroom attorney, I have seen too many \nmedical malpractice lawsuits where carelessness caused injuries \nand death, and where doctors have made grave and avoidable \nmistakes. Too often these mistakes were due to failures in \ncommunication that left physicians and nurses without all of \nthe patient\'s information that they needed to complete proper \nassessment and treatment.\n    We worry that different computer system standards and \nmethods of tracking medical history often mean doctors, nurses, \nlab technicians, and others involved in the treatment process \ncannot get a complete understanding of the illness in front of \nthem and the treatment that is needed.\n    That is why it is so important that technologies like \nelectronic health records, which contain the complete medical \nand treatment history of a patient quickly and efficiently give \nproviders insight and a comprehensive view into what is going \non and all the facts of the case. Standardized, industry-\naccepted technologies can make that happen, in my view.\n    In the field of health IT, private industry has a critical \nrole in the process doing what it does best: drive innovation \nand keep America at the leading edge in medical technology.\n    The Federal Government also has a role to play, making sure \nthese new technologies meet health care needs without \ncompromising patient safety.\n    I am looking forward to today\'s hearing, to the testimony \nof all of you. I am glad that industry and government are \nworking together to bring about the kinds of technological \nadvances that will improve health care in this country, make it \nsafer, and make it more available to people in all corners and \nall pockets of this Nation.\n    I thank you again, Chairman Hurd, and I yield back.\n    Mr. Hurd. Thank you.\n    I am going to hold the record open for 5 legislative days \nfor any members who would like to submit a written statement.\n    Ranking Member Lieu is here, and if he is ready, we will \nhave him give his opening remarks.\n    Mr. Lieu from California is recognized for 5 minutes.\n    Mr. Lieu. Thank you, Mr. Chairman.\n    Thank you to the witnesses who will be presenting today.\n    Today, we are here to learn more about how to make the \nprimary health technology laws work smarter and better. Laws \nand regulations should be there to protect the public, but done \nincorrectly, they can hinder innovation, and the same holds \ntrue in the health IT space.\n    The Health Insurance Portability and Accountability Act, \nHIPAA, contains provisions to create universal electronic \nmedical records and protect patient privacy. The Health \nInformation Technology for Economic and Clinical Health, \nHITECH, contains provisions to protect consumer privacy and \ngive notice in case of data breach. The Affordable Care Act \nalso contains provisions to improve the quality and efficiency \nof patient care with EHRs.\n    However, these laws and regulations were enacted before key \ntechnological advances that we now take for granted. HIPAA was \npassed in 1996 before broad adoption of the mobile revolution. \nHITECH was passed in 2009, before much of cloud computing \nexisted.\n    Some might suggest that rolling back regulations is the \nanswer. While I agree that government regulation is not as \nnimble as technology, we still need some combination of \nregulations and enforceable guidance to protect the public.\n    For instance, last month, the IT system at Hollywood \nPresbyterian Hospital in Southern California was held hostage \nby ransomware denying patients and providers access to their \nmedical records. The HITECH law has cybersecurity requirements \nthat require notifications for data breaches, but the law says \nnothing about notification for data that was frozen or held \nhostage where it is stored.\n    I note that today the press reports that two more hospitals \nin Southern California were hit with malware attacks.\n    Technology is moving very quickly. Telemedicine and text \nmessaging and mobile smart phone exposure requires that HHS and \nFTC keep up with technology changes, update guidance reliably, \nand keep rules and regulations flexible to encourage \ninnovation.\n    Regulation done wrong or too little regulation makes it \ndifficult to protect the public and ensure that data flows \nfreely. Regulation done right spurs innovation and improves \nquality of care and protects the public.\n    I look forward to hearing from the witnesses today about \nwhat we can do to encourage innovation and cooperation, and \ncontinue to bring government health care into a more modern era \nof service.\n    With that, I yield back.\n    Mr. Hurd. Thank you, Mr. Lieu.\n    If Chairman Jordan joins us and is interested in giving \nopening remarks, we will let him do that as he arrives.\n    Again, I would like to thank the witnesses. I would like to \nrecognize you all now. I am pleased to welcome Dr. Karen \nDeSalvo, national coordinator for health information technology \nat the U.S. Department of Health and Human Services. Thank you \nfor being here. Ms. Jessica Rich, director of the Bureau of \nConsumer Protection at the U.S. at the Federal Trade \nCommission; Mr. Matthew Quinn, Federal managing director at \nIntel Healthcare and Life Sciences; Mr. Neil DeCrescenzo, \nmember of the executive committee at the Healthcare Leadership \nCouncil; and Mr. Mark Savage, director of health IT policy and \nprograms at the National Partnership for Women and Families.\n    Welcome to you all. Pursuant to committee rules, all \nwitnesses will be sworn in before you testify.\n    Please rise and raise your right hands.\n    Do you solemnly swear or affirm that the testimony you are \nabout to give will be the truth, the whole truth, and nothing \nbut the truth?\n    Thank you. Please be seated.\n    Let the record reflect that the witnesses answered in the \naffirmative.\n    In order to allow time for discussion, please limit your \ntestimony to 5 minutes. Your entire written statement will be \npart of the record.\n    We are going to go through as many opening remarks as we \ncan before we get called to votes. If the bells go off while \nyou are in your remarks, go ahead and continue. We will finish \nafter your remarks.\n    Now I would like to recognize Ms. DeSalvo for your opening \nremarks.\n\n                       WITNESS STATEMENTS\n\n                STATEMENT OF KAREN DeSALVO, M.D.\n\n    Dr. DeSalvo. Thank you, Chairman Hurd, and Ranking Members \nLieu and Cartwright, and distinguished members of the \nsubcommittees. Thank you all for the opportunity to appear here \ntoday.\n    I am Dr. Karen DeSalvo, and I have the honor of serving as \nthe national coordinator for health information technology at \nthe U.S. Department of Health and Human Services for the past 2 \nyears. I\'m proud to be here today representing the remarkable \nteam at the Office of National Coordinator and share with you \nthe current State of health information technology in our \nNation and how we are working with others to see that these \nsystems realize their full potential.\n    The Office of the National Coordinator for Health \nInformation Technology has a strong, bipartisan history. It was \nestablished in 2004 by executive order and charged with the \nmission of giving every American access to their electronic \nhealth information. In 2009, it was statutorily established by \nthe Health Information Technology for Economic and Clinical \nHealth Act, or HITECH, which provided the resources and \ninfrastructure needed to foster the rapid nationwide adoption \nand use of health IT.\n    In the 7 years since HITECH was enacted, we have seen \ndramatic progress. Today, nearly all hospitals and more than \nthree-quarters of physicians report using a certified \nelectronic health record. This tripling in rates of adoption \nputs us as a Nation well ahead of our peer countries, giving us \na significant competitive advantage in health care innovation \nand scientific advancement. And it is working in so many \ncommunities across this country.\n    But I also note that we haven\'t realized the full potential \nof health IT for every person in this country.\n    And this is not just an abstract policy idea to me. It is \npersonal. It is why I came to ONC 2 years ago, because I knew \nas a doctor the promise of health IT, of having information \navailable for me when I was on call in the evening not at the \nhospital, such a leap from the days in the early 1990s when I \nwas a medical school student at Charity Hospital and had to \nphysically go up to a lab and pull a lab slip with handwritten \nresults from a wooden box, so that I would understand more \nabout my patients and how to care for them.\n    Today, that is all available electronically to me and other \ndoctors, and not just to us but to our patients, to really see \nthat they can be empowered and have the information they need \nto self-care. It is a rapid and remarkable transformation in a \nvery short period of time. But the pace has come with \nchallenges.\n    Like others, I have been frustrated by the lack of \ninteroperability, by the usability of the systems, and by how \nhard it can be to select the right system to buy. I hear about \nthese challenges from my colleagues whether at listening \nsessions but also from consumers and other stakeholders.\n    We all want to move ahead with technology, but we want it \nto work better. That is what I came to Washington to do.\n    Since I\'ve been the national coordinator, we have been \nfocused on fixing those challenges in an urgent fashion to meet \nthe expectations of the people that I serve, the American \npeople. ONC does this in a variety of ways.\n    For example, we can leverage our electronic health record \ncertification program. We also serve as a coordinator across \nthe Federal Government to see that agencies have shared policy \nand technology approaches and will send clear signals to the \nprivate sector.\n    We have also worked with the private sector on setting a \nclear path ahead for our nationwide interoperability. This \nroadmap that we produced last year lays out who should do what \nby when to achieve interoperability in the near term to see \nthat electronic health information is available when and where \nit matters to consumers and clinicians.\n    ONC and others have been meeting our deliverables from this \nplan and are advancing drivers of interoperability like payment \nreform, publishing clear standards, working with States and \nothers on harmonizing privacy and security expectations. The \nplan has been publicly endorsed by our Federal partners, by the \nprivate sector, and we have been so pleased with everyone\'s \nwillingness to step up and lead where appropriate, to see that \nwe can innovate and accelerate interoperability. Indeed, \nworking with the private sector is how ONC operates.\n    As another example, we recently convened stakeholders to \nask them to make a series of commitments to ensure that \nelectronic health information works better for patients and \nproviders. It is a really tremendous opportunity for the \nprivate sector to lead.\n    So last month, we were able to announce that companies that \nprovide electronic health records for 90 percent of hospitals \nin this country, and health care systems with facilities in 46 \nStates, including the States for all the members of these two \nsubcommittees, and over a dozen professional associations and \nstakeholder groups like the AMA and the American Hospital \nAssociation, all have agreed to implement three commitments \nthat will help make sure health information flows.\n    The commitments are that consumers will have access to \ntheir electronic health information, that entities will not \nengage in health information-blocking, and that we will move to \nfederally recognized national standards so that all these \ndifferent systems will speak the same language.\n    ONC and our partners in the Federal space and the private \nsector are working together each and every day to see that we \ncan move this future vision to an immediate reality. And \nCongress has been one of the great partners in health IT, and I \nlook forward to continuing to work with you all to realize the \nfull potential of health IT for this country.\n    Thank you for having me here today, and I look forward to \nyour questions.\n    [Prepared statement of Dr. DeSalvo follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Hurd. Thank you, Dr. DeSalvo.\n    Now, Ms. Rich, you are recognized for 5 minutes.\n\n                   STATEMENT OF JESSICA RICH\n\n    Ms. Rich. Chairman Hurd, Ranking Members Lieu and \nCartwright, and members of the subcommittees, I am Jessica \nRich, director of the Bureau of Consumer Protection at the \nFederal Trade Commission. I appreciate this opportunity to \npresent the commission\'s testimony.\n    Consumers are increasingly taking an active role in \nmanaging their health data, and there has been an explosion of \nnew products and services to help them. These range from \nwearable fitness devices like Fitbit or Jawbone, to dieting \napps like My Fitness Pal and Calorie Counter, and to Web sites \nlike WebMD where consumers can get health advice and \ninformation.\n    These products and services offer enormous benefits to \nconsumers, but they raise privacy and security concerns, too. \nWho has access to all of this data? And is it being stored \nsecurely?\n    Much of this activity now happens outside of the doctor\'s \noffice and other traditional health care contexts. As a result, \nit is not protected under HIPAA, which only applies to health \ndata held or generated by covered entities, such as health care \nproviders and health plans. In most instances, however, this \nactivity is covered by the Federal Trade Commission Act, which \nprohibits unfair or deceptive practices across the marketplace, \nincluding in the area of health privacy.\n    As the primary Federal agency charged with protecting \nconsumer privacy, the FTC has made it a priority to protect \nconsumer-sensitive health information. Our efforts include \ncivil law enforcement, policy initiatives, and consumer and \nbusiness education.\n    Three recent FTC cases illustrate the challenges we face in \nprotecting consumer health data and how the FTC is addressing \nthem.\n    PaymentsMD is a medical billing company that offered an \nonline portal where consumers could pay their bills. The FTC \ncharged that the company misled thousands of consumers who \nsigned up by failing to tell them that it would also seek their \nhighly detailed medical data from pharmacies, medical labs, and \ninsurance companies.\n    Henry Schein provided office equipment software for dental \npractices. We charged this company with misrepresenting to \nclients that its software provided industry-standard encryption \nof sensitive patient information as required by HIPAA. In fact, \nwe alleged the software used a weaker method of data masking \nthat didn\'t meet HIPAA standards.\n    A third example is our settlement with GMR, a medical \ntranscription service. We charged that GMR assured its clients \nthat its services were secure but outsourced them to a third-\nparty service provider without adequately checking its security \nmeasures. As a result, consumers found doctors\' notes of their \nphysical examinations freely available on the Internet.\n    Besides enforcement, the commission engages in policy \ninitiatives to encourage stronger protection for health \ninformation. Last year, we hosted a public workshop on consumer \nhealth data to examine the products and services consumers are \nusing to generate and control their data and how this data is \nprotected.\n    We also released a staff report on the Internet of Things, \nwhich, among other topics, examined the privacy and security \nissues raised by connected medical devices and health and \nfitness products. Of greatest concern, panelists discussed the \nunique risks if health devices like pacemakers and insulin \npumps are not secure and are vulnerable to hackers.\n    Finally, the commission promotes stronger data protections \nthrough consumer education and business guidance. For example, \nour new IdentityTheft.gov Web site provides customized advice \nto consumers who have been victims of medical identity theft.\n    And last year, the FTC launched its Start with Security \ncampaign to educate small businesses around the country about \nhow to develop an effective data security program.\n    In addition, working with HHS and with FDA, the FTC is \ncurrently developing business guidance for health app \ndevelopers to help them understand which legal requirements \napply to them.\n    The FTC shares the subcommittees\' concerns about the need \nto protect the privacy and security of consumer health data. \nAlthough we now use a variety of tools to protect consumers in \nthis area, additional tools would enhance our ability to do so.\n    To this end, the commission reiterates its longstanding \nbipartisan call for Federal data security and breach \nlegislation that would allow us to seek civil penalties to \ndeter unlawful conduct and give us jurisdiction over nonprofit \nentities.\n    In closing, the FTC remains committed to protecting \nconsumer health data and looks forward to our continued work \nwith Congress on this critical issue. Thanks again for the \nopportunity to provide the commission\'s views today.\n    [Prepared statement of Ms. Rich follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Hurd. Thank you, Ms. Rich.\n    Mr. Quinn, you are recognized now for 5 minutes.\n\n                   STATEMENT OF MATTHEW QUINN\n\n    Mr. Quinn. Good afternoon, Chairman Hurd and other esteemed \nmembers of the House Oversight and Government Reform Committee. \nThank you for the opportunity to testify today on behalf of \nIntel Corporation.\n    In my written testimony, I provide some tangible examples \nof how Intel is working to make good on the promise of today\'s \nhealth technologies and to pave the way toward tomorrow\'s. \nToday, I would like to frame my comments in the context of \nrecent personal experiences.\n    Two Fridays ago, I received a call that no one wants. My \nsister in Ohio said that dad had just taken a bad fall. He had \njust left his doctor\'s office where he was in for a checkup \nafter a recent hospitalization.\n    Things had gone well, and they stopped by a favorite \nrestaurant for breakfast. As my dad climbed the curb, he became \nlightheaded, fell to the ground, and tumbled back into the \nparking lot. As we soon found out, he broke his clavicle, \npelvis, and deeply cut his elbow.\n    To say that my dad is a complex patient would be an \nunderstatement. He is the poster child for needing all of his \nproviders and caregivers to be on the same sheet of music and \nhave the whole picture of his health and health care.\n    Let\'s begin by thinking of the constellation of my dad\'s \nhealth data. Most familiar are the clinical and claims data \ncaptured at clinics, hospitals, and the like. Secondly, there \nis diagnostic data captured by medical devices and imaging. \nAdding to this is consumer-generated data. And finally, there \nis \'omics, vast amounts of information in his genome.\n    Personal precision medicine in the 21st century will need \nto make sense of all of this.\n    The U.S. has made great strides to ensure that each person \nhas an electronic health record. Yet the goal of point-of-care \nand personal access to comprehensive health information has not \nyet been achieved.\n    There are three recurring barriers that often limit data-\nsharing. First, medical institutions using privacy and security \npolicies and laws like HIPAA as excuses for why they can\'t \nshare; next, medical professionals lacking easy, affordable \ntools to share data, especially because vendors fail to use or \nconsistently implement standards; and finally, payment reforms \nthat don\'t reimburse for new care models like telehealth.\n    Back to my dad\'s experience, when he arrived at the ER, the \nsame hospital where he had received his most recent treatment, \nthey pieced together his health history, partly from the EHR \nand partly from my parents.\n    I fear that if he was brought to a different hospital, it \nwould\'ve been basically starting from scratch. There exists a \nlocal health information exchange, but evidently, this hospital \nand my dad\'s nephrologist don\'t participate. My mom is our de \nfacto health information exchange.\n    My dad would definitely enjoy the kind of secure, \nstandards-based data-sharing that Intel\'s own Connected Care \nprogram makes available for over 33,000 of its employees. As we \nhave shown, it is all quite possible today, just not as \nwidespread as it could be.\n    We need to think about interoperability in much broader \nterms than merely exchange of electronic health record data. \nThat will change as the Internet of Things takes hold and we \nconnect smart devices to the Internet in ways that generate \ndata that can be turned into valuable insights.\n    How would this affect my dad? Well, first of all, it would \nallow him to get some sleep. Because the devices monitoring him \nin the ICU don\'t talk to each other and his vitals tend to \nbounce around, there are endless, nearly always false alarms.\n    What if devices even from different vendors could talk to \neach other? Innovators could create smart alarms from the new \ncombined data streams and save countless hours of nursing time, \ncountless lives, and just let my dad sleep. The data from all \nthe medical devices could automatically feed the EHR, millions \nmore nursing hours saved.\n    But let\'s think bigger. What if when my dad was discharged \nthat he was outfitted with sensors or an app that constantly \ndetected whether his gait was making him prone to falls? Or \nwhat if instead of having to drive across town to visit his \ndoctor, he could do so from his home via telemedicine, and his \nblood and vitals could be automatically analyzed via his home \ndialysis unit? What if his caregivers could track his progress \nin getting back up on his feet as he rehabs?\n    I think we have come up with a half-dozen ideas for new \nbusinesses, but all of this relies on there being a solid \nfoundation for the Internet of Things to blossom: security from \nthe sensor to the cloud; connectivity, allowing devices to \ncommunicate their status to the system; data normalization to \nallow devices to speak the same language; and actionable \nanalytics.\n    So to close, how do we believe Congress can help seize the \nopportunities and overcome the challenges?\n    First, sustain momentum toward standards and \ninteroperability for today and for tomorrow. As Intel\'s \nConnected Care program demonstrates, a rigorous standard-based \napproach enables quicker and more rapid efficient deployments \ntoday. And to rapidly move forward toward the Internet of \nThings, Intel invites active Federal participation in industry-\nled initiatives such as the IIC, OCF, ICE alliance, and \nContinua.\n    Second, encourage patient engagement by removing obstacles \nfor patients to access and share their data. Intel invites \npolicymakers to partner with industry to pursue a standardized, \nmachine-readable consent form to allow patients to easily \ndonate their data to ongoing research.\n    And last but not least, continue to push towards value-\nbased care. We support the HHS goal to move half of care to \nalternative payment models by 2018. When incentives are aligned \nto value-based care, the demand for information-sharing goes \nup. Congress can further drive innovation by providing \nreimbursement for remote patient monitoring and other promising \ntechnologies.\n    Thank you, and I look forward to your questions.\n    [Prepared statement of Mr. Quinn follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Hurd. Mr. Quinn, I appreciate your opening remarks.\n    Now Mr. DeCrescenzo is recognized for 5 minutes.\n\n                 STATEMENT OF NEIL DeCRESCENZO\n\n    Mr. DeCrescenzo. Thank you. Mr. Chairman, members of the \ncommittee, it is a privilege to be here today.\n    My name is Neil DeCrescenzo. I am the president and CEO of \nChange Healthcare. Perhaps our name says it all.\n    Change Healthcare is headquartered in Nashville, Tennessee, \nprovides its services in all 50 States, and has over 50 offices \nnationwide. We are a leading provider of software and \nanalytics, network solutions, and technology-enabled services \nthat optimize communications, payments, actionable insights \nthat enable smarter health care.\n    By leveraging our Intelligent Healthcare Network, which is \none of the largest financial and administrative networks in the \nUnited States health care system, payers, providers, and \npharmacies are able to more effectively manage complex \nworkflows that support value-based health care.\n    While I am proud to represent the nearly 7,000 people of \nChange Healthcare, I am testifying today in my role as a member \nof the executive committee of the Healthcare Leadership \nCouncil, a coalition of leading companies and organizations \nfrom virtually every sector of American health care. In that \nrole, I would like to share a few thoughts on the role and \ncapability of health information technology to transform our \nNation\'s health care system for the better.\n    As increasingly is the case in most fields, health care \nimprovement today is driven by data. If our health care system \nis not improving at the pace any of us would like, this is in \nlarge part due to barriers standing in the way of access to \ndata, the ability to share information, and the utility of this \ninformation for consumers, providers, payers across the health \ncare continuum.\n    Our HLC member companies know from firsthand experience \nthat data interoperability can strengthen care coordination, \nenabling providers, payers, pharmacists, laboratories, and \nothers, to be on the same page when treating a patient. It can \nboost progress toward an outcome-driven, value-based payment \nsystem to replace the outdated and inefficient fee-for-service \nstatus quo while also improving our quality measurement \ncapabilities.\n    With interoperability and access to clinical and claims \ndata, we can accelerate medical research and give hospitals and \nphysician offices real-time access to comparative effectiveness \nfindings. An interoperable system can improve care to rural and \nunderserved areas of the country through improved telehealth \nand remote patient monitoring. Wellness and prevention will \nalso be enhanced through the better use of patient-generated \ndata.\n    This future is promising, exciting, and imminently \nobtainable, once we address some of the obstacles standing in \nour way.\n    Last year, HLC, under the auspices of its National Dialogue \nfor Healthcare Innovation initiative, brought together leaders \nfrom over 70 organizations representing government, industry, \npatients, employers, and academia. There we built consensus on \nhow we can move closer to this desirable data-driven future.\n    Last month, we announced the consensus recommendations \nemerging from this effort, a number of which are relevant to \ntoday\'s discussion.\n    On data interoperability, we believe that a firm date of \nDecember 31, 2018, should be established by which health \ninformation is widely shared among electronic health record \nsystems nationwide. We have the capability to reach this goal \nin the near term, not a decade from now. Progress toward this \nnationwide data infrastructure should be driven by private \nsector innovation, with emphasis placed on secure data-sharing \nto protect patient privacy, common standards and governance, \nand a ban on data-blocking.\n    In addition, we believe that Congress and the \nadministration must address physician health referral laws and \nFederal anti-kickback statutes, as well as civil monetary \npenalty laws.\n    These fraud and abuse protections were built for a fee-for-\nservice world, but today, they often stand as barriers to the \nkind of collaboration and information-sharing that is essential \nfor value-based health care approaches and for improving \npatient care.\n    Another barrier to data-sharing is the multitude of diverse \nand often contradictory Federal and State laws regulating \nhealth information that exist alongside the Federal HIPAA \nregulations. We believe these national and State privacy laws \nand regulations should be harmonized to facilitate greater \ninformation-sharing for the benefit of patients while still \nprotecting their confidentiality.\n    Members of the committee, I would like to close by \napplauding you for conducting this hearing and your focus on \nthe issues that can genuinely transform and improve health care \nfor every American.\n    We can move faster. We can move more collaboratively across \nthe spectrum of U.S. health care. And we can help more \nAmericans maintain or improve their health better than we do \ntoday through data, information, and insights.\n    We look forward to working with you toward our shared \ngoals, and I will be happy to take your questions. Thank you.\n    [Prepared statement of Mr. DeCrescenzo follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Hurd. Thank you, sir.\n    Mr. Savage, you are recognized for 5 minutes.\n\n                    STATEMENT OF MARK SAVAGE\n\n    Mr. Savage. Good afternoon, Chairman Hurd, Ranking Members \nLieu and Cartwright, and distinguished committee members. Thank \nyou for the opportunity to testify today.\n    I am Mark Savage, director of health IT at the National \nPartnership for Women and Families, a nonprofit, nonpartisan \norganization that for 45 years has worked to improve the lives \nof women and families. We are deeply invested in improving the \nvalue and experience of health care and ensuring that new \nmodels of delivery and payment help make consumers partners in \ntheir care with access to the right care at the right time.\n    I am delighted to be able to share today the values, \nexperiences, and needs of patients and consumers who are using \nhealth information technology, such as online access and \nelectronic data-sharing with doctors to improve their health \nand care.\n    The national partnership leads the Consumer Partnership for \neHealth coalition and can speak broadly to the great \nopportunities that health IT presents and the obstacles that \nstill make it difficult to realize its full potential.\n    Health IT is the essential infrastructure for improving \nquality, care coordination, and value in our health care system \ntoday.\n    It is a critical tool for engaging consumers who clearly \nrecognize its value, according to a national survey we \ncommissioned in 2014. We found that nearly 9 in 10 patients \nwith online access to their health information use it. Notably, \npeople who use online access frequently are much more likely \nthan infrequent users to report that health IT motivates them \nto improve their health.\n    Patients recognize that health IT is essential to improving \ntheir access to care, as well as their access to their health \ninformation. They know what we know, that health IT helps \npatients and family caregivers communicate with their health \ncare providers, share information and manage their care; \nimproves patients\' knowledge of their health and empowers them \nto take charge of their care plans; allows patients to correct \nerrors or outdated information in their medical records, such \nas a missing drug allergy; enables patients to share treatment \noutcomes, such as pain levels, functional status, and whether \ntheir health improved after the office visit; helps health care \nproviders answer questions from patients by secure email and \nprovide care with telehealth and see the patients who need the \nmost; gives patients more control over how much personal \nmedical information is shared and how it is used; and much, \nmuch more.\n    Like electronic access in so many other parts of our lives, \nsuch as banking and retail, health IT enables real-time access \nto care and information, and provides individuals with the \nconvenience and control they need and expect in the 21st \ncentury. Health IT can also enhance patient trust and the \nprivacy and security of patient data through encryption and \nother means.\n    The country has seen a rapid increase in health care \nproviders\' adoption and use of health IT in recent years, but \nmuch work remains before the potential benefits reach all \npatients. We have an urgent imperative to break down barriers \nand continue the progress.\n    First, that begins with removing barriers to health \ninformation. The national partnership runs the Get My Health \nData campaign, and, through it, we have learned that many \npatients continue to face astonishing barriers to getting their \ndigital health records from their health care providers. We \nneed to change that by advancing policies and programs that \npromote patients\' online access to and use of their health \ninformation.\n    Second, we need to clarify privacy and security \nrequirements for sharing health data, because confusion \npersists about patient access rights. That means, for example, \nadding proactive education initiatives about what HIPAA \nrequires and what it does not, and encouraging mobile app \ndevelopers and technology vendors to post their privacy \npolicies and data-sharing practices in standardized ways.\n    Third, we need to enhance the usability of health \ninformation so that when patients access their medical data, \nthey can understand and use it. For example, innovative apps \ncould help patients organize their health information in ways \nthat they find most useful.\n    And fourth, we need to bridge existing digital divides to \nhelp identify and reduce disparities in care. That means, for \nexample, promoting online access to health information across \ndiverse communities, and innovation in mobile apps can help.\n    In sum, patients and consumers applaud the progress to date \nand they need more. Patients have a unique vantage point for \nthey are at the center of the health care and information-\nsharing we are all working to improve.\n    Our goal must be to leverage health IT so it helps patients \nbecome real partners in their care and health. Only if we do \nthat will we realize the full promise of health information \ntechnology. Thank you very much.\n    [Prepared statement of Mr. Savage follows:]\n    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n    \n    Mr. Hurd. Thank you, Mr. Savage.\n    We are going to keep going. We are expecting votes in about \n10 to 15 minutes, so we will try to get through as many \nmembers\' questions as we can.\n    To kick us off this afternoon is the distinguished \ngentleman from North Carolina, Mr. Walker.\n    Mr. Walker. I thank you, Mr. Chairman.\n    I appreciate the panel being here today and taking your \ntime and being really a valuable resource for us.\n    I married into the medical community. My wife is a family \nnurse practitioner at Wake Forest Baptist Medical Health \nCenter. Every time I feel like I have, by osmosis, learned more \nmedical knowledge, after 23 years, she reminds me that I don\'t \nreally have a good base of understanding.\n    But this is something that concerns. I remember even as a \nminister for 2 decades sometimes trying to get information \nabout a patient to family members or to others, and trying to \nfigure out how we can meet those needs. Sometimes there were \nproblems to do that, even good laws.\n    I also want to paint a picture here of some friends. I \nrecently tagged along with a surgeon there in Moses Cone \nHospital in Greensboro that has been so burdened with some of \nthe software and some of the regulation. It has impacted him \nnegatively, as well as other physicians who have talked about \nthis.\n    So I want to address a couple of these issues. Maybe, Mr. \nDeCrescenzo, if I could start with you, you both mentioned in \nyour testimony obstacles. You also mentioned the word \n``barriers.\'\' Talk to me for just a minute, if you would, about \nwhat specifically are the obstacles and barriers to getting \nwhere this needs to go.\n    Mr. DeCrescenzo. I think some of the barriers and \nobstacles, Representative, are some of the things that I \nmentioned and some of the other folks here on the panel.\n    First of all, there is a lot of activity underway around \ncollaboration in the industry, but it is one that we think \nneeds to be supported broadly. We have both private sector and \ncombined private sector and government initiatives, things like \nthe CommonWell Alliance, the Sequoia Project. There are \ntechnical standards from committees like HL7 that are trying to \npush the ball forward to make these systems talk to themselves, \nto each other, a lot more adeptly and easily than they have \nhistorically.\n    I think support for that, as exhibited by the ONC report \nthat came out last year, to push us down a roadmap where those \nefforts can be channeled into a way that they ultimately come \nto a harmonized approach between the State regulations and laws \nand standards, Federal, State, Federal laws, regulations, and \nstandards, and private sector initiative, really is one of the \nways that we can make the most against some of the obstacles \nand barriers that exist today where the systems don\'t have \nthose standards to make it easier for them to talk to one \nanother.\n    Mr. Walker. Thank you for responding to that. Are you \nfamiliar with the Press Ganey scores?\n    Mr. DeCrescenzo. The patient satisfaction scores.\n    Mr. Walker. Exactly right. I want to make sure that we are \nalso being an advocate for the health care providers, that we \ndon\'t put these guys in a bind. In fact, earlier this morning, \nwe had a very passionate hearing--compassionate, I should say \nas well--as far as the heroin and opioids. And we know \nsometimes patients can be very manipulative in this process.\n    Can you take a moment, Dr. DeSalvo, and speak to that to \nmake sure, as we move forward with this, we are not putting our \nproviders in a more vulnerable position?\n    Dr. DeSalvo. Thank you for the question, Congressman.\n    As a doctor, I know full well the challenges of making sure \nthat you are being compassionate but also being evidence-based \nin the practice of medicine.\n    I wanted to touch on the patient access piece, because you \nmentioned it, and it is so critically important. The electronic \nhealth information is theirs. They have the right to access it. \nAnd we have worked with the private sector to see that we are \ncreating innovative ways that they have more ready access to \nthat information, so they can make their own care decisions, \nbut also it can be available in the care setting.\n    As an example, just in the last few months, working with \nthe Office of Civil Rights, who has the primary responsibility \nfor HIPAA access, put out some guidance directed at consumers, \nso that they would know what they have the right to access. \nThis is a common refrain that we hear from consumers but also \nfrom docs who want to make sure that the information is getting \nout.\n    In the space of opioids, as an example, we certainly want \nto make sure that we are doing everything to support clinicians \non the frontlines.\n    My husband is an emergency medicine doctor, so this is a \nvery everyday occurrence for him. The tools like PDMPs, the \nprescription drug monitoring programs that are electronic in \nmany States and have really made it easier for us to access \ninformation to make sure that we are appropriately giving \nopioids to people who have pain, are needed, but also trying to \nhelp folks stay out of trouble.\n    We have been working with SAMHSA and with States and with \nthe industry to see that those become more aligned within \nelectronic health records, so you don\'t have to go to another \nplace and sign on. That\'s an added burden.\n    Mr. Walker. Before my time expires, let me also look at \nthis. Health care certainly is very important as we move \nforward in having the right perspective. As a Member of \nCongress, we also have a financial fiscal responsibility as \nwell. We spend more than $2,000 per patient than any other \ncountry in the world.\n    Can we make a case out of this that is something that can \ndrive us to be more health care cost conscience as well?\n    Mr. Quinn or Ms. Rich, would one of you like to address \nthat?\n    Mr. Quinn. I will use as an example Intel\'s Connected Care \nprogram. Where Intel, as a large purchaser of health care on \nbehalf of its 53,000 employees in the U.S., said how can we \nmake our employees the healthiest in the country, retain them, \nand also try to save some money doing it?\n    We have been very successful in the first two. The third \nhas been more challenging, although there has been a great \nprogress there.\n    The key to it, I would say, and this is also the key \npotentially for driving data-sharing and information-sharing in \nour broader health care system, is focusing on value-based \ncare, rather than fee-for-service. That was the engine that \ndrove this, and we have seen a massive amount of actual use of \nthis health information exchange because, of course, the \ntechnical pieces are there with the Sequoia Project and \nbuilding this, but also the incentives for using it are there \nfor the health care providers.\n    Mr. Walker. Thank you, Mr. Quinn.\n    I yield back, Mr. Chairman.\n    Mr. Hurd. The plan is to go to Mr. Connolly, and then we \nwill go into recess to get to votes.\n    I now recognize the gentleman from Virginia, Mr. Connolly, \nfor 5 minutes.\n    Mr. Connolly. I thank the chair.\n    And I thank Mr. Lieu and Mr. Cartwright for their gracious \nconsideration. Thank you so much. I have seven hearings in a \nday and half, so I\'m running back and forth.\n    Mr. Quinn, thank you for sharing your story. Boy, could I \nrelate to that. Both of my parents are in their 80s, and I have \nwitnessed scenes where one is in the hospital in the emergency \nroom, and the other one is being asked to give the history, the \nmedical history. I\'m thinking, what could go wrong with this \nscenario? Thank God they are both alert and have mental acuity, \nbut you know, memory sometimes fails us in moments of stress.\n    It is hardly an ideal system, and surely technology exists \nthat would allow us to have a comprehensive picture of the \npatient in question without relying on human memory and such.\n    So I really related to what you had to say, and I hope your \ndad is doing well.\n    Dr. DeSalvo, picking up on Mr. Quinn\'s narrative, according \nto HHS\'s 2016 report to Congress on the adoption of health IT, \nyour agency found that 97 percent of hospitals and 74 percent \nof physicians possessed a certified electronic health record \nsystem. But only 76 percent of hospitals and 42 percent of \nphysicians with electronic health record systems were sharing \nthe information for the coordination of care. Why that big gap?\n    Dr. DeSalvo. Well, thank you for the question. I certainly \nidentified with Mr. Quinn also, both as a doctor who takes care \nof those kinds of patients but also because of family members \nas well. So as I said in my opening, it is pretty personal to \nall of us to see that the data is moving.\n    The good news story in the data that you present is that, \nover the course of the last many years, we have dramatically \nincreased not just adoption but the opportunity to move and \nshare data. So those are snapshot numbers. But if you look back \nat the trajectory, every year it improves both for doctor \noffices and hospitals. We are not where we want to be yet, but \nwe are making progress.\n    There are areas like the national capital region where \nhealth information exchanges like CRISP make that data \navailable, such that if somebody arrives in an emergency room, \ntheir primary care doc will get a ping and be able to have the \nopportunity to send that med list or problem list, so that we \nwill actually know more about the person in the ER.\n    There are even more exciting advances happening, like in \nMississippi, where the State of Mississippi has been working \nwith local vendors to see that all of long-term data from their \nMedicaid program is available to the doctors in the University \nof Mississippi Medical Center, so that when somebody arrives, \nyou have a picture like you mentioned.\n    Mr. Connolly. You mentioned CRISP, but doesn\'t that require \na voluntary decision to participate?\n    Dr. DeSalvo. You are touching on the challenge that has \nemerged since we have been adopting electronic health records \nand moving to a digitized system, and that is that State laws \nvary, and so there is a need to harmonize that.\n    Mr. Connolly. Right. That is a particular challenge here in \nthe national capital region, since we have three jurisdictions \nwith three different political cultures and sets of laws and so \nforth.\n    I have actually encountered that, where Maryland has one \nset of standards on this kind of communication and Virginia has \nanother, and we are not always talking, which what could go \nwrong with that for someone\'s health? I mean, you could \njeopardize someone\'s health without intending to.\n    Now, do we need, from your point of view, and I welcome Ms. \nRich as well, or anyone else, but is this a case where, \nfrankly, we do need to look at some Federal legislation?\n    We regulate blood supply for safety. Well, electronic \nrecordkeeping is not just a nice thing to have. In the digital \nage, it may be very critical to someone\'s health and the care \nthey get, especially in an emergent situation.\n    Dr. DeSalvo. In the short run, we have been working, the \nOffice of National Coordinator, with the National Governors \nAssociation on developing a toolkit so States themselves can \nharmonize their privacy expectations, so that won\'t be an \nunnatural impediment to information flow.\n    Over the long term, clearly, the health IT landscape has \nchanged a lot since HITECH was passed in 2009. We were on iOS 3 \nthen and now we are up to 6, just as one example. But apps and \ncloud computing have really evolved.\n    So we certainly are leveraging all the opportunities that \nwe have at ONC and our partners, the Office of Civil Rights and \nother agencies, to see that we are protecting consumers and \nthat data is going to flow. But there are areas where we know \nthat there may be some opportunity, like information-blocking, \nwhere we would need some additional support.\n    Mr. Connolly. Thank you so much for this fascinating \nconversation.\n    Again, Mr. Chairman, thank you.\n    Mr. Hurd. Sure.\n    Votes have been called. The committee stands in recess \nuntil immediately following votes.\n    [Recess.]\n    Mr. Hurd. The Committee on Oversight and Government Reform \nSubcommittees on Information Technology and Health Care, \nBenefits, and Administrative Rules will get started again.\n    I appreciate our witnesses\' and guests\' patience as we went \nto go vote. We shouldn\'t be interrupted.\n    To get us restarted is my friend from California, Mr. Lieu. \nYou are recognized for 5 minutes.\n    Mr. Lieu. Thank you, Mr. Chair.\n    Dr. DeSalvo, in your opening statement, you mentioned data-\nblocking. Can you explain what that is and how it works?\n    Dr. DeSalvo. Yes, certainly, Mr. Lieu. Thank you for the \nquestion.\n    Congress asked us to provide a report on health \ninformation-blocking, which we did last April. We thank you for \nthat, because it generated a national conversation and set into \nmotion some actions that we have been taking in partnership, \nfor example, with the Office of Inspector General, also with \nthe Office of Civil Rights, to see that we unblock data that \nhas been collected in electronic health records.\n    This is a new challenge we wouldn\'t have had years ago when \nwe did not have a digitized system. It has emerged since 2009 \nwhen the HITECH Act put ONC and our authorities into place.\n    An example of it would be that I\'m in a health system and \nmy patient records have been collected or digitized, and a \npatient ends up in the emergency room at another hospital \nacross the street, and for whatever reason I\'m not sure I can \nshare it, because I don\'t understand HIPAA, or maybe I don\'t \nhave a business associate degree that I think you need to have \nto share data. And so when that patient shows up across the \nstreet literally, the data is not moving. And it is just \nbecause of a lack of understanding.\n    So that would be sort of an unknowing example. And by \neducating about HIPAA, which is something we have been actively \ndoing, we hope to unblock that sort of data.\n    Sometimes it is more around business practices. People want \nto hold onto patients or hold onto data and don\'t share it.\n    So we have asked and gotten pledges from the health IT \nindustry to say they won\'t block data. Now we are acting on \nmaking sure that we can put some teeth to it.\n    But if I may, Congressman, it is an area where, since 2009, \nthe world has really evolved. That is why in our budget \nrequest, we did put forward a proposal asking for some more \nopportunities for us to be able to address blocking, and to see \nthat, where data could move, that it would.\n    We really welcome the chance to talk with you more about \nthe ways that we think we could have more opportunities to \naddress it.\n    Mr. Lieu. Just so I understand, sometimes you have data-\nblocking because the doctor or hospital may not have \ninterpreted HIPAA correctly. Are there times where, in your \nopinion, they are intentionally doing it to gain a competitive \nadvantage?\n    Dr. DeSalvo. We certainly heard plenty of reports about the \nuse of it to gain a competitive advantage.\n    Mr. Lieu. What about vendors? Do vendors sometimes do that \nas well?\n    Dr. DeSalvo. Occasionally. The way that will occur with \nvendors is they will require added fees, unexpected fees, to \ncreate the interfaces, and that is a form of lack of \ntransparency but can also be a form of blocking.\n    Mr. Lieu. And in the HITECH law, do you believe there are \ngaps that could address this? What can this committee or \nCongress do to help on data-blocking?\n    Dr. DeSalvo. Yes, sir.\n    What we have asked for as part of our budget request are \nsome additional opportunities around defining it and giving us \nan opportunity to require that vendors, for example, can\'t use \ngag clauses to prevent providers from talking about some of the \ncontractual elements. Those are just a couple of the examples \nthat we\'ve asked for.\n    So, yes, we do believe that, since the world has evolved, \nthere is a new need for us to have some additional \nopportunities to protect the people who are using the systems \nand, more importantly, to protect the data of the consumers.\n    Mr. Lieu. Let me switch to cybersecurity.\n    Hollywood Presbyterian Hospital in Southern California had \nbeen attacked with malware. They had to give a ransom to get \ntheir data essentially unencrypted, unblocked. Two more \nhospitals, it was disclosed, were recently attacked in Southern \nCalifornia.\n    What do you think we can do to help prevent those attacks?\n    And my understanding is that it is the Office of Civil \nRights that does cybersecurity?\n    Dr. DeSalvo. That\'s correct.\n    Mr. Lieu. And do you think that would be the appropriate \noffice or not?\n    Dr. DeSalvo. The Office of Civil Rights does have the \nprimary responsibility for privacy and security, and for \nsecurity breach investigations. We work with them in a variety \nof ways to see that we are educating providers, clinicians, and \nothers to make sure that the functionalities, the capabilities \nin electronic health records that we require to keep the data \nsecure, are actually used in the field.\n    We all know that there is a mix of both physical and \ncybersecurity expectations, so tools like our security risk \nassessment tool is a way that we educate providers to know in a \nsimple way how they can protect the data that is in there. So \nthere are some opportunities that we leverage, but we work \nlargely in partnership with the Office of Civil Rights.\n    Mr. Lieu. And does that office have a team of computer \nfolks that deal with cybersecurity issues?\n    Dr. DeSalvo. It is very tight partnership. They certainly \nhave experts in the area of HIPAA and cybersecurity and \nprivacy, and we work very hand in hand with them.\n    We, for example, recently released some additional guidance \nfor providers but also for consumers about access and security, \nand have posted a series of joint blogs to make sure there is a \nshared understanding of what security expectations there are.\n    You all, for example, asked the department to put together \na cybersecurity task force, and we have been working along with \nothers across the department to see that we put together that \ntask force. It just met for the first time last week, so we \nthank you guys for raising that issue.\n    Mr. Lieu. Thank you. I yield back.\n    Mr. Hurd. I would like to pick up where Mr. Lieu left off. \nSo in OCR, they have lawyers so they understand HIPAA. Do they \nhave technical folks that can actually help with a breach or \nthe next ransomware attack?\n    Dr. DeSalvo. Congressman, I would not want to speak \nspecifically to the skill sets of their staff. What I can share \nwith you is that the Office of the National Coordinator, which \nhas technical staff, partners very tightly with the Office of \nCivil Rights, just like we do with other agencies, to make sure \nthat we are bringing that talent to the table if it is \nnecessary.\n    Part of this task force as an example, which is with the \nprivate sector, is to bring together the best minds in \ncybersecurity and to work with not only ONC but OCR to see that \nwe are helping to advance the health care marketplace to adjust \nto any new changes they need to in cybersecurity.\n    Mr. Hurd. Ms. Rich, why is there so much confusion around \nHIPAA?\n    Ms. Rich. I can\'t speak to why there is confusion around \nHIPAA, but I do know that there are many entities that are \noutside of HIPAA that are under our jurisdiction, and that \nincludes all the health apps and the Web sites that take in \nconsumer-generated information, and that consumers may be \nconfused about whether there is a regulation that protects \ntheir privacy in those areas, which is one of the reasons why \nwe think there ought to be a regulation that protects the \nprivacy and data security for the information collected by \nthose entities directly from consumers.\n    Mr. Hurd. Does FDA have responsibility in some type of \nregulation in this space?\n    Ms. Rich. The FDA regulates medical devices, and that \nincludes some health apps. But generally, they are looking at \nsafety issues surrounding whether the app does what it says it \ndoes. The privacy and data security issues of such entities is \ngenerally in our care. And we have been working in this area \nfor over 15 years, and we have an extensive program to look at \nthe data security of these entities and take action--well, \neducate them to start with and then also take action in \nappropriate instances.\n    Mr. Hurd. So if it is a HIPAA violation, that is OCR\'s \njurisdiction. If it is generally something else, it may be you, \nit may be FDA, it may be SAMHSA, or the PPACA. There are so \nmany of these different regulatory bodies, and my fear is that \nit is hurting innovation. It is hurting the proverbial two guys \nor two gals in a garage from creating something that can change \nthe way that we deliver health care.\n    Ms. Rich, I will get back to you on another question.\n    I wanted to ask Messrs. Quinn, DeCrescenzo, and Savage, and \nthen, Ms. DeSalvo, you answer after them, meaningful use, this \nis a term that I have been hearing a lot over the last 16 \nmonths that I have been in Congress and how it was originally \ndesigned to kind of spur companies from participating in EHR \nprograms. But what I am hearing is that it is actually getting \nin the way of innovation.\n    I would like for you three gentlemen to comment on your \nopinions on meaningful use. And, Ms. DeSalvo, I will let you be \nthe cleanup batter.\n    Mr. Quinn?\n    Mr. Quinn. So meaningful use was quite successful in \ndriving adoption of electronic health records. Without \nmeaningful use, we wouldn\'t have the rates of adoption today \nthat we see.\n    As is the case with my dad\'s example, that each individual \nhealth care organization has an electronic health record and \nmay be beginning to exchange data doesn\'t mean that the net \nresult of it is the coordinated care, the shared health \ninformation, that we all need. And the prescriptiveness of this \nled some vendors and health care organizations to play to the \ntest.\n    What we need is to think ahead about the next generation of \ntechnology that is needed to embrace, for example, the Internet \nof Things, consumer-generated health data, the data that is \nbeing unearthed with the genome, and these other sources, and \nincorporate them into this so that we are not just thinking \nabout this program as an end unto itself, but as an enabler of \nnew technologies, new care models, et cetera.\n    Mr. Hurd. Thank you.\n    Mr. DeCrescenzo. Thank you, Mr. Chairman. I would certainly \nsecond Mr. Quinn\'s opinion that meaningful use as it has been \naffected in the last few years to dramatically increase use of \nthe EHRs, as Dr. DeSalvo mentioned earlier, in addition to some \nof the new technologies that you mentioned, need now to be \nconsidered, and also suggest that over the last 4 or 5 years \nunder meaningful use, we have learned a lot about how \ntechnology is used and what are some of the other process and \nincentive issues, including things like reimbursement \nmechanisms that may or may not incent further use of electronic \nmedical records and other types of electronic digitization of \nhealth information in a sharing around that.\n    So going forward, we believe that we need to be thoughtful \nabout what we have learned over the last 4 or 5 years, as we \nlook at additional regulation or requirements for expanding the \nuse of electronic medical records and allied technologies.\n    Mr. Hurd. Mr. Savage?\n    Mr. Savage. We agree that the meaningful use program has \nbeen a major catalyst for improved adoption and use of health \nIT. Patients have been seeing a lot of the benefit of that. As \nI said in my testimony, there are still obstacles to overcome, \nand more needs to be done.\n    But with the meaningful use program in our surveys, we saw \na doubling of online access from 2011 to 2014, from 26 percent \nof patients with online access to 50 percent.\n    We see them using it for the kinds of things that are \nreally critical for delivery system reform that is coming. So \nthe access is important, but the meaningful use program is also \nin 2017 to 2018 to provide much more robust functions around \npatients sharing data with their providers, nonclinical data \nthat is nonetheless relevant to care, better correction of \nerrors, wearables, remote monitoring. And it will, indeed, \nstimulate the kind of innovation that we are all looking for.\n    The version that is coming up also has APIs. We have tech \ndevelopers who are writing apps for using those APIs.\n    So important catalyst. Critical things are coming for \npatients and family caregivers to help them with their care \nplanning.\n    Dr. DeSalvo. Thanks to these folks, I\'m just going to talk \nabout going forward, because the health IT landscape and health \ncare has absolutely been changing and evolving. We are looking \nto go forward after listening to providers, after seeing where \nthe health IT landscape is, to take the opportunity that was \nmade from the doc fix or the MACRA legislation and make this \nprogram going forward more flexible, much more focused on \nclinical outcomes and on interoperability.\n    Mr. Hurd. Thank you.\n    Mr. Cartwright, you are recognized for 5 minutes.\n    Mr. Cartwright. Thank you, Chairman Hurd.\n    I want to follow up that discussion with Mr. Savage a \nlittle bit. I think a cornerstone of the health IT field are \nthe electronic health records, the digital version of a \npatient\'s paper chart containing not just the patient\'s current \ncondition but also his or her medical history.\n    I have here, it looks like a Harris poll that NPWF \ncommissioned. Is that correct, Mr. Savage?\n    Mr. Savage. That is correct.\n    Mr. Cartwright. So this is entitled, ``Engaging Patients \nand Families: How Consumers Value and Use Health IT.\'\'\n    I will ask that this be made a part of the record, Mr. \nChairman.\n    Mr. Hurd. So moved.\n    Mr. Cartwright. It is a result of the Harris poll. I cannot \nimagine how long this poll went, Mr. Savage, but it\'s pretty \nhefty.\n    It was done in the spring of 2014, correct?\n    Mr. Savage. Correct.\n    Mr. Cartwright. Toward the end of it, there is a global \nsummary. And it showed that more than 50 percent of patients \nwant the ability to review their treatment plans, right?\n    Mr. Savage. Correct.\n    Mr. Cartwright. And that nearly 60 percent wanted to see \ntheir doctors\' notes, and that fully 75 percent of patients \nwanted access to their test results electronically.\n    Have I got that correct, Mr. Savage?\n    Mr. Savage. Yes, we found great interest in all of those.\n    Mr. Cartwright. So that is the sort of information that \nwould be available in an electronic health record, correct?\n    Mr. Savage. Yes.\n    Mr. Cartwright. Okay. Is it easy for patients to get access \nto their electronic health records right now?\n    Mr. Savage. The survey that you are referencing does \nidentify increased numbers of access, doubling from 26 percent \nto 50 percent. For those who have it, it has become easier, but \nthe national partnership has also done work with the Get My \nHealth Data campaign, which has found that there are also \npeople without the access that they need and that there are \nsome barriers.\n    So I can either talk about on the survey side, or I can \nshare with you some of the barriers we found with the Get My \nHealth Data side.\n    Mr. Cartwright. The barriers I\'m interested in.\n    Mr. Savage. We have tracers, volunteers who report to us \ntheir experience with trying to get data, and everybody\'s story \nis unique. But we do find some commonalities among those \nstories.\n    So some of the significant barriers are a very complex, \ntime-consuming process in order to get access. So you and I, in \norder to get access to our banking records, we just go down to \nan ATM or access it through the Internet. That is not a time-\nconsuming process, for the norm.\n    But for access to health records, yes, it has been very \ntime-consuming for these individuals.\n    Records provided in a format that is not useful. You may \nask for it in an electronic format. You get a piece of paper by \nsnail mail.\n    Misunderstanding of what patient\'s rights to access are.\n    And perhaps one of the things that we\'ve discovered most \nrecently is the use of unreasonable fees in order to--before \nyou can get access to your records. That may take the form of \nyou have asked for your information and, sure, here\'s the copy \nand here\'s the bill, and it is a bill that you never expected. \nSurprise. Or you are charged a per page fee when it is an \nelectronic record.\n    So there\'s actually been--the Get My Health Data campaign \nhas recommended that there be some comprehensive education \ninitiatives to try to help providers and patients alike \nunderstand the requirements better.\n    And the OCR guidance that recently came out provides some \nexamples of the kind of innovative education efforts that we \nreally do need to see.\n    Mr. Cartwright. Dr. DeSalvo, pick up from there. What kind \nof examples?\n    Dr. DeSalvo. So consumers have more access to their \ninformation than they did previously, though it is not where we \nthink it needs to be. And as Mr. Savage mentioned in his \nearlier comments, we have been pushing through the meaningful \nuse program and through other ways to get increased consumer \naccess.\n    We, in fact, just put out a challenge grant through the \nOffice of National Coordinator calling on the private sector to \ntake advantage of this API expectation that we put in \nelectronic health records to create very consumer-friendly apps \nthat would be on a smart phone and allow somebody, any patient, \nto be able to access their health information and have more \nopportunity to control it. So we are really excited to see what \nthe private sector is going to develop in the next few months \nto make it easier to get more access.\n    The kinds of examples that get in the way of that, \ntechnology certainly Mr. Savage mentioned, but they are \nsometimes just a misunderstanding of HIPAA. The Congressman had \nasked earlier why doctors don\'t understand HIPAA, and part of \nit is we are not really well-trained in it in medical school.\n    This is, I think, a really important opportunity that the \nmedical education field has along the way to see that we \nunderstand what HIPAA is and is not, and do not let it get in \nthe way. Also, the way sometimes it is enacted gets in the way \nof consumers having access to their information.\n    It is, in essence, a form of blocking.\n    So, again, back to this comment of, the world has really \nevolved and now there is data to be free, data to move. And the \nprimary concern is to see that it is there for that clinical \nmoment when you need it.\n    There are also many other important uses, so we are \nleveraging all the tools we have, whether that is education or \nclarity on rules and regs, but there\'s probably also some \nadditional needed attention and maybe some additional support \nto see that blocking is never a reason that people do not get \ntheir data.\n    Mr. Cartwright. So last question, my sense of it is that \nthe better access patients have to their medical records, the \nbetter we all are in terms of patient safety.\n    Does anybody disagree with that? Let the record reflect \nthey are all shaking their head no, Mr. Chairman, and I yield \nback.\n    Mr. Hurd. Thank you, sir.\n    I would now like to recognize Ms. Lujan Grisham for 5 \nminutes.\n    Ms. Lujan Grisham. Thank you, Mr. Chairman. I think I \nprobably want to take off from where my colleague was leading \nyou all, Mr. Cartwright.\n    I actually think in addition to the blocking and \nmisunderstanding that we have seen two principles in HIPAA be \ndetermined--and as an attorney, I feel bad about this--but sort \nof a legal opinion that you have two mutually exclusive \npremises. One, patient protection, and the other would be the \nportability of that information, and they err on the side they \nare absolutely in their minds mutually exclusive, so they go to \nprivacy.\n    I just had this happen with a very large, very recently, \nhealth care provider who argued with me--and HIPAA, I spent a \nlot of time dealing with HIPAA, so it wasn\'t--I won, because \nthe CEO of the health care company refused to provide the \npatient information from provider to provider.\n    Actually, I was trying to do them a favor, right? I have \nlabs that are 45 days out. I get a patient who calls my office \nas a constituent and says I have to have them because my \nspecialist can\'t do what they need to do without the records \nfrom this other provider. I said, let me just call, because I \nknow I don\'t need really anything else, provider to provider, \njust do it. And basically I\'m helping you, because God forbid \nwe find something in those labs that indicate to your lawyers \nthat you have a real liability.\n    And then second, they wouldn\'t do it, because HIPAA \nprevents that, as you all know it absolutely does not. For the \naudience, it does not prevent that. It explicitly provides for \nthat.\n    Then in addition, to make it easy for them, I was willing \nto get the patient on the phone, with plenty of patient \nidentifiers. And HIPAA, according to this provider, also \nexplicitly prohibits not having someone where you have really \nrestrictive proof that that is the patient. I said that is \nnowhere in there. That is your own system, which gets to that \nit is proprietary, it is not interoperable, and that while we \nare to doing I think great strides to make this information \navailable, that unless we deal with that, you can\'t really \ncreate a patient record.\n    I have to have apps for, right now, let\'s see, I\'m old, \nthat would work with about 47 different providers. Now that I \nam lucky enough to have this job, I have to have to add all the \nproviders that are in D.C. that I guarantee you do not speak to \nany of my providers in Albuquerque.\n    So that was a typical-for-me, long-winded statement that \nour intentions here and meaningful use and all the incentives \nand including many of the accountability mechanisms really \nhaven\'t gotten us to what we really want, which is very \neffective patient records, because if we want patients to be \npart of problem-solving, and you do. If I get access to my \nrecord, I find all kinds of stuff that my docs didn\'t see \nbecause they are busy. I feel bad about that. I love them. They \nare my docs, so I really like them, or my practitioners.\n    But they do not have the time to search through stuff, \nwhich is why every time you go, they have to do a whole new \nhistory because they have to ask me, because it is much faster. \nBut what happens when about 20 years from now, I can\'t remember \nfor a whole variety of reasons?\n    So what additional incentives can we use? And you sort of \nfloated around many, right?\n    But I also want a milestone check, because I have also been \nworking on telehealth for more than 2 decades. Quite frankly, \nthe reimbursement issues and the other barriers really simply \nhave not made it available in the places where the technology, \nnot only in juxtaposition to physician consultations or \nphysician-to-patient consultations, but now you have the \nability to do incredible online diagnostics. And yet, we aren\'t \nreally doing it.\n    So what are some really great milestones and mechanisms \nthat this committee can help you achieve, to that end?\n    Anyone? All of you? Everyone?\n    Ms. Rich. I would just like to comment that I do think an \nobstacle to uptake on the part of consumers is concern about \nprivacy, an obstacle to uptake of use of electronic records.\n    Regardless of what a lot of consumers think about privacy \nin other contexts, we do know that they care a lot about \nprivacy when it comes to their health records, which can reveal \ntruly personal information. So from the perspective of somebody \nthat is talking about privacy, we would like to see stronger \nprotections that make sense. Yes, it is a balance. Stronger \nprotections for data ----\n    Ms. Lujan Grisham. Where do you see the balance? And nobody \nI think on this committee is making any sort of statement that \nwe should reduce privacy protections. But when they become an \nobstacle--that does not diminish the protection of privacy, we \nhave a really big problem here.\n    I gave you one illustration. There are many. But what is a \nmilestone to not diminish the protections that we are all \ninterested in, but to get us to real patient records, serious \ninteroperability, not just provider to provider because of \nproprietary, but as you mentioned in an earlier meeting, within \nour hospital equipment, which creates huge patient outcome \nissues, that is not a privacy issue, and gets us to telehealth, \nall the different kinds of things I know that you all are \npromoting?\n    I don\'t know if the chairman is going to let me keep going. \nWhat a good guy.\n    Mr. Hurd. Mr. Quinn can answer that question.\n    Mr. Quinn. I would say a wonderful milestone is getting to \n50 percent alternate payment models by 2018, as HHS has \nproposed, and that Intel, eating our own dog food or, as my \ncolleague says, drinking our own champagne, including in \nAlbuquerque, where we have a huge facility ----\n    Ms. Lujan Grisham. We would like that to be bigger.\n    Mr. Quinn. Thirty-three-thousand employees are today \nparticipating in our Connected Care program. The real enabler \nof this is, of course, that there is something called the \nSequoia Project that makes interoperability possible in \nconnecting 150 different EHRs, but more importantly, that we \nare directly contracting with the providers in that area and we \nhave purchasing power.\n    We are doing this in Albuquerque. We are doing it in \nPortland. We are doing it in Arizona.\n    Intel is a big purchaser, and we said you are going to \nparticipate as part of this, and we are going to collect these \nmetrics.\n    The same is happening on this national basis, this 50 \npercent. Fifty percent I think is a real tipping point, because \nyou can\'t live in two different worlds. You can\'t live in the \nfee-for-service world and the alternate-payment world.\n    The sooner we can get there, the better. We can\'t let up on \nthe accelerator.\n    Ms. Lujan Grisham. Okay, thank you.\n    Mr. Hurd. Thank you, Mr. Quinn.\n    Raise your hand if you have suggestions on how to harmonize \nprivacy laws, and which privacy laws and regulations need to be \nharmonized?\n    Mr. Savage, your organizations don\'t have opinions?\n    Mr. Savage. We do. We don\'t look at them as harmonization. \nWe look at them as protecting privacy for patients in all the \ndifferent States.\n    Mr. Hurd. So I would like all of you all to submit those \nideas, those white papers, to the committee for the record, so \nwe can review those and see if that can be an area that we look \nat.\n    I would be remiss if I don\'t ask a cybersecurity question.\n    Ms. Rich, this is for you, and I am not interested in any \nparticular company or something like that. What do you think is \nthe biggest threat right now to health information and our \ncitizens\' health data?\n    Ms. Rich. There are a few. One is failure by companies \nstill to take this as seriously as they should. There has been \na lot of progress in recent years, but we are still seeing not \nenough attention focused on this issue.\n    Congressman Lieu also mentioned ransomware, which is \nsomething that is on the rise and is particularly on the rise \nwhen sensitive information is collected, because of the great \ninterest in protecting that information, so the ransomware \ntactics are more likely to succeed.\n    We are seeing that more and more in our cases, and we are \nlooking at this issue ourselves, and maybe doing something \npublicly on that.\n    But the number one issue is still the failure to pay enough \nattention to this issue, among many, many companies.\n    Mr. Hurd. Mr. DeCrescenzo?\n    Mr. DeCrescenzo. Obviously, Ms. Rich has her perspective, \nwhat I think at the HLC, we are taking this very seriously. And \nwe see across providers, payers, pharmacies, everybody who is \npart of HLC, an enormous amount of investment and forward-\nthinking on what to do about the problems that you described, \nfor example, at Hollywood.\n    I think one of the challenges everyone needs to recognize \nis that we are also trying to constrain costs as much as \npracticable in the U.S. health care system. And all these \nthings come at a cost. And there is not necessarily as much \nfreedom, or maybe should there be, to be able to capture \nreimbursement in order to reflect those costs.\n    So I think it is a very difficult barrier when you think of \nthe resources that are applied anywhere from telecommunications \nto banking to other industries around cybersecurity, the fact \nthat we have all described the importance of personal health \ninformation, and recognizing that many of these institutions, \nincluding many hospitals I\'m sure in your districts, are \nalready struggling to deal with a number of other aspects of \nsuccessfully providing patient care.\n    So I think we certainly see people taking it very \nseriously. As I\'m sure you\'re aware, many people go into the \nmedical profession because they have that commitment to \npatients, their data, and privacy.\n    So I think one of the things we need to consider is how \nwell is reimbursement reflecting the cost of doing a good job \nat it.\n    Mr. Hurd. Ms. Rich, what has been the biggest fine that FTC \nhas issued on a private company for violating our privacy? We \ndon\'t need to know the situation, just what is the dollar \namount? And can you describe the situation?\n    Ms. Rich. We actually, in the initial instance, don\'t have \nfining authority in the data security area in general. We do \nwhen it involves kids\' information or consumer credit data. But \nin the general data security work we do, we do not have the \nauthority to obtain any penalties.\n    That is, I think, something that we seriously need in order \nto create different incentives here.\n    Mr. Hurd. If a private company would have lost the \ninformation on 23 million records, what would FTC have done?\n    Ms. Rich. In the abstract, it is hard to say. Each \nviolation, if we had civil penalty authority, just borrowing \nfrom the authority that we have in other areas, every violation \ncould amount to a $16,000 penalty. So if you add that up over \nmillions of consumers, it\'s potentially infinite. But, of \ncourse, we take the ability to pay, et cetera, into account.\n    But the fines could be quite high for a company that had \nvery serious violations and injured a lot of consumers.\n    Mr. Hurd. Thank you.\n    Now to close this out, Mr. Blum, you are recognized for 5 \nminutes.\n    Mr. Blum. Thank you, Chairman Hurd, for holding this most \nimportant hearing.\n    And thank you to all the panelists today for your insights. \nI appreciate it very much.\n    Telehealth, telemedicine, has absolutely intrigued me since \nI have been in office the last 15 months. When we talk about \nrising health care costs in the country, I know many citizens \nwant a silver bullet, one answer, one thing that is going to \nsolve the increasing health care costs.\n    I kind of believe, pardon my pun, I believe it has been \ndeath by 1,000 cuts, the increase in health care costs. It has \nbeen a lot of small things. And I think one piece of the \npuzzle, the solution to keeping health care costs in line, is \ntelehealth or telemedicine, and particularly in our veterans\' \ncare system with the psychiatric care, PTSD.\n    I know in Iowa, it is rural, so we don\'t have a lot--in all \nthe outpatient clinics for vets, we don\'t have a psychologist \nor psychiatrist on staff. So telemedicine is a great \napplication there.\n    I would like to ask all the panelists, what policy changes \ndo you think are necessary so there is 100 percent--100 \npercent--telehealth participation by providers and by \nhospitals? I see it as critically important to saving the \ngovernment money and also improving the outcomes of our \npatients.\n    So whoever would like to take that, jump on it, please.\n    Dr. DeSalvo. Congressman, perhaps I will begin and say that \nI share your enthusiasm for telehealth. As a doctor, I have had \nthe opportunity to use that, particularly for access to \npsychiatric care in my home community of New Orleans after \nKatrina, when we had really a lack of services. As a rural \nState, we have been able to leverage that as well.\n    So as a care delivery model, very well-received, and can \nalso save people money, because they don\'t have to take off of \nwork and find health care, et cetera, to go to the sites. It is \nless of a technology issue and more of, I think, an opportunity \nas we move to alternative payment models.\n    So as the VA has been able to show and the private sector, \nand certainly through some of the work that the department has \ndone with these models in the Center for Medicare and Medicaid \nServices, we have been working to advance that as an \nadministration, in partnership with the private sector.\n    I think it is something that we see as a department an \nopportunity in the delivery system reform work that is moving \nto alternative payment models, such as in the MACRA legislation \nthat is required for docs. It is going to give us a lot of \nopportunity to really enable and support new kinds of care \nmodels.\n    So from our standpoint, we believe that, with the \ndepartment, we really believe that we are moving forward into \nthis world and that the MACRA legislation for docs, in \nparticular, is going to be helpful.\n    Mr. Blum. You are a medical doctor, correct?\n    Dr. DeSalvo. Yes.\n    Mr. Blum. I know you cannot speak for the medical \ncommunity, but what is your impression or your opinion of the \nmedical community\'s opinion of telemedicine? Is it a good one? \nOr do they say this isn\'t that good?\n    Dr. DeSalvo. So I can\'t speak for the medical community, so \nI will speak for myself and my peers, that there are some real \nbenefits to it.\n    Speaking purely as a doctor, I think one of the challenges \nis there is a lot that you gain from being in the room with a \npatient, you can touch them, you can listen to them in a way \nyou can\'t necessarily through technology. So a mix of kinds of \ninteraction is typically what we want. We wouldn\'t want it to \nall to be remote, because you also gain something from that \ntouch in that exam room.\n    Mr. Blum. Absolutely.\n    Others? Yes, sir?\n    Mr. DeCrescenzo. Congressman, one other thing I would \nmention is harmonization of standards across the States.\n    Obviously, with telemedicine, as you described, it is \nsomething that brings the ability to provide care across \ndistance. And, of course, many of the States are quite large, \nso it is urban to rural and various other ways. It certainly \nwould facilitate the growth of telemedicine in a very important \nfashion.\n    But in addition, there is quite a patchwork of regulations \nand standards on a State basis across the country, so the \nability to leverage perhaps highly specialized care outside the \nState is often more difficult for somebody looking to put \ntogether a national network or even nationally focused \nproviders like Cleveland Clinic and others who have a very \nlarge footprint across the country.\n    Mr. Blum. And what would the solution to that be? Is there \nan easy one? I like easy solutions.\n    Mr. DeCrescenzo. Well, we have 50 States, so I doubt there \nis an easy one.\n    But I think there is increasing, I would say, similarity \nbetween the regulations of different States as they become more \nfamiliar with this. And perhaps like a lot of the work ONC and \nothers have done around harmonization of technology standards, \nwe would hope there would also be a similar effort to harmonize \nthe standards and regulations around telemedicine.\n    Mr. Blum. Yes, ma\'am?\n    Ms. Rich. The FTC in the competition area, which I don\'t \npersonally work, but we have done a good deal of work on \nbreaking down barriers to competition that may hold back \ncertain alternative forms of medicine.\n    For example, we have commented to States that may have laws \nthat favor certain medical techniques over others in a way that \ninterferes with competition through State laws. So competition \nis very important in this area.\n    Mr. Blum. Do I have time for one more question, Mr. \nChairman?\n    Mr. Hurd. Thirty-nine seconds.\n    Mr. Blum. One of the major barriers preventing a focus on \nhome-based health care versus expensive hospitalization--\nanother area I am very interested in, is keeping that person in \ntheir home as long as we possibly can or getting them back to \ntheir home as quick as we can. Thoughts on that?\n    Mr. Savage. I would jump in and say that is a good \nillustration of perhaps an interoperability issue. We want to \nmake sure that the patient\'s home is connected with the system.\n    So you want access. You want the patient to be able to send \nremote monitoring information to the doctor\'s clinical record. \nThese are things that are actually in the process of being \ndeveloped on a national level.\n    That kind of two-way communication between the home and the \ndoctor\'s system also contributes to care planning, so that you \nactually have working together to manage the care and to move \nfrom care to health.\n    Mr. Blum. This could apply to nursing homes as well, \ncorrect?\n    Mr. Savage. That\'s correct.\n    Mr. Quinn. I would say that one of the things that really \nis lacking today is ensuring that those home-based applications \nhave a market. So today without the reimbursement for many of \nthose things, the market hasn\'t blossomed the way that it \ncould. Many of the applications and the tools aren\'t \nnecessarily designed for a 78-year-old or maybe somebody with \ndisabilities who is at home.\n    Ensuring that that, frankly, consumer marketplace with the \ntechnology that is rigorous enough to be trusted and \nincorporated into the health care system is built and that \nthere is a marketplace for it, because there is reimbursement, \nthere is a path for investors to say there is something here.\n    Mr. Blum. That\'s a good point. Thank you very much for your \ninput. I appreciate very much.\n    With that, I yield the time that I do not have.\n    Mr. Hurd. I would like to thank Mr. Lieu and Mr. Cartwright \nfor the bipartisan nature in working on this topic. It is \nimportant for an exchange of information.\n    And I appreciate our witnesses taking the time to appear \nbefore us today and for your patience.\n    If there\'s no further business, without objection, the \nsubcommittees stand adjourned.\n    [Whereupon, at 4:22 p.m., the subcommittees were \nadjourned.]\n\n\n                                APPENDIX\n\n                              ----------                              \n\n\n               Material Submitted for the Hearing Record\n[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]\n\n                                 [all]\n</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body></html>\n'