b"<html>\n<title> - IMPLEMENTING THE 21ST CENTURY CURES ACT: MAKING ELECTRONIC HEALTH INFORMATION AVAILABLE TO PATIENTS AND PROVIDERS</title>\n<body><pre>[Senate Hearing 116-409]\n[From the U.S. Government Publishing Office]\n\n\n\n\n\n                                                        S. Hrg. 116-409\n \n                     IMPLEMENTING THE 21ST CENTURY\n                      CURES ACT: MAKING ELECTRONIC\n                      HEALTH INFORMATION AVAILABLE\n                       TO PATIENTS AND PROVIDERS\n\n=======================================================================\n\n                                HEARING\n\n                                 OF THE\n\n                    COMMITTEE ON HEALTH, EDUCATION,\n                          LABOR, AND PENSIONS\n\n                          UNITED STATES SENATE\n\n                     ONE HUNDRED SIXTEENTH CONGRESS\n\n                             FIRST SESSION\n\n                                   ON\n\n EXAMINING IMPLEMENTING THE 21ST CENTURY CURES ACT, FOCUSING ON MAKING \n   ELECTRONIC HEALTH INFORMATION AVAILABLE TO PATIENTS AND PROVIDERS\n\n                               __________\n\n                             MARCH 26, 2019\n\n                               __________\n\n Printed for the use of the Committee on Health, Education, Labor, and Pensions\n\n        Available via the World Wide Web: http://www.govinfo.gov\n\n                           ______                       \n\n\n             U.S. GOVERNMENT PUBLISHING OFFICE \n41-393 PDF            WASHINGTON : 2021         \n\n          COMMITTEE ON HEALTH, EDUCATION, LABOR, AND PENSIONS\n\n                  LAMAR ALEXANDER, Tennessee, Chairman\nMICHAEL B. 
ENZI, Wyoming                  PATTY MURRAY, Washington\nRICHARD BURR, North Carolina              BERNARD SANDERS (I), Vermont\nJOHNNY ISAKSON, Georgia                   ROBERT P. CASEY, JR., Pennsylvania\nRAND PAUL, Kentucky                       TAMMY BALDWIN, Wisconsin\nSUSAN M. COLLINS, Maine                   CHRISTOPHER S. MURPHY, Connecticut\nBILL CASSIDY, M.D., Louisiana             ELIZABETH WARREN, Massachusetts\nPAT ROBERTS, Kansas                       TIM KAINE, Virginia\nLISA MURKOWSKI, Alaska                    MARGARET WOOD HASSAN, New Hampshire\nTIM SCOTT, South Carolina                 TINA SMITH, Minnesota\nMITT ROMNEY, Utah                         DOUG JONES, Alabama\nMIKE BRAUN, Indiana                       JACKY ROSEN, Nevada\n\n               David P. Cleary, Republican Staff Director\n         Lindsey Ward Seidman, Republican Deputy Staff Director\n                  Evan Schatz, Minority Staff Director\n              John Righter, Minority Deputy Staff Director\n              \n              \n                            C O N T E N T S\n\n                              ----------                              \n\n                               STATEMENTS\n\n                        TUESDAY, MARCH 26, 2019\n\n                                                                   Page\n\n                           Committee Members\n\nAlexander, Hon. Lamar, Chairman, Committee on Health, Education, \n  Labor, and Pensions, Opening statement.........................     1\nMurray, Hon. Patty, Ranking Member, a U.S. Senator from the State \n  of Washington, Opening statement...............................     3\n\n                               Witnesses\n\nMoscovitch, Ben, M.A., Project Director, Health Information \n  Technology, The Pew Charitable Trusts, Washington, DC..........     
6\n    Prepared statement...........................................     7\n    Summary statement............................................    15\nSavage, Lucia, C., J.D., Chief Privacy and Regulatory Officer, \n  Omada Health, Inc., San Francisco, CA..........................    16\n    Prepared statement...........................................    17\n    Summary statement............................................    29\nRehm, Christopher, R., M.D., Chief Medical Informatics Officer, \n  LifePoint Health, Brentwood, TN................................    29\n    Prepared statement...........................................    31\n    Summary statement............................................    34\nGrealy, Mary, J.D., President, Health Leadership Council, \n  Washington, DC.................................................    36\n    Prepared statement...........................................    37\n\n                          ADDITIONAL MATERIAL\n\nSupplemental remarks of Lucia C. Savage, J.D.....................\n    Digital Health Data and Information Sharing: a New Frontier \n      for Healthcare Competition.................................    54\n    ONC's Proposed Rule On Information Blocking: The Potential To \n      Accelerate Innovation In Health Care.......................    83\n    Comments of Omada Health, Inc. to U.S. Department of Health \n      and Human Services Office for Civil Rights in Response to \n      Request for Information, Docket # 0945AA00.................    86\nSupplemental remarks of Mary Grealy, J.D.........................\n    HLC BPC Report on Advancing Interoperability, Information \n      Sharing, and Data Access...................................    
98\n\n\n                     IMPLEMENTING THE 21ST CENTURY\n\n                      CURES ACT: MAKING ELECTRONIC\n\n                      HEALTH INFORMATION AVAILABLE\n\n                       TO PATIENTS AND PROVIDERS\n\n                              ----------                              \n\n\n                        Tuesday, March 26, 2019\n\n                                        U.S. Senate\n       Committee on Health, Education, Labor, and Pensions,\n                                                    Washington, DC.\n    The Committee met, pursuant to notice, at 10 a.m., in room \nSD-430, Dirksen Senate Office Building, Hon. Lamar Alexander, \nChairman of the Committee, presiding.\n    Present: Senators Alexander [presiding], Cassidy, Romney, \nBraun, Murray, Baldwin, Kaine, Jones, Hassan, Rosen, and Casey.\n\n                 OPENING STATEMENT OF SENATOR ALEXANDER\n\n    The Chairman. The Senate Committee on Health, Education, \nLabor, and Pensions will please come to order. Senator Murray \nand I will each have an opening statement, then we will \nintroduce the witnesses. After the witnesses' testimony, \nSenators will each have about five minutes of questions.\n    Reid Blackwelder is a family physician with three clinics \nin the tri-cities area of East Tennessee. A few years ago, he \ntalked with the New York Times about his electronic health \nrecords that were supposed to make his life easier saying, ``we \nhave electronic health records at our clinic but the hospital, \nwhich I can see from my window, has a separate system from a \ndifferent vendor. The two do not communicate. When I admit \npatients to the hospital, I have to print out my notes and send \na copy to the hospital so they can be incorporated into the \nhospital's electronic records.'' Dr. Blackwelder could pay for \nhis patients' hospital records to be electronically sent from \nhis system to the hospital system, but it would cost him \n$26,400 every month or $316,800 a year. 
So, for Dr. Blackwelder \nand many other doctors, record keeping is now more expensive \nand burdensome as a result of electronic health care records.\n    In 1991, the National Academy of Medicine released a report \nurging the prompt development and implementation of what were \nthen called computer-based patient records. We forget that was \nwell before the internet was in common usage in the United \nStates. The report said, these systems have a unique potential \nto improve the care of both individual patients and reduce \nwaste through continuous quality improvement. Electronic health \nrecords, as they came to be called, got a boost in 2009 when \nthe Federal Government, in a bipartisan effort, began the \nMeaningful Use Program, spending over $36 billion in grants to \nincentivize doctors and hospitals to use these systems. As was \nthe prediction in the 1991 report, the hope was that electronic \nrecords would improve patient care and reduce unnecessary \nhealthcare spending. This is important to this Committee \nbecause at our hearing last summer Dr. Brent James from the \nNational Academies testified that up to 50 percent of what we \nspend on health care is unnecessary. So, there is bipartisan \nfocus, both in the Congress and the administration, on reducing \nhealth care costs.\n    One way to reduce what we spend on administrative tasks and \non necessary care, is by having electronic health records that \ntalk to one another, which we call interoperability. But in \n2015, six years after the Meaningful Use Program started, as \nthis Committee worked on the 21st Century Cures Act, we \nrealized that in many cases electronic health records added to \nadministrative burden and increased unnecessary health care \nspending. A major reason for that is the records are not \ninteroperable. 
One barrier to interoperability is called \ninformation blocking, which is when some obstacle is in the way \nof a patient's information being sent from one doctor to \nanother. So, in 2015, this Committee held six bipartisan \nhearings, formed a working group to find ways to fix the \ninteroperability of electronic health records. These hearings \nled to a bipartisan group of HELP Committee Members working \ntogether to include a provision in the 21st Century Cures Act, \nto stop information blocking and encourage interoperability.\n    Today's hearing is about two rules that the Department of \nHealth and Human Services proposed to implement this provision \nin the 21st Century Cures Act. The two rules are complicated, \nbut I would like to highlight a few ways they lay out a path \ntoward interoperability. One, the rules define information \nblocking so we know what we mean when we are talking about it. \nSo, it is more precisely clear what we mean when one system, \nhospital, doctor, vendor, or insurer is purposely not sharing \ninformation with another.\n    Second, the rules require that by January 1, 2020, for the \nfirst time insurers must share a patient's health care data with \nthe patient so their health information follows them as they \nsee different doctors. Third, all electronic health records \nmust adopt the same standards for data elements, known as \napplication programming interface or API, two years after these \nrules are completed. And fourth, hospitals are required to send \nelectronic notifications to a patient's doctors immediately \nwhen that patient is admitted to, discharged from, or \ntransferred from the hospital. According to the Department of \nHealth and Human Services, these new rules should give more \nthan 125 million patients easier access to their own records in \nelectronic format. 
This should be a huge relief to any of us \nwho have spent hours tracking down paper copies of our records \nand carting them back and forth to different doctors' offices. \nThe rules will reduce administrative burden on doctors so they \ncan spend more time with patients.\n    A recent study from Kaiser found that emergency room \ndoctors in order to use electronic health record systems make up \nto 4,000 mouse clicks per shift. If electronic health records \ndata was truly interoperable, it would greatly reduce how many \nclicks doctors have to make. According to the Department of \nHealth and Human Services, spending less time on these \nadministrative tasks will improve efficiency and save about \n$3.3 billion a year. And because doctors can see patients' full \nmedical history, they can avoid ordering unnecessary tests and \nprocedures. I also want to be aware, and I know this Committee \ndoes, of unintended consequences from these two rules. Are we \nmoving too fast?\n    In 2015, I urged the Obama administration to slow down the \nMeaningful Use Program, which they did not do, and looking \nback, the results would have been better if they had. Are the \nstandards for data elements too rigid? Is the door still open \nfor bad actors to game the system and continue to information \nblock? And how can we ensure patient privacy as patients gain \nmore access and control over their personal health information, \nand how do we help them keep it secure? I want to ensure these \nrules will make the problem of information blocking better not \nworse.\n    I look forward to any specific suggestions to improve the \nrules from those who use electronic health record systems. \nElectronic health records that work can give patients better \noutcomes and better experiences at a lower cost.\n    Senator Murray.\n\n                  OPENING STATEMENT OF SENATOR MURRAY\n\n    Senator Murray. Thank you very much, Mr. 
Chairman.\n    Back in 2008, just one in 20 hospitals used electronic \nhealth records. A decade later, we have made enough progress to \nflip that number entirely. Today, just one in 20 hospitals have \nnot adopted electronic health records. And over the past \ndecade, we have seen how better information about a patient's \nhealth care does make a big difference. In national news, \nelectronic health records played an important role in \nunderstanding how the water in Flint, Michigan was putting \nfamilies in danger. And while they do not always make \nheadlines, electronic health records also make a difference by \nhelping care providers identify health problems sooner so \npatients can get preventive care to stay healthy, avoid \nduplicated tests or medication errors, and identify treatments \nthat might be counterproductive based on a patient's medical \nhistory or current prescriptions.\n    The HITECH Act we passed in 2009 was a big part of \naccomplishing the progress we have seen so far, but we have to \ncontinue building on that progress to ensure health information \ntechnology lives up to its full potential. And we have to \ncontinue oversight, following up the work we did in 2015 after \nthe Office of the National Coordinator for Health Information \nTechnology put out a report detailing some of the challenges \nahead. The report made clear information blocking was a serious \nproblem throughout the health care system. 
While HITECH \nrequired certified electronic health record products to meet \ntechnical standards intended to make good information more \naccessible for care providers, the ONC report found substantial \nevidence some organizations were intentionally setting up \nbarriers between their systems and other systems, like \nexorbitant fees whenever someone sent, received, or even \nsearched for a patient's information, contracts that restricted \npeople's ability to access and share their own health \ninformation, and systems built in ways that made sharing \ninformation needlessly complicated. Maybe they missed the day \nin kindergarten about sharing, because putting something where \nonly you can reach or charging excessive fees for it is \nabsolutely not how it should be done. And it is absolutely not \nacceptable when it comes to people's health.\n    We cannot afford to have bad actors who prioritize their \nbottom line over patients' best interest, and block information \nhospitals, providers, and patients need to be able to share \nthat with one another. We also cannot expect health IT systems \nto get better when some vendors include gag clauses that \nprevent care providers from speaking out about the problems, or \nissues, or errors they encounter. It should be easy for \nproviders shopping for electronic record systems to learn about \npotential issues. It should be easy for medical professionals \nto hear about a problem with a system they use, and it should \nbe easy for anyone to speak out when they see something that \nwould jeopardize people's health. When systems cannot speak \nwith each other and people cannot speak up about the problems \nthey see, it is patients who do get hurt. 
Like the man in \nCalifornia who suffered brain damage after his diagnosis was \ndelayed because a hospital software could not properly \ninterface with a lab software, or the woman in Vermont who died \nof a brain aneurysm that might have been caught if a software \nproblem had not stopped the order for a test that she needed. \nWhen we talk about making sure we have a strong health IT \nsystem, we are not just talking about technology and \ninnovation. Families' lives depend on making sure we get this \nright, which is why I was glad we were able to take steps to \naddress these issues in the 21st Century Cures Act.\n    I look forward to hearing from our witnesses about their \nperspective on ONC's proposed rule to implement the Cures' \nprovisions. In that bill, we moved to end information blocking, \nand make clear when patients and their care providers need \ninformation, they should not be stopped by unnecessary, \nunreasonable barriers. And we tasked ONC with clarifying what \nsort of concerns, like privacy, and safety, and security, would \nbe grounds for reasonable exceptions. We also took steps to \nhelp ONC strengthen its certification program beyond technical \ncriteria for electronic health records, so they can make sure \nthat if vendors want to get the Government seal of approval, \nthen they cannot engage in information blocking or use gag \nclauses.\n    The new conditions also call for open application \nprogramming interfaces, or APIs, another step that will help \nmake sure systems developed by different vendors and used by \ndifferent doctors are able to speak to each other, and that \npatients have an easier time getting access to their medical \nrecords. I am glad ONC is moving to put these common sense \nsteps into action. I am interested in making sure this gets \ndone right. 
I look forward to hearing from our witnesses about \ntheir perspective on ONC's approach, and about the steps the \nCenters for Medicare and Medicaid Services is taking to make \nclaims data more accessible and prompt care providers to be \nbetter about sharing information. Of course, as we continue to \nproof our health IT system, we need to make sure that health \ninformation is being provided in a way that works for patients \nas well.\n    During our 2015 hearings, I shared the story of a woman who \nhad been seeking the results of her pregnancy test, but instead \nof a clear answer, her electronic health record simply reported \nher hormone levels--not helpful. We need to do better for her \nand for other patients who have gone looking for information \nthey can use only to find massive binders, unreadable PDFs, and \nstacks of CDs. Engagement and usability have to be part of this \ndiscussion. And last but most certainly not least, we need to \ntalk about security, privacy, and data stewardship. That means \nprioritizing the development of technology and best practices \nthat can help prepare for the constantly evolving cyber \nsecurity threats of the 21st century.\n    It also means having a national conversation about what is \nrequired for all parties to be good stewards of the data people \nentrust them with, and that conversation is only going to \nbecome more important as tech companies and others introduce \nnew products like mobile applications that empower people with \ntheir health care data but are not covered by existing HIPAA \nprotections. Patients should be able to expect tech companies \nare going to use their most sensitive information responsibly \nand give them the tools they need to be able to control how and \nwhen their information is disclosed. Our objective should be to \nmake sure tech companies are putting patients in the driver's \nseat, not the other way around. 
It is clear we have come a long \nway when it comes to strengthening our Nation's health \ninformation infrastructure, but it is also clear there are a \nlot of challenges ahead.\n    I look forward today to hearing from all of our witnesses. \nThank you for being here. We want to hear about how data and \ntechnology can actually empower patients and care providers, \nand I hope we can continue our bipartisan work on this \nimportant issue, Mr. Chairman.\n    Thank you.\n    The Chairman. Thank you, Senator Murray, and thank you for \nyour leadership on this. I think all Members of the Committee \nwould agree that the 21st Century Cures Act is one of the most \nimportant pieces of legislation we have had a chance to work \non. Senator McConnell, Majority Leader, said it was the most \nimportant bill in the Congress in which it passed, and it was a \nbipartisan piece of legislation.\n    I have noticed that we can do three things in the \nCommittee, it seems to me. One, we can call attention to \nsomething, which we are doing today and which we did with our \nfive hearings on electronic health care records. Two, we can \npass a law, which we did with 21st Century Cures. And three, we \ncan make sure the law works, which is what this hearing is \nabout--it is about oversight. And we welcome our witnesses.\n    The first one, Mr. Ben Moscovitch, is the Project Director \nof Health Information Technology at the Pew Charitable Trusts. \nHe leads research on the challenges of achieving \ninteroperability and highlights possible solutions.\n    Next, we will hear from Ms. Lucia Savage. She is the Chief \nPrivacy and Regulatory Officer at Omada Health. Omada is a \ndigital behavioral health company that aims to address health \nissues including type 2 diabetes, heart disease, and obesity. \nShe focuses on advancing health care using technology and \nmaintaining the security of patients' health information.\n    The third witness, Dr. 
Christopher Rehm, is Chief Medical \nInformation Officer of LifePoint Health in Brentwood, \nTennessee. It is a hospital system with 89 locations in 30 \nStates. He works both with physicians and patients to apply \ntechnology solutions to health care needs.\n    Finally, we will hear from Ms. Mary Grealy, President of \nthe Healthcare Leadership Council, which is comprised of health \ncare executives from leading organizations and companies in the \nhealth care industry, health plans, hospitals, health product \ndistributors, pharmacies, and academic medical centers.\n    Welcome to each of our witnesses. Thank you for making time \nfor us today. If you will summarize your remarks in about five \nminutes, we will then have questions. Why don't we begin, Mr. \nMoscovitch with you.\n\n  STATEMENT OF BEN MOSCOVITCH, M.A., PROJECT DIRECTOR, HEALTH \nINFORMATION TECHNOLOGY, THE PEW CHARITABLE TRUSTS, WASHINGTON, \n                               DC\n\n    Mr. Moscovitch. Chairman Alexander, Ranking Member Murray, \nMembers of the Committee, thank you for holding this hearing \nand for the opportunity to present testimony. If one were to \nread recent news articles, it would be reasonable to think that \nour healthcare system is less efficient and less safe because \nof the transition from paper to electronic records.\n    The truth is EHRs have revolutionized modern medicine by \ngiving clinicians better tools to document patients' needs, \nsafely prescribe medications, and administer care. But, as \nCongress recognized in the 21st Century Cures Act, gaps remain. \nThey keep EHRs from reaching their full potential. Oversight \nfrom this Committee can help fill those gaps. 
My testimony will \nfocus on three aspects of the recently proposed regulations to \nimplement Cures that could one, enable easier use of health \ndata, two, promote better matching of patient records, and \nthree, improve safety and reduce clinician burden.\n    First, interoperability requires patients and clinicians to \nbe able to effectively access and extract information from \nEHRs. To address that, Congress directed ONC to develop new \ncriteria for EHRs, which help different systems communicate. \nThese are called APIs or Application Programming Interfaces. \nAPIs are the foundation of the modern internet. They allow \ntravel websites to aggregate airline fares, personal financial \napplications to pull data from an individual's accounts, and \ncountless other everyday uses. For APIs to be effectively used, \ndifferent systems need to exchange data in the same way. To \naccomplish this, ONC identified the use of a standard called \nFHIR for data exchange and provided guidance on how to \nconsistently implement it for better interoperability. As ONC \nfinalizes the rule, Congress should ensure that the agency \nmaintains its commitment to these standard APIs.\n    Interoperability also requires health organizations to know \nthat they are communicating about the same person. This is \noften referred to as patient matching. When data are exchanged, \nrecords may not be matched up to half the time. Pew has \nidentified concrete steps that Congress should encourage ONC to \ntake, including ones recently highlighted in a GAO report \nrequired by Cures. We found that better standardization of data \ncan improve match rates. For example, Pew funded research at \nIndiana University revealed that use of the U.S. Postal Service \nstandard for address would increase match rates by \napproximately 3 percent, a significant improvement. One \ntechnology developer told us this would help their system match \nan additional tens of thousands of records per day. 
To improve \nmatching, ONC should specify use of the postal service standard \nfor address and include other routinely collected elements like \nemail address, which is already in half of records but not used \nfor matching. In Cures, Congress also recognized that EHR \nusability must be improved. Usability refers to system design, \nas well as how they are customized and used. Poor usability can \ncontribute to clinician burden and contribute to medical \nerrors.\n    Pew collaborated with MedStar Health to examine the \ncontribution of EHR usability to medication safety events, such \nas dosing errors in three pediatric health care facilities. The \nresearch found that EHR usability contributed to more than a \nthird of the 9,000 events examined. This Committee can \nencourage ONC to make patient safety a priority in implementing \nCures. Congress charged ONC with developing new criteria for \nEHRs used in pediatric care. While ONC rightly identified 10 \npriorities for pediatric care, such as the dosing of drugs \nbased on weight, the agency should better focus on safety and \nusability. For example, ONC should clarify that developers \nseeking certification for pediatric functions involve \npediatricians and pediatric nurses to test the system.\n    Congress also required ONC to establish an EHR reporting \nprogram. The agency should embed safety in the usability \naspects of this program, as recommended by clinicians, \ntechnology professionals, and others. In conclusion, the \nbipartisan passage of Cures launched a new era for digital \nhealth by providing patients and clinicians with better access \nto data and reducing medical errors. 
As the administration \ncontinues its implementation, this Committee can ensure that \nCongress's goals are met by supporting secure, standard API \naccess to a wide range of health data, encouraging ONC to \naddress patient matching through better standards, and pressing \nONC to focus on patient safety throughout the implementation of \nCures.\n    Thank you for holding this hearing, and I look forward to \nanswering your questions.\n    [The prepared statement of Mr. Moscovitch follows:]\n                  PREPARED STATEMENT OF BEN MOSCOVITCH\n    Chairman Alexander, Ranking Member Murray, Members of the \nCommittee, thank you for holding this hearing and for the opportunity \nto present testimony.\n\n    My name is Ben Moscovitch; I serve as the Project Director of \nHealth Information Technology at The Pew Charitable Trusts (Pew), a \nnonprofit, nonpartisan research and policy organization. Our health \ninformation technology project focuses on improving the safety of \nelectronic health record (EHR) systems, and enhancing the exchange of \ninformation so that health care providers and patients have the data \nthey need to make informed decisions.\n\n    EHRs have revolutionized how clinicians deliver care by equipping \nthem with better tools to document patients' health status, safely \nprescribe medications, and otherwise order health care interventions. \nAnd, these tools have the potential to make it easier for patients and \nclinicians to have more complete and robust data to coordinate care \nacross health care settings.\n\n    Seeking to build on the improvements spurred on by the digitization \nof paper records, Congress recognized that gaps remain in realizing the \nfull potential of EHRs to give patients their data, make clinical care \nmore efficient, and enhance patient safety. 
The 21st Century Cures Act \n(Cures), passed in 2016, marked an important step toward remedying \nthese deficiencies by addressing barriers to both the effective \nexchange of health data, known as interoperability, and the usability \nof these systems.\n\n    Congress, through Cures, set a positive vision for the future of \nEHRs--a vision where patient data are securely accessible to patients \nand clinicians wherever and whenever they need them. Access to health \ndata would help advance the coordination of care for patients who see \nmultiple physicians. This coordination would help patients live longer \nand better lives, and reduce costs associated with duplicate laboratory \nand other services. And, this vision would have EHRs serve as a \ncritical, helpful tool that clinicians can seamlessly use to administer \nhigher quality care. In this vision, EHRs are indispensable, yet almost \ninvisible to patients because the systems are easily and efficiently \nused, and only interject in care to offer essential support services to \nhelp clinicians provide safer, higher quality care.\n\n    Earlier this month, the Office of the National Coordinator for \nHealth Information Technology (ONC) and the Centers for Medicare & \nMedicaid Services (CMS) issued proposed rules to begin implementing \nthat vision captured in Cures. The regulations aim to ease the exchange \nof health data when patients want to access their information or have \nit transmitted to their health care providers, and otherwise focus on \nbarriers to the use of these systems to improve patient care.\n\n    My testimony will focus on three key aspects of the proposed rules \nfrom ONC and CMS published earlier this month that address Congress' \ndesire to improve the interoperability of health data and effective use \nof EHRs. 
Specifically, I will discuss:\n\n        *  provisions enabling easier extraction and use of \n        health data from EHRs via application programming interfaces \n        (APIs), which enable different technologies to communicate;\n\n        *  needed enhancements to better match patient records \n        across the different health care providers where individuals \n        seek care; and\n\n        *  necessary improvements to the usability of EHR \n        systems to address design and implementation factors that can \n        both introduce burdens on clinicians and contribute to medical \n        errors.\n\n    Enhanced Interoperability via Application Programming Interfaces\n    For patients to obtain their records or health care providers to \nexchange information, they first need the ability to effectively \nextract data from EHRs. To address that challenge, Congress required \nONC to develop new criteria for EHRs to make ``all data elements'' \navailable via APIs, which are software tools that allow systems to \nrequest and deliver information to other systems. APIs are the \nfoundation to the modern internet; they allow travel websites to \naggregate fares from different airlines, personal financial \napplications to pull data from an individual's accounts, and countless \nother everyday uses. \\1\\\n---------------------------------------------------------------------------\n    \\1\\  The Pew Charitable Trusts, ``Electronic Tools Can Strengthen \nHealth Care Data Access, Sharing'' (2018), \nhttps://www.pewtrusts.org/en/research-and-analysis/issue-briefs/2018/09/electronic-tools-can-strengthen-health-care-data-access-sharing.\n\n    Currently, EHRs often do not support the robust use of APIs for \ndata exchange, or if they do, those APIs can be implemented in \nproprietary ways that inhibit the use of the data by clinicians and \npatients. 
The Cures provision on APIs--colloquially referred to as \n``open APIs''--would let other technologies more readily access data \nwithin the system in a secure manner. The term ``open'' does not \nsuggest that health data can be freely accessed by any user. Instead, \n``open'' refers to the fact that these APIs would be easier to use, \nsuch as that the business and technical documentation would be publicly \navailable.\n\n    By including this provision in Cures, Congress recognized that APIs \nreflect the future of data exchange in health care. They can enable \npatients to access their health records, hospitals to better exchange \ndata with other organizations, and health care facilities to build and \nimplement new decision support tools on top of their EHRs.\n\n    In the recently proposed regulations, ONC implements this API \nprovision, making several critical decisions on the standards to use \nfor data and what information EHRs must be able to release.\n                   ONC Advances Standard, Secure APIs\n    For third-party technologies--like smartphone applications that \npatients use to download their records or clinical decision support \ntools that sync with EHRs--to utilize APIs to access data, the \ndevelopers of these tools must know how to request and access the \ninformation. When EHRs use different standards for APIs, each third-\nparty technology must change its systems to reflect every variation.\n\n    Recognizing this challenge, ONC sought to minimize the variability \nacross systems by requiring the use of standards for APIs. Achieving \nstandardization across APIs necessitates consistency both for how \ninformation can be accessed and how the data elements are represented. 
\nONC accomplishes that goal by requiring use of the Fast Healthcare \nInteroperability Resources (FHIR) standard, which technology developers \nare increasingly adopting, for how to exchange information.\n\n    However, FHIR permits the depiction of data elements in different \nways and considers the inclusion of some data as optional, which could \ninhibit interoperability. To reduce this variability, ONC proposes to \nrequire the use of an implementation guide developed by the Argonaut \nProject--a collaboration among technology developers and health care \nproviders--that provides constraints on how to implement FHIR.\n\n    This combination of the FHIR standard and the Argonaut Project \nimplementation guidelines will reduce the barriers to API use, so that \npatients and clinicians are better able to access data contained in \nEHRs. As ONC finalizes the rule, Congress should ensure that the agency \nmaintains its commitment to standardized APIs--both through the use of \nFHIR and refined implementation guidelines.\n                ONC Expands Data Elements Made Available\n    To fully take advantage of APIs as a tool to improve \ninteroperability and patient access to electronic health data, Congress \nrequired that they provide access to ``all data elements'' within an \nEHR system. In ONC's proposed rule, the agency provides guidance on \nwhat information constitutes ``all data elements'' that systems would \nbe required to make available.\n\n    In prior regulations, ONC has required EHRs to have APIs that make \ncertain information--referred to as the Common Clinical Data Set \n(CCDS)--available for patient access, such as through a smartphone \napplication. The CCDS contains some critical information, including \nmedications, laboratory tests ordered, and problem lists, but lacks \nother data, such as physicians' notes. ONC has proposed expanding and \nadjusting the CCDS to meet the statutory requirement of making ``all \ndata elements'' available. 
This expanded data set would be renamed the \nU.S. Core Data for Interoperability (USCDI), and would include \nadditional key information. ONC's proposed additions include:\n\n        <bullet>   Different types of clinical notes. These clinical \n        notes include free text entered by clinicians and other data \n        about laboratory and imaging observations, treatment plans, and \n        other aspects of care. In clinical notes, clinicians describe \n        the nuances of care and patients' medical conditions. The \n        addition of notes to the USCDI can give patients and other \n        clinicians critical information that may not be captured \n        effectively in structured fields or medical codes.\n\n        <bullet>   Provenance. Provenance indicates the author, the \n        author's organization, and a time stamp for data elements in \n        the EHR. The inclusion of provenance would allow patients and \n        clinicians to understand the origin of the data, such as \n        whether a medication was entered by a primary care physician or \n        at a hospital. The time stamp will allow applications to chart \n        or sort information, such as by listing patients' medications \n        starting with the most recent. The addition of provenance to \n        the USCDI would provide much needed context for the data.\n\n        <bullet>   Patients' addresses and phone numbers. The \n        availability of addresses and phone numbers will better enable \n        systems to link patient records across systems, and is \n        described in more depth below.\n\n        <bullet>   Pediatric vital signs. 
The inclusion of pediatric \n        vital signs would enable more precise care for children by \n        allowing different applications to model the growth of a \n        patient according to biologic reference ranges, and prescribe \n        the proper dosing of drugs based on weight and age.\n\n    ONC has also requested comments on whether to expand the \n``medication allergies'' list to also encompass reactions for other \nsubstances, such as food. By expanding this capability, clinical \ndecision support tools could, for example, alert clinicians when \npatients are allergic to substances from which medications are made, \nsuch as eggs or pigs, and could improve patient safety.\n         Electronic Health Information Export Could be Enhanced\n    ONC's implementation of the API provision from Cures supports API-\nbased access to some--but not all--data contained in EHRs. In parallel, \nthe ONC proposed rule also includes provisions that would facilitate \nthe extraction of a broader group of data--referred to as electronic \nhealth information (EHI)--from health information technology systems. \nThe EHI provision in the proposed rule would require EHR systems to \nsupport the export of all their patient data, and potentially \ninformation from other data bases connected to it. The EHI export \nfunction must support the export of an individual patient's data as \nwell as information on all patients in the system to allow health care \nproviders to switch EHR systems if they so choose.\n\n    Unlike the API provisions in the proposed rule, ONC does not \npropose to require that technologies make this information available \nvia any specific standards or format. Indeed, no such standard exists \nto describe all possible data elements across all EHRs. Instead, ONC \nindicates that the information should be extracted and remain \ncomputable wherever possible. 
Eventually, ONC states, it expects that \nhealth technologies would increasingly enable the extraction of EHI via \nAPIs.\n\n    As noted above, Cures required ONC to issue new criteria for EHRs \nto make ``all data elements'' available via APIs. However, ONC has \nproposed API requirements that would only expose a subset of data--the \nUSCDI--via APIs. To address the gap between what Congress required in \nCures and ONC's current proposal for APIs, Congress should encourage \nONC to expeditiously make all EHI available via APIs wherever possible. \n\\2\\ However, unlike the USCDI data, much of EHI data may not have \nwidely adopted standards or be easily exchanged via FHIR. Therefore, \nONC should require EHR vendors to support an API-based export \ncapability for all data elements (i.e., information beyond the USCDI), \neven without requiring any particular standard for EHI that is not part \nof the USCDI. Eventually, as standards are more widely adopted for \ndifferent data elements that are made available via the EHI provision, \nONC should expand the USCDI to encompass more of this information.\n---------------------------------------------------------------------------\n    \\2\\  Josh Mandel, ``Cures Envisions APIs for `All data'; ONC \nProposes `a Limited Set' '' (2019), https://github.com/jmandel/interop-\n2019-nprms/blob/master/ehi-export.md.\n---------------------------------------------------------------------------\n               Timeline for Health Care Provider Adoption\n    Historically, ONC releases regulations for a new edition of \ncertification criteria for EHRs and separately CMS issues rules for \nhealth care providers to adopt technologies that meet those \nrequirements.\n\n    However, as currently written, ONC's regulations would require \ntechnologies certified to the 2015 version of the criteria to upgrade \nto meet provisions in the new regulations within approximately 2 years \nof when they are finalized by the agency. 
By the end of that 2-year \nperiod, health care providers that have not upgraded their systems to \ninclude functions--such as for APIs and EHI--required by the new \nregulations would no longer be using certified products and could fall \nout of compliance with CMS requirements.\n\n    In effect, ONC has created a system that would require several \nsteps to occur in approximately 2 years: the development of new \nfunctions by EHR vendors; the testing and certification of those \nfunctions; implementation of changes at health care facilities; \ncustomization and configuration of the technology by health care \nproviders; the testing of systems to ensure that they function properly \nwithin a facility and do not introduce inadvertent patient safety \nrisks; and the training of staff.\n\n    Given all the steps that need to occur during that time period, \nCongress should ensure that these systems, once implemented, are \nsufficiently tested--including for safety--by health care providers. \nAdditionally, ONC should work with CMS to ensure that the timeline the \nagency finalizes in the regulations is not subsequently delayed. This \nassurance would provide certainty to both EHR developers and health \ncare providers on government's expectations on when these provisions \ntake effect.\n      CMS Regulations Advance API Use for Patient Access to Claims\n    In parallel to ONC's regulations, the CMS proposed rule also \nadvances the use of standard, FHIR-based APIs for patients to gain \naccess to their information held by health plans. This would allow \npatients to--for example--download claims data on their phones, giving \nthem a holistic understanding of the services and treatments that they \nhave received from different health care providers. 
Equipping patients \nwith their claims data builds on previous efforts from CMS to leverage \nthis information, including by providing increased access to the data \nby researchers working to identify ways to improve care quality and \nreduce costs. \\3\\\n---------------------------------------------------------------------------\n    \\3\\  Centers for Medicare & Medicaid Services, ``CMS Administrator \nVerma Unveils New Strategy to Fuel Data-driven Patient Care, \nTransparency,'' Apr. 26, 2018, https://www.cms.gov/newsroom/press-\nreleases/cms-administrator-verma-unveils-new-strategy-fuel-data-driven-\npatient-care-transparency.\n---------------------------------------------------------------------------\n\n    Claims are especially useful because, unlike other information \nsources, they contain data for nearly every encounter an individual has \nwith the health care system. Claims are standardized for providers and \npayers, resulting in easier aggregation of information across the \nhealth care system. As CMS states in this proposed rule, ``[w]hereas \nEHR data is frequently locked in closed, disparate health systems, care \nand treatment information in the form of claims and encounter data is \ncomprehensively combined in a patient's claims and billing history.''\n\n    CMS' efforts to give patients access to their claims data and \nprovide researchers with this information, while laudable, omit one \ncritical element particularly important for the Medicare population. \nCurrently, claims only indicate that a procedure was performed--for \nexample, a total knee replacement--but not the brand and model of \nimplant used. In parallel, the unique device identifier system \ndeveloped by the Food and Drug Administration (FDA) provides each \nmedical device with a code corresponding to its brand and model. 
Adding \nthe device identifier to claims can fill the gap, and provide patients, \nclinicians, and researchers with additional information on products \nused to sustain life and support care. \\4\\\n---------------------------------------------------------------------------\n    \\4\\  The Pew Charitable Trusts, ``Unique Device Identifiers Improve \nSafety and Quality'' (2016), https://www.pewtrusts.org/en/research-and-\nanalysis/fact-sheets/2016/07/unique-device-identifiers-improve-safety-\nand-quality.\n\n    Incorporating device identifiers in claims can also generate \nsignificant savings. The Department of Health and Human Services Office \nof the Inspector General (OIG) found that the failures of just seven \ntypes of cardiac implants cost Medicare $1.5 billion to treat affected \npatients, and an additional $140 million directly to beneficiaries in \nout-of-pocket costs. \\5\\ These findings led the OIG to support the \naddition of device identifiers to claims. The White House's fiscal 2020 \nbudget request for FDA also listed strong support for the addition of \ndevice identifiers to claims. 
\\6\\ For CMS to effectively equip patients \nwith their data--including from claims--and provide researchers with \ninformation to evaluate care, the agency should ensure that claims \ncontain critical information on the products used.\n---------------------------------------------------------------------------\n    \\5\\  Department of Health and Human Services Office of Inspector \nGeneral, ``Shortcomings of Device Claims Data Complicate and \nPotentially Increase Medicare Cost for Recalled and Prematurely Failed \nDevices'' (2018), https://oig.hhs.gov/oas/reports/region1/11500504.pdf.\n    \\6\\  Food and Drug Administration, ``FDA Fiscal Year 2020 \nJustification of Estimates for Appropriations Committees'' (2019), \nhttps://www.fda.gov/downloads/AboutFDA/ReportsManualsForms/Reports/\nBudgetReports/UCM633738.pdf.\n\n    Given broad support across the health care industry and CMS' \nrecognition of the importance of access to claims data, Congress should \nensure that device identifiers are incorporated into claims.\n Ineffective Patient Matching Also Inhibits Widespread Interoperability\n    To achieve interoperable exchange of medical data, health \norganizations must also know that they are communicating about the same \nperson. Presently, up to half of the information exchanges made by \nhealth care organizations may fail to accurately match records for the \nsame patient. Both ONC and CMS included requests for information (RFIs) \non patient matching in their proposed rules.\n\n    To accurately match records held at different health care \nfacilities, organizations typically compare patients' names, dates of \nbirth, and other demographic data to determine if records refer to the \nsame individual. Health care facilities use algorithms to conduct these \nmatches, and also employ staff to manually review records--which is \nboth costly and time consuming. 
This process, referred to as patient \nmatching, often fails to accurately link records because of typos \nentered into the system; similarities in names, birth dates or \naddresses among different patients; changing information, such as when \nindividuals move or get married; and many other reasons. \\7\\\n---------------------------------------------------------------------------\n    \\7\\  The Pew Charitable Trusts, ``Enhanced Patient Matching Is \nCritical to Achieving Full Promise of Digital Health Records'' (2018), \nhttps://www.pewtrusts.org/en/research-and-analysis/reports/2018/10/02/\nenhanced-patient-matching-critical-to-achieving-full-promise-of-\ndigital-health-records.\n---------------------------------------------------------------------------\n\n    While some private sector technologies--such as referential \nmatching, wherein third-party data are used to support matches--show \npromise, market forces have been unable to solve the patient matching \nproblem for decades. In fact, patient matching requires collaboration \nbetween unaffiliated organizations, even competitors, that lack \nincentive to agree to a set of standards or develop systems that \nseamlessly exchange information.\n\n    Recognizing that effective patient matching is necessary to achieve \ninteroperability, a provision in Cures championed by several Members of \nthis Committee required the Government Accountability Office (GAO) to \nevaluate steps that ONC and the private sector have taken to address \nthis challenge. \\8\\ The GAO report highlights a solution that many \norganizations--including a contractor to ONC--have proposed: consistent \nuse of standards for demographic data. 
\\9\\\n---------------------------------------------------------------------------\n    \\8\\  Government Accountability Office, ``Approaches and Challenges \nto Electronically Matching Patients' Records across Providers'' (2019), \nhttps://www.gao.gov/products/GAO-19-197.\n    \\9\\  Genevieve Morris et al., ``Patient Identification and Matching \nFinal Report'' (2014), https://www.healthit.gov/sites/default/files/\npatient_identification_matching_final_report.pdf.\n\n    In parallel, Pew conducted 2 years of research--including \ninterviews with health care providers, focus groups with patients, and \ncontracted studies--to examine different ways to address matching \nchallenges. The Pew research--summarized in a report released in \nOctober 2018--examined four main opportunities: the standardization of \ndata; the use of unique identifiers or biometrics (such as facial \nrecognition or fingerprint scans); a smartphone-based, patient-led \nsolution; and referential matching.\n       ONC Should Advance Standardization to Improve Match Rates\n    While no single solution will completely solve the patient matching \nproblem, our research identified concrete steps ONC can take to make \nmeaningful progress to address this challenge.\n\n    First, ONC should require the use of standards for certain \ndemographic data elements. In Pew-funded research published earlier \nthis month, researchers at Indiana University studied whether the \nstandardization of different data elements improves patient matching \nrates. 
\\10\\ Indiana University researchers attempted to match records \nin four data bases, standardized the data in those data bases, and then \nretried matching the records to determine whether that standardization \nyielded better results.\n---------------------------------------------------------------------------\n    \\10\\  Shaun J Grannis et al., ``Evaluating the Effect of Data \nStandardization and Validation on Patient Matching Accuracy,'' Journal \nof the American Medical Informatics Association (2019), https://\ndoi.org/10.1093/jamia/ocy191.\n---------------------------------------------------------------------------\n\n    The research revealed that the standardization of address to the \nstandard employed by the U.S. Postal Service (USPS), which details the \npreferred abbreviations for street suffixes and states, for example, \nwould improve match rates by approximately 3 percent. One technology \ndeveloper indicated that this would help their system match an \nadditional tens of thousands of records per day. Separately, \nstandardizing last name--while showing limited utility on its own--\nwould further improve match rates if done in addition to address \nstandardization.\n\n    ONC already proposes in the new recent regulations to embed address \nin the USCDI, but further improvements in match rates could be realized \nif the agency simply updates this provision to require use of the USPS \nstandard when matching records. Software that automatically converts \naddresses to the USPS standard after they are input into the system is \navailable in the commercial market; it is the reason many websites, for \nexample, automatically make format changes to your address at the time \nyou place an online order. 
Use of this standard would not necessarily \nrequire workflow changes at the point of patient registration, and \nwould meaningfully help better link records using the general processes \nthat providers already employ.\n\n    Second, the use of additional data elements could also improve \nmatch rates. For example, research published in 2017 showed that email \naddresses are already being captured in more than half of patient \nrecords. \\11\\ However, email address is not typically used for matching \ndespite its widespread availability. ONC could improve match rates by \nidentifying and including in the USCDI readily available data \nelements--potentially email address, mother's maiden name, or insurance \npolicy identification number--that health information technologies \nshould use for matching.\n---------------------------------------------------------------------------\n    \\11\\  Adam Culbertson et al., ``The Building Blocks of \nInteroperability: A Multisite Analysis of Patient Demographic \nAttributes Available for Matching,'' Applied Clinical Informatics 8, \nno. 
2 (2017): 322-336, https://doi.org/10.4338/ACI-2016-11-RA-0196.\n\n    Given the effect of low match rates on patient safety and health \ncare spending, as well as the failure of the market to address this \nchallenge, Congress should work with ONC to ensure that the agency is \nrequiring use of better standards for address and enabling the \nutilization of additional data elements for matching.\n   ONC Should Leverage Key Cures Provisions to Improve Usability and \n                                 Safety\n    Along with barriers to the interoperable exchange of data among \nhealth care providers and to patients, Congress also recognized in \nCures that subpar EHR usability hampers the ability of these systems to \nmeet their full potential in delivering more efficient and safer care.\n\n    Usability refers to the layout and design of systems, and how their \ncustomization, configuration, and implementation affects their use by \nclinicians. Usability-related safety problems can emerge due to \nconfusing interfaces, the need to develop workarounds to complete \ntasks, an overabundance of unnecessary alerts, and many other issues \ngiven the central role that EHRs increasingly have in helping \nclinicians order procedures, review health information, and obtain \ndecision support.\n\n    Poor usability has two major consequences. First, ineffective \nusability can contribute to clinician burden and burnout, which can \nmake them more susceptible to making errors. \\12\\ Second, poor \nusability can contribute directly to patient harm through errors that \noccur when clinicians interact with the EHR. Pew collaborated with \nMedStar Health's National Center for Human Factors in Healthcare to \nexamine the contribution of EHR usability to medication safety events \nin three health care organizations that treat pediatric patients. The \nresearch, published in Health Affairs last year, revealed that EHR \nusability contributed to 3,243 of 9,000 safety events examined. 
\\13\\ Of \nthose usability-related events, more than 80 percent involved an \ninappropriate drug dose, and 609 of the usability-related events \nreached patients. In one case, a transplant patient missed days-worth \nof medication that would help prevent organ rejection. In another case, \nthe blood transfusion for a newborn in critical condition was delayed \ndue to the inability to create a record. These findings, including \nother research conducted by MedStar Health, found a clear link between \nthe usability of EHRs and patient safety. \\14\\\n---------------------------------------------------------------------------\n    \\12\\  Louise H. Hall et al., ``Healthcare Staff Well-being, \nBurnout, and Patient Safety: A Systematic Review,'' PLOS One, July 8, \n2016: https://doi.org/10.1371/journal.pone.0159015; and Maria Panagioti \net al., ``Association Between Physician Burnout and Patient Safety, \nProfessionalism, and Patient Satisfaction: A Systematic Review and \nMeta-analysis,'' JAMA Internal Medicine 2018;178(10):1317-1331. \ndoi:10.1001/jamainternmed.2018.3713.\n    \\13\\  Raj M. Ratwani et al., ``Identifying Electronic Health Record \nUsability and Safety Challenges in Pediatric Settings,'' Health Affairs \nvol. 37, no. 11: Patient Safety (2018): https://doi.org/10.1377/\nhlthaff.2018.0699.\n    \\14\\  Jessica L. Howe et al., ``Electronic Health Record Usability \nIssues and Potential Contribution to Patient Harm,'' Journal of the \nAmerican Medical Association 319, no. 12 (2018): 1276-78, http://\ndx.doi.org/10.1001/jama.2018.1171.\n\n    ONC has an opportunity to improve system usability and patient \nsafety under the existing authority provided to the agency by Congress \nas part of Cures. Congress has required that ONC create voluntary \ncertification criteria for EHRs used in the care of children and \ndevelop a new EHR reporting program that could be used to identify and \naddress usability issues. 
Patient safety could be greatly improved if \nONC makes it a priority during their implementation of these \nprovisions.\n   Pediatric EHR Certification Program Should Include Patient Safety\n    The health care needs of children and adults differ substantially; \nfor example, pediatric patients often receive medication dosage amounts \nbased on their weight. Given differences such as this, Congress \nincluded provisions in Cures for ONC to develop and adopt new voluntary \ncriteria for EHRs used in the care of children.\n\n    In the proposed rule, ONC identified 10 clinical priorities for \npediatrics, including weight-based dosing, use of biometric norms for \ngrowth charts, as well as age- and weight-specific dose range checking. \nThe 10 clinical priorities selected by ONC rightly recognize many of \nthe key clinical priorities for pediatric patients, including factors \nthat research has shown contribute to patient safety problems. However, \nONC should build on the provisions in its regulations to further \nimprove the usability and safety of EHRs. Specifically, ONC could take \nconcrete steps to tailor the certification program to pediatric care \nand improve patient safety:\n\n        <bullet>   Involve pediatric end users. ONC currently requires \n        EHR developers to involve at least 10 end users of the system \n        in testing the system for certification. However, research \n        suggests that some health information technology developers do \n        not use appropriate end users to test their systems. \\15\\ ONC \n        should clarify that any EHR developer seeking certification for \n        pediatric functionalities should test the system using \n        pediatric-focused clinicians, such as pediatricians and \n        pediatric nurses. 
ONC could indicate, for example, that at \n        least five of the 10 end-users participating in testing have \n        pediatric expertise to obtain this certification.\n---------------------------------------------------------------------------\n    \\15\\ Raj M. Ratwani et al., ``Electronic Health Record Vendor \nAdherence to Usability Certification Requirements and Testing \nStandards,'' Journal of the American Medical Association 314, no. 10 \n(2015): 1070-71, http://dx.doi.org/10.1001/jama.2015.8372.\n---------------------------------------------------------------------------\n\n        <bullet>   Use pediatric-focused scenarios. EHR developers \n        currently use different testing scenarios--which mimic real \n        clinic events and workflows--to demonstrate the functionality \n        of their systems. To obtain certification for pediatric \n        functionality, ONC should clarify that some of the testing \n        scenarios must focus on situations involving children as \n        patients.\n\n        <bullet>   Utilize mock pediatric data. EHR developers use data \n        on mock patients to demonstrate that their technologies meet \n        ONC's certification program. ONC supplies some test data for \n        those assessments. 
For a pediatric-focused certification, ONC \n        should supply test data for mock pediatric patients and clarify \n        that the test data used must involve mock data of children.\n\n    As ONC revises its approach to the voluntary certification program \nfor EHRs used in the care of children, Congress should work with the \nagency to prioritize patient safety and system usability by ensuring \nthat these common-sense approaches are incorporated.\n   Usability Criteria in EHR Reporting Program Should Include Safety\n    Through Cures, Congress also requires ONC to develop a reporting \nprogram to examine several different functions of EHRs, including \nsystem interoperability, security, usability and user-centered design. \nFindings obtained via this EHR Reporting Program, as envisioned by \nCongress, would be publicly available on ONC's website.\n\n    Late last year, ONC began implementing this provision. The agency \nselected a contractor to administer the program, and issued an RFI to \nobtain input on what data to collect on the use and functions of EHRs. \n\\16\\ While the recent regulations do not implement this provision from \nCures, ONC is expected to issue associated rulemaking in the future.\n---------------------------------------------------------------------------\n    \\16\\  Office of the National Coordinator for Health Information \nTechnology, ``Request for Information Regarding the 21st Century Cures \nAct Electronic Health Record Reporting Program,'' Federal Register, \nAug. 17, 2018, https://www.regulations.gov/document?D=HHS-ONC-2018-\n0022-0001.\n\n    In response to the RFI, organizations representing clinicians, \nhealth technology professionals, and hospitals--among others--urged ONC \nto incorporate safety in the usability aspects of the program, though \nimportantly not as a separate category. 
\\17\\ Pew provided \nrecommendations to ONC on how to collect some of this information, and \nis collaborating with MedStar Health to identify additional \nopportunities for embedding safety into the usability aspects of the \nEHR Reporting Program.\n---------------------------------------------------------------------------\n    \\17\\  Ben Moscovitch, ``Medical Groups Urge Federal Government to \nStrengthen Health IT Usability, Safety,'' Dec. 11, 2018, https://\nwww.pewtrusts.org/en/research-and-analysis/articles/2018/12/11/medical-\ngroups-urge-Federal-government-to-strengthen-health-it-usability-\nsafety.\n\n    Congress has provided ONC a prime opportunity to improve the \nusability--and consequently, safety--of EHRs. As ONC implements this \nprogram, this Committee should work with ONC to ensure that the \nusability aspects of the EHR Reporting Program focus on the facets of \nusability that contribute to unintended patient harm.\n                               Conclusion\n    The bipartisan passage of Cures launched a new era for improving \nEHR interoperability and patient safety. As CMS and ONC continue their \nimplementation of Cures and other policies related to health \ninformation technology, this Committee can play an important role in \nthe coming months by ensuring that these agencies carry out the goals \nexpressed by Congress. 
Specifically, this Committee can conduct \noversight in several key areas:\n\n        <bullet>  Support ONC's efforts to require secure, standard API \n        access to a wide range of health data, including clinical \n        notes;\n\n        <bullet>  Address the gap between Congress' requirements in the \n        21st Century Cures Act and ONC's current proposal to advance \n        the release of more data--including all EHI--via APIs;\n\n        <bullet>  Advance the addition of device identifiers to claims;\n\n        <bullet>  Encourage ONC to address patient matching through the \n        use of the USPS standard for address and the incorporation of \n        additional demographic data elements in the USCDI;\n\n        <bullet>  Press ONC to focus on addressing the risks to patient \n        safety as part of the voluntary criteria for EHRs used in the \n        care of children; and\n\n        <bullet>  Urge ONC to embed safety in the usability aspects of \n        the EHR Reporting Program.\n\n    By taking these steps in the coming months, Congress can provide \npatients and clinicians with better access to health data, reduce \nmedical errors associated with the use of EHRs, and continue to ensure \nthat the potential of the 21st Century Cures Act is fully realized on \nbehalf of patients and clinicians across the country.\n\n    Thank you for holding this hearing today, and for your bipartisan \ncommitment to improving the interoperability, usability and safety of \nelectronic health records. I look forward to answering any questions \nyou may have.\n                                 ______\n                                 \n                 [summary statement of ben moscovitch]\n    Electronic health records (EHRs) have revolutionized how clinicians \ndeliver care by equipping them with better tools to document patients' \nhealth status, safely prescribe medications, and otherwise order health \ncare interventions. 
And, these tools have the potential to make it \neasier for patients and clinicians to have more complete and robust \ndata to coordinate care across health settings.\n\n    Seeking to build on the improvements spurred on by the digitization \nof paper records, Congress recognized that gaps remain in realizing the \nfull potential of EHRs to give patients their data, make care more \nefficient, and enhance patient safety. The 21st Century Cures Act \n(Cures) marked an important step toward addressing these gaps by \noptimizing the use of these technologies and addressing barriers to \nboth the effective exchange of health data, known as interoperability, \nand the usability of these systems.\n\n    My testimony will focus on three key aspects of the recently \nproposed rules from the Office of the National Coordinator for Health \nInformation Technology (ONC) and the Centers for Medicare & Medicaid \nServices (CMS) published earlier this month that address Congress' \nvision to improve the interoperability of health data and effective use \nof EHRs. Specifically, I will focus on:\n\n        <bullet>  provisions enabling easier extraction and use of \n        health data from EHRs via application programming interfaces \n        (APIs), which enable different technologies to communicate;\n\n        <bullet>  needed enhancements to better match patient records \n        across different health care providers; and\n\n        <bullet>  necessary improvements to the usability of EHR \n        systems to address design and implementation factors that can \n        both introduce burdens on clinicians and contribute to medical \n        errors.\n\n    As CMS and ONC continue their implementation of Cures, this \nCommittee has an opportunity to ensure that these agencies carry out \nthe goals expressed by Congress. 
Specifically, this Committee can \nconduct oversight in several key areas:\n\n        <bullet>  support ONC's efforts to require secure, standard API \n        access to a wide range of health data;\n\n        <bullet>  advance the addition of device identifiers to claims;\n\n        <bullet>  encourage ONC to address patient matching through the \n        use of the better standards for address and exchange of \n        additional demographic data elements;\n\n        <bullet>  press ONC to focus on addressing the risks to patient \n        safety as part of the voluntary criteria for EHRs used in the \n        care of children; and\n\n        <bullet>  urge ONC to embed safety in the usability aspects of \n        the EHR Reporting Program established by Cures.\n\n    By taking these steps in the coming months, Congress can provide \npatients and clinicians with better access to health data, reduce \nmedical errors associated with the use of EHRs, and continue to ensure \nthat the potential of the 21st Century Cures Act is fully realized for \npatients and clinicians across the country.\n                                 ______\n                                 \n    The Chairman. Thank you, Mr. Moscovitch.\n    Ms. Savage, welcome.\n\n     STATEMENT OF LUCIA C. SAVAGE, J.D., CHIEF PRIVACY AND \n   REGULATORY OFFICER, OMADA HEALTH, INC., SAN FRANCISCO, CA\n\n    Ms. Savage. Chairman Alexander, Ranking Member Murray, and \nthe entire Committee, thank you for the opportunity to speak \nwith you today.\n    From October 2014 through January 2017, I served as Chief \nPrivacy Officer at ONC. I was the senior advisor for efforts to \nenable patients to get their health information through apps, \nand I provided technical assistance as you were drafting 21st \nCentury Cures. 
After leaving ONC, I joined Omada Health, a \nlate-stage, privately held healthcare company that focuses on \nchronic disease prevention and management, as well as \nsupporting people with anxiety and depression. We utilize a \nsecure digital communications platform to connect individuals \nto professional health coaches--no robots here. In the process, \nour participants share their health information just like they \nwould with any other provider. We analyze that information in \nreal time using proprietary data science and we feed actionable \ninsights back to the individual and his or her health coach in \nreal time on a secure app. The result is health care services \nthat scale quickly and leverage those individual insights at \nthe population health level.\n    One of my duties at Omada is to oversee its operations as a \nhealth care service provider and covered entity under HIPAA. In \nother words, we are just like a doctor's office under Federal \nlaw. That means that for our business, all of the HIPAA \nprivacy, security, and breach notification rules apply. ONC \nproposes some bold reforms that could significantly impact the \nway facts are shared and that should foster innovation. Among \nthe most impactful things they propose is that information \nblocking rules apply to business-to-business transactions. This \nis a logical and necessary next step to achieving the vision of \nan innovative healthcare system where health facts can flow \nappropriately and securely to benefit patients.\n    Included in my supplemental remarks is an article published \nyesterday by the American Bar Association Antitrust Law Journal \nwhere professors Martin Gaynor, Julia Adler-Milstein, and I \nexamine the anti-competitive effects of B2B health information \nexchange absent ONC's rule. 
There are, however, three areas \nwhere ONC could push its vision more aggressively or the agency \nmay want to consider unintended consequences of its rulemaking.\n    First, the ONC rule does strike a good balance on privacy \nand security. It has appropriate exceptions for privacy \npromises made to individuals, for state or Federal laws, for \nsecuring one's own system, for system maintenance, and for \nsafety. However, the rule proposes ongoing deference to \norganizational policies that might be at odds with \ndemocratically developed privacy laws that support \ninteroperability. I encourage ONC to consider a transition or \nsunset period, during which institutions have time to adapt to \napp-enabled health information exchange, and to eliminate \norganizational policies that block appropriate flow of health \nfacts.\n    Second, 21st Century Cures applies the prohibition against \ninformation blocking to developers of health information \ntechnology. However, the ONC proposal applies that only to a \nsubset of certified health information technology, primarily \ncertified EHRs. This limitation leaves out many types of health \ninformation technology where individuals' health facts are \ncollected. For example, the proposed rule does not reach to \nhealth information technology in the emerging world of \nconnected devices or software as a medical device, and it seems \nto omit any non-certified EHR, such as a lab or pharmacy \nelectronic record system that is not certified.\n    Third, ONC proposes to allow technology developers to \nlicense interoperability elements. Licenses must not be so \nexpensive or so restricted as to interfere with or stifle \ninnovation, or create barriers to new entrants. As ONC \nfinalizes the concept of interoperability elements it is \ncritical that it clarify that the health facts within that \nsoftware are never to be licensed. 
Omada made this point in our \nrecent proposal response to the RFI from the Office for Civil \nRights, and I have included those comments in my supplemental \nmaterials.\n    Finally, I applaud CMS's efforts to ensure that people have \nthe same app-enabled access to their health facts from health \nplans as they do from providers. CMS expects that common \nconsumer tools like laptops, smartphones, and apps will be used \nthroughout the healthcare system. In the health care startup \nworld, we use these common consumer tools every day to connect \nwith and deliver valuable health care services to individuals.\n    We are excited to have the barriers to interoperability \nfall, and we look forward to a time when the barriers fall for \nus to be paid for efficacious health care services with these \ncommon consumer tools.\n    Thanks again for the opportunity to testify and I look \nforward to answering your questions.\n    [The prepared statement of Ms. Savage follows:]\n\n                 PREPARED STATEMENT OF LUCIA C. SAVAGE\n                 \n[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                 \n                 \n\n                  [summary statement of lucia savage]\n    Lucia C. Savage, JD, is Chief Privacy and Regulatory Officer at \nOmada Health. From October 2014 to January 2017 she served as Chief \nPrivacy Officer at the Office of the National Coordinator for Health IT \n(ONC). At ONC, Ms. Savage was the senior privacy advisor on an \nindividual's rights to get their own health data electronically and by \napp. She also provided technical assistance in drafting the health \ninformation technology provisions of Cures.\n\n    Her current employer, Omada Health, is a late-stage, privately-held \nhealth care company focused on chronic disease prevention and \nmanagement, as well as supporting those dealing with anxiety and \ndepression. Omada utilizes a secure digital communications platform to \nconnect individuals to professional coaches. 
In the process, its \nparticipants share their health information, just as they would with \nany healthcare provider. Omada is a health care provider and a covered \nentity under HIPAA, legally just like a doctor's office. The HIPAA \nPrivacy, Security and Breach Notification rules apply to Omada.\n\n    Ms. Savage will testify that:\n\n        <bullet>  While the ONC rule strikes a good balance on privacy \n        and security, the rule proposes ongoing deference to \n        organizational policies that might be at odds with privacy laws \n        that support interoperability. Rather than deference, a \n        transition or sunset period might be appropriate for \n        organizational policies.\n\n        <bullet>  The prohibition against information blocking should \n        apply more widely to ``health information technology'' (a term \n        defined in 21st Century Cures), and not just to certified EHR \n        developers. A more expansive reach will more effectively and \n        quickly assure that individuals can get and use their health \n        facts wherever they are collected in the healthcare system.\n\n        <bullet>  ONC should clarify its proposal on licensing \n        ``interoperability elements'' to ensure that an individual's \n        health facts are never subjected to such licenses, and that the \n        licenses themselves are not so strict or expensive as to \n        inhibit innovation.\n\n        <bullet>  Omada is fully committed to interoperable exchange of \n        health facts, and sees the full implementation of these rules \n        as an opportunity for growth, even if it means that Omada, \n        which is not currently a provider type proposed to be covered \n        by the rule, is in scope for the rule's reach.\n\n        <bullet>  CMS timely proposes to require health plans to make \n        individuals' health facts available from plans on the same \n        conditions as those facts are available from 
providers. This \n        proposal, if finalized will ensure consumers can continue to \n        use everyday consumer tools, like laptops, smartphones and apps \n        to get care and manage their health.\n                                 ______\n                                 \n    The Chairman. Thank you, Ms. Savage.\n    Dr. Rehm, welcome.\n\nSTATEMENT OF CHRISTOPHER REHM, M.D., CHIEF MEDICAL INFORMATICS \n            OFFICER, LIFEPOINT HEALTH, BRENTWOOD, TN\n\n    Dr. Rehm. Thank you very much. Chairman Alexander, Ranking \nMember Murray, and Members of the Senate HELP Committee, thank \nyou for the opportunity to testify before you today.\n    As Chairman Alexander stated, I am the Chief Medical \nInformatics Officer at LifePoint Health. And LifePoint Health \nis a provider organization that provides care in over 89 \ncommunities in 30 states across the United States. Our clinical \ntechnology environment consists of over 20 distinct inpatient \nand ambulatory EHRs, and countless vendor partners providing \ndepartmental and point solutions. It takes a tremendous amount \nof effort for our team to build, configure, and tie together \nthese systems so that our medical teams are set up for success \nto provide safe, efficient, high quality care to every patient \nwe see in the communities that we serve. Despite our best \nefforts, our providers and patients are impacted by the lack of \ninteroperability daily.\n    The desire to make electronic health information freely \navailable spans the political spectrum and has been a long-\nstanding goal of both patients and medical teams. I am here \ntoday as a healthcare provider, someone who has taken care of \npatients, and supports others who take care of patients. I love \nmy work and my colleagues love their work, but this is hard. 
\nThe lack of interoperability associated with our medical \ntechnology, some of it related to the technology itself, some \nof it related to the regulations that apply to this technology, \nmake it harder to do our job. Electronic medical records, \nmedical devices, and patient monitors are supposed to help us \nbe better caregivers. Instead these technologies frequently add \nto the complexity and burden that we feel.\n    Today, I will touch on some of the causes and offer \nsuggested solutions to lessen the provider burden and move \ntoward the interoperable future that we all desire. First, \nproviders do not build these technologies. We purchase them \nfrom vendors. It is commonplace that vendors develop products \nthat do not interoperate. Many vendors release products that \nmeet minimum standards for ONC certified technology. Their \ncontracts do not cover the maintenance for updating them when \nnew regulations come about. It is up to the provider \norganizations to cover the cost and the burden of implementing \nthese add-ons to cover new regulations.\n    In addition to being costly, upgrades take time. Where we \nare often given 6 months to comply with CMS regulations, it can \ntake up to 12 months for a provider organization to review, \nconfigure, test, train all of our end users, and deploy \nnumerous vendor technologies, ensuring that we do not break \nhundreds of existing custom interfaces that are already in \nplace. We applaud the ONC proposal to require health IT vendors \ndemonstrating that their products are usable for patients and \nproviders in a real-world environment. 
We need our health care \ntechnology and software systems to work in real life settings \nin concert with other vendor technologies if we expect to meet \nthe needs of patients and providers now and in the future.\n    Second, where the HITECH Act catalyzed the move from paper to \ndigital records via provider-based incentives and penalties, \nunfortunately it did not address or create the underlying \ninfrastructure of interoperability to enable data liquidity \nacross technologies. Provider organizations have been left to \nbridge the gap with interface engines, workarounds, and manual \nprocesses with varying degrees of success and reliability. This \nlack of infrastructure is troublesome for a number of reasons, \nfrom privacy and security challenges to the ability of \nproviders to seamlessly send and receive data. For example, the \nCMS proposed rule would require hospitals to send electronic \nnotifications when a patient is admitted, discharged, or \ntransferred as part of the conditions of participation.\n    In order to comply with the condition of participation, \nproviders must clearly understand the requirement and the \nobjective compliance measure. This proposal lacks both of those \nelements, which is concerning given the tremendous penalties \nhospitals face for failing to comply with conditions of \nparticipation. Instead, I encourage the administration to focus \non its current activities to improve interoperability, such as \ncontinuing to advance the goals of the Trusted Exchange \nFramework and Common Agreement, known as TEFCA, and vendor \naccountability for the products that they develop. Another \nvictim of this lack of infrastructure is patient-provider trust \nthat data will be secure and used appropriately. 
The proposals \nboth envision that unvetted third-party applications will be \naccessing patient electronic health data via open APIs.\n    Personally, I like the idea of controlling my own data, but \nthe truth is the vast majority of us, me included, do not read \nthe entire terms of use agreement on every app or website that \nwe enroll in. We believe our data is more private and secure \nthan it actually is. The entrance of non-health care actors \ninto the healthcare market, particularly those that fall \noutside of HIPAA requirements, necessitates strong principles \nof trust and security. One approach that supports innovation \nand provides the needed safeguards to govern personal \nelectronic health data is an industry backed process to \nindependently vet these applications to ensure they meet all \nrelevant security standards, use data appropriately and in line \nwith consumer expectations, and for those applications that \noffer medical advice, is the advice clinically sound?\n    In closing, Government policies must allow digital health \ninformation to be exchanged in a way that protects and \nprioritizes the health interests of individuals and the health \nsystems and clinicians who care for them. In this technological \nage, it is important we all remember that deployment of health \ninformation technology, interoperability, data exchange, and \nsecurity are all in service of delivering the highest quality \ncare. It is not about the technology. It is about the patients, \ntheir care, and their outcomes.\n    Thank you for the opportunity to speak today. I have \nadditional information on these topics in my written testimony \nI hope you will also consider.\n    [The prepared statement of Dr. Rehm follows:]\n                 prepared statement of christopher rehm\n    Chairman Alexander, Ranking Member Murray, and Members of the \nSenate HELP Committee, thank you for the opportunity to testify before \nyou today. 
It is an honor to be invited to participate in today's \ndiscussion.\n\n    My name is Christopher Rehm. I am a physician and the Chief Medical \nInformatics Officer at LifePoint Health. LifePoint Health is a provider \norganization that delivers Acute, Emergency, Post-Acute and Outpatient \ncare for over 85 communities in 30 states. Our clinical technology \nenvironment consists of 10 different Inpatient electronic health \nrecords (EHRs), greater than 10 Ambulatory EHRs, and countless vendor \npartners providing departmental, ancillary and point solutions. My team \nand I work with our hospitals and providers to build, configure and tie \ntogether these systems so that our providers are set up for success to \nprovide safe, efficient, high quality care to each and every patient we \nsee in the communities we serve.\n\n    The desire to make electronic health information freely available \nspans the political spectrum and has been a long-standing goal of \npatients and those who care for them. These proposed rules represent an \nimportant step in our journey to achieve the ultimate aims of a truly \nperson-centric health care delivery system. I applaud this Committee \nand Federal health agencies for recognizing the need to improve \nexisting regulations to keep pace with evolving technologies and \ninnovations. I support the ability of patients to have access to their \nhealth information and understand that the future health of our \npopulation and the sustainability of our industry depends upon the \ntimely, efficient movement of data.\n\n    There are several ways that we can choose to navigate toward this \nfuture state. The new Centers for Medicare & Medicaid Services (CMS) \nand Office of the National Coordinator for Health Information \nTechnology (ONC) rules represent the interpretation of the great work \nthat this Committee did on the 21st Century Cures Act. And we support \nthe general direction of the rules. 
Having said that, if we do not take \ntime to consider how these new rules may affect certain stakeholders in \nthe health care ecosystem, especially providers and patients, the \ndecisions that we make today may have unintended consequences for years \nto come.\n          Cost and Regulatory Burden of Health IT on Providers\n    I am here today as a health care provider--someone who has taken \ncare of patients and oversees others who take care of patients. I love \nmy work because there is no other place or profession where people are \nso consistently caring and devoted to alleviating human suffering \ncaused by disease. But many of the forces facing hospitals, doctors, \nnurses and patients make it really hard to do the job well.\n\n    Some of the most stifling forces are those imposed by our \ntechnology and the regulatory policies that govern them. Electronic \nmedical records, devices, diagnostics, monitors--these are all things \nthat are supposed to augment our practice, to help us be better \ncaregivers. Instead, our technology only adds to the complexity and \nburden that we feel. Part of the problem is that there is no \nunderpinning that supports a system-of-systems for technology in the \nhealth care industry. No one has established the rules of the road for \ndata exchange, like industries such as banking, aviation, cable, \ntelecom and others did decades ago. Vendors develop products and \nservices that do not interoperate. In order to support some level of \ncommunication across systems, the market has created even more products \nand services--like integration and interface engines--that help to glue \ntogether these proprietary technologies. 
But it is up to the providers \nto bear the burden and cost of implementing and integrating all of \nthese separate pieces, and it doesn't stop once we have bought them.\n\n    Many vendors release products that meet minimum viability standards \nfor ONC certified technology, but their service contracts do not \ninclude the cost of maintaining and updating them to remain compliant \nwith new regulations. Coming into compliance with new or updated \nregulations generally involves upgrading the EHR or device to modify \nhow information is documented, collected and reported. \\1\\ The average-\nsized community hospital (161 beds) spends nearly $760,000 annually on \ninformation technology investments needed to support compliance with \nFederal regulations. \\2\\ These IT changes and associated costs are \ncrushing our industry where margins are already thin.\n---------------------------------------------------------------------------\n    \\1\\  Assessing the Regulatory Burden on Health Systems, Hospitals \nand Post-acute Care Providers. American Hospital Association. February \n2018.\n    \\2\\  Assessing the Regulatory Burden on Health Systems, Hospitals \nand Post-acute Care Providers. American Hospital Association. February \n2018.\n\n    Additionally, these upgrades take time. Six months is simply not \nenough time for a provider organization to review, build, configure, \ntest, train and deploy numerous vendor technologies following new \nreleases to be ready to meet the regulatory deadlines for reporting \nunder the CMS programs. IT product design, testing and implementation \nrequires lead time, particularly when it involves a vendor. 
Time frames \nfor implementation and updates need to be adjusted to reflect what is \nreasonable and acceptable, for instance, 12 months after a Generally \nAvailable release date from a vendor.\n\n    We applaud the ONC proposal to require health IT vendors to \ndemonstrate that their products are usable to patients and providers in \na real-world environment. Any solution can work in a vacuum. We need \nour health care technology and software systems to work in real life \nsettings and in concert with many other vendor technologies if we \nexpect them to meet the needs of patients and providers now and in the \nfuture.\n\n    While the HITECH Act catalyzed the move from paper to digital \nrecords via incentives and penalties on health care providers, it did \nnot, unfortunately, address or create an underlying infrastructure of \ninteroperability to enable data liquidity among technologies. Think \nabout this for a moment: it is the equivalent of telling people they must \nbuy cars and move those cars from place to place, but there are no \nroads and no agreed upon design for the roads, let alone the funding to \nactually pay for the construction. In the case of EHRs, it is the \nprovider organizations who have been left to bridge the gap with \neverything from integration and interface engines, to workarounds that \nlead to significant ``clicks'' for clinicians, to even a combination of \nelectronic and manual processes.\n\n    Health care providers are trying hard to persist in their \ndedication, but the increasing pressure of having to do more with less \nweighs heavily on these well-meaning people. Atul Gawande's November \n2018 article was aptly titled ``Why Doctors Hate Their Computers,'' \\3\\ \nand a joint Fortune and Kaiser Health News article just last week \nhighlighted an astounding average of 4,000 clicks per shift for an \nemergency room doctor. 
\\4\\ Clinicians need our support, encouragement, \nand appreciation for the value they bring to patients and to society.\n---------------------------------------------------------------------------\n    \\3\\  Atul Gawande, Why Doctors Hate Their Computers, The New Yorker \n(Nov. 12, 2018), https://www.newyorker.com/magazine/2018/11/12/why-\ndoctors-hate-their-computers.\n    \\4\\  Erika Fry and Fred Schulte, Death by a Thousand Clicks: Where \nElectronic Health Records Went Wrong, Fortune and Kaiser Health News \n(Mar. 18, 2019), http://fortune.com/longform/medical-records/.\n\n    As a health care provider, I support the ability of patients to \nhave access to their health information and the sharing of information \nacross disparate technologies, systems, and providers. The CMS proposed \nrule would require, as part of the Medicare Conditions of Participation \n(CoPs), hospitals to send electronic notifications when a patient is \nadmitted, discharged, or transferred. Hospitals would be required to \nsend these notifications to other facilities, providers, or community \ncare providers with an established patient relationship who the \nhospital has reasonable certainty will receive the notifications. While \nI support this idea directionally--and look forward to achieving this \nlevel of information sharing--this is unfortunately putting the cart \nbefore the horse. It sounds like it would be simple to implement, but \nthere are numerous unanswered questions and operational considerations. \nFor example, not all EHRs can generate these messages--and this \nfunctionality is not required of vendors under the ONC certification \nrules. 
And if a provider is not connected to a health information \nexchange or similar network, of which the most advanced ones are quite \ncostly, it is an enormous undertaking--in both time and money--to \nconnect to these other providers and facilities individually.\n\n    In order to comply with a CoP, providers must clearly understand \nwhat it is they must do and how they will be surveyed and judged to \ndetermine compliance. This proposal lacks both of those elements, which \nis concerning given the tremendous penalties hospitals face for failing \nto comply with CoPs, including termination from the Medicare program. \nInstead, I encourage the administration to focus on its current \nactivities to improve interoperability, such as continuing to advance \nthe goals of the Trusted Exchange Framework and Common Agreement \n(TEFCA), as well as its proposals in this rule to further ensure \nvendors are accountable for the products they develop. The \nresponsibility for interoperability cannot and should not be borne \nsolely by providers, and there are plenty of things that vendors, \nbusiness associates, plans and other organizations can and should be \nexpected to do and contribute.\n                      Patient Privacy and Security\n    It is clear that Congress and this administration are committed to \nsolving the issue of interoperability and achieving complete patient \naccess in the U.S. health care system. So far, the administration is \nrelying on third party apps and the private market to solve these \nproblems. The rules state that they wish to ``enable patients to access \ntheir health information electronically . . . 
to make the data \navailable through an application programming interface [API] to which \nthird party software applications connect to make the data available to \npatients.'' \\5\\\n---------------------------------------------------------------------------\n    \\5\\  84 Fed. Reg. 7610, 7612 (Mar. 4, 2019).\n\n    Providing unvetted third party applications fairly open access to \npatient digital health data concerns me as both a clinician and a \nconsumer. I am well-aware of the argument that it is the patient's \nprerogative to specify where and to whom their data goes. Personally, I \nlike the idea of controlling my own data. But reality does not always \nalign with our ideas, particularly when it comes to our personal \ninformation--whether health-related, financial, or even demographic. \nThe truth is that the vast majority of us, myself included, do not read \nthe entire ``terms of use'' agreement on every app or website that has \nsome of our personal information, and we often mistakenly believe our \ndata is more private or more secure than it actually is.\n\n    While it may be tempting to allow access to personal digital health \ninformation for any and all entities who claim to operate under the \nbanner of ``promoting care coordination,'' we would be wise to take a \nlesson from the consumer data privacy events of the past few years. \nMillions of individuals were surprised and angry to learn how Facebook \nwas using and selling their data, while other consumers weren't even \naware that all their financial information is funneled through three to \nfour major credit bureaus, two of which experienced major breaches in \nthe last few years.\n\n    Digital data is the currency of the modern technology ecosystem and \nmarketplace. There are fortunes to be made in mining and monetizing \nyour personal digital health data. 
New rules and processes that govern \nand protect digital health data must be sensitive to the reality that \nnot all covered entities, business associates, and third parties are \ncreated equal. Particularly with regard to entities that fall outside \nof the HIPAA requirements, it is imperative that patients, their \nfamilies, providers, and consumers can trust that these applications--\nand the data both sent to and received from them--are secure, private, \nand clinically sound.\n\n    The vision for the future is one in which a patient's data flows \nbetween her/his care providers, the patient and her/his providers, and \nbetween the patient's personal electronic device and the provider.\n\n    That vision presupposes that data is vetted, clinically sound and \ncomes from a trusted source. The reality is that neither clinicians nor \npatients have the ability to validate that it is trusted data.\n                         A Trust-Based Approach\n    I believe there are ways to support the innovation coming from the \nexternal marketplace while providing the needed safeguards to govern \npersonal digital health data. The entrance of non-health care actors \ninto the health care market--particularly those that fall outside of \nthe HIPAA requirements--necessitates strong principles for trust and \nsecurity. One such idea is an industry-backed trust platform technology \narchitecture, supported by an appropriate governance model.\n\n    This is a wide-ranging solution that would encompass all health-\nrelated digital information on a single platform architecture. 
In the \nmeantime, I also encourage a smaller scale solution to address privacy, \nsecurity, and clinical efficacy of third-party applications, \nspecifically an industry-backed process to independently vet these \napplications to ensure they are meeting all relevant security \nstandards; are using data appropriately and in line with consumer \nexpectations; and, for those applications that offer medical advice, \nare clinically sound. Such a process will go a long way toward ensuring \ntrust while removing the burden of this process from consumers and \nproviders.\n                       What Federal Policy Can Do\n    Policymakers must strike a balance between their desire to make \npersonal digital health information available and the burdens that \nthese requirements place on health systems under proposed timelines. \nGovernment policies must allow digital health information to be \nexchanged in a way that protects and prioritizes the interests of \nindividuals--and the health systems and clinicians who care for them--\nwhile allowing the marketplace to innovate and interact in a \nresponsible and controlled way.\n\n    In this technological age, it is important we all remember that the \ndeployment of health information technology, interoperability, data \nexchange, privacy and security are all in service of patients receiving \nand providers delivering the safest, highest quality care. It is not \nabout the technology; it is about patients, their care, and their \noutcomes.\n                                 ______\n                                 \n                [summary statement of christopher rehm]\n    Chairman Alexander, Ranking Member Murray, and Members of the \nSenate HELP Committee, thank you for the opportunity to testify before \nyou today.\n\n    My name is Christopher Rehm. I am a physician and the Chief Medical \nInformatics Officer at LifePoint Health. 
LifePoint Health is a provider \norganization that delivers Acute, Emergency, Post-Acute and Outpatient \ncare for over 85 communities in 30 states. Our clinical technology \nenvironment consists of 10 different Inpatient EHR's, greater than 10 \nAmbulatory EHR's, and countless vendor partners providing departmental, \nancillary and point solutions. My team and I work with our hospitals \nand providers to build, configure and tie together these systems so \nthat our providers are set up for success to provide safe, efficient, \nhigh quality care to each and every patient we see in the communities \nwe serve.\n\n    The desire to make electronic health information freely available \nspans the political spectrum and has been a long-standing goal of both \npatients and medical teams. I am here today as a health care provider--\nsomeone who has taken care of patients and supports others who take \ncare of patients. I love my work--and my colleagues love their work. \nBut sometimes health IT and the regulatory policies that govern them \nare stifling and make it harder to do our job. Electronic medical \nrecords, medical devices, and patient monitors are supposed to help us \nbe better caregivers. Instead, these technologies frequently add to the \ncomplexity and burden that we feel. I will touch on some of these \ncauses today as well as offer suggested solutions to help alleviate a \nportion of this burden to support providers as we move toward the \ninteroperable future we all desire.\n\n    First, providers do not build these technologies; we purchase them \nfrom vendors. I have frequently found, however, that vendors develop \nproducts and services that do not interoperate. Many vendors release \nproducts that meet minimum standards for ONC certified technology, and \ntheir contracts do not include the cost of maintaining and updating \nthem to remain compliant with new regulations. 
It is up to the \nproviders to bear the burden and cost of implementing and integrating \nthese separate pieces.\n\n    In addition to being costly, upgrades take time. While we are often \ngiven 6 months to comply with CMS regulations, it can take up to 12 \nmonths for a provider organization to review, configure, test, train \nand deploy numerous vendor technologies, ensuring we did not break \nhundreds of custom interfaces, following new releases.\n\n    We applaud the ONC proposal to require health IT vendors to \ndemonstrate that their products are usable for patients and providers \nin a real-world environment. We need our healthcare technology and \nsoftware systems to work in real life settings and in concert with many \nother vendor technologies if we expect to meet the needs of patients \nand providers now and in the future.\n\n    Second, while the HITECH Act catalyzed the move from paper to \ndigital records via provider-based incentives and penalties, it did \nnot, unfortunately, address or create an underlying infrastructure of \ninteroperability to enable data liquidity across technologies. Provider \norganizations have been left to bridge the gap with interface engines, \nworkarounds and manual processes--with varying degrees of success.\n\n    This lack of infrastructure is troublesome for a number of \nreasons--from privacy and security challenges to the ability of \nproviders across the country to send and receive data. For example, the \nCMS proposed rule would require hospitals to send electronic \nnotifications when a patient is admitted, discharged, or transferred as \npart of the Conditions of Participation (CoPs).\n\n    In order to comply with a CoP, providers must clearly understand \nthe requirement and the objective compliance measure. This proposal \nlacks both of those elements, which is concerning given the tremendous \npenalties hospitals face for failing to comply with CoPs, including \ntermination from the Medicare program.
Instead, I encourage the \nadministration to focus on its current activities to improve \ninteroperability, such as continuing to advance the goals of the \nTrusted Exchange Framework and Common Agreement (TEFCA) and vendor \naccountability for the products they develop.\n\n    Another victim of this lack of infrastructure is patient and \nprovider trust that data will be secure and used appropriately. The \nproposals envision unvetted third party application access to patient \ndigital health data via open API's. Personally, I like the idea of \ncontrolling my own data. But the truth is that the vast majority of us, \nme included, do not read the entire ``terms of use'' agreement on every \napp or website, and we believe our data is more private or more secure \nthan it actually is.\n\n    I believe there are ways to both support the innovation coming from \nthe external marketplace while providing the needed safeguards to \ngovern personal digital health data. The entrance of non-healthcare \nactors into the healthcare market--particularly those that fall outside \nof the HIPAA requirements--necessitates strong principles for trust and \nsecurity. One idea is an industry-backed process to independently vet \nthese applications to ensure they meet all relevant security standards; \nuse data appropriately and in line with consumer expectations; and, for \nthose applications that offer medical advice, are clinically sound.\n\n    Government policies must allow digital health information to be \nexchanged in a way that protects and prioritizes the health interests \nof individuals--and the health systems and clinicians who care for \nthem--while allowing the marketplace to innovate and interact in a \nresponsible and controlled way.\n\n    In this technological age, it is important we all remember that \ndeployment of health information technology, interoperability, data \nexchange, privacy and security are all in service of delivering the \nhighest quality care. 
It is not about the technology; it is about the \npatients, their care and their outcomes.\n\n    Thank you for the opportunity to speak to the Committee today. I \nhave additional information on these topics in my written testimony \nthat I hope you will also consider.\n                                 ______\n                                 \n    The Chairman. Thank you, Dr. Rehm.\n    Ms. Grealy, welcome.\n\n     STATEMENT OF MARY GREALY, J.D., PRESIDENT, HEALTHCARE \n               LEADERSHIP COUNCIL, WASHINGTON, DC\n\n    Ms. Grealy. Excuse my laryngitis, please. Chairman \nAlexander, Ranking Member Murray, and Members of the Senate \nHELP Committee, thank you for inviting the Healthcare \nLeadership Council to testify before you today.\n    HLC is a coalition of Chief Executives from all disciplines \nwithin American healthcare. It provides a forum for the \nNation's health care leaders to work together toward their \nvision of a 21st century healthcare system that makes \naffordable, high-quality care accessible to all Americans. \nMembers of HLC, hospitals, academic health centers, health \nplans, pharmaceutical companies, medical device manufacturers, \nlaboratories, biotech firms, health product distributors, post-\nacute care providers, and information technology companies, \nadvocate for measures to increase the quality and efficiency of \nhealth care through a patient-centered approach.\n    The members of HLC are saying that the time is here, the \ntime is now, to achieve full nationwide interoperability of \nhealth information and to have secure, seamless access to data \nfor clinicians, patients, and health care consumers. 
Today, I \nam pleased to present to you a significant project undertaken \nby HLC with the Bipartisan Policy Center, two organizations \nthat between us represent many of the major companies that \npurchase healthcare, pay for healthcare, provide healthcare, \nand deliver access to the data that drives quality health care.\n    Despite all the progress we have seen in health care moving \ninto the digital age with more providers utilizing electronic \nhealth records and more consumers able to get health \ninformation on our smartphones, everyone in this room knows \nthat we still have a long way to go. Today, we do not interact \nwith just one family physician. We as patients interact with \nprimary care doctors, specialists, hospitals, clinical labs, \npharmacies, insurers, and more, yet these entities often do not \ntalk to each other electronically. And if we are to reach our \ngoal of a healthcare system that provides high-quality, \npatient-centered care, interoperability is not simply \ndesirable, it is absolutely necessary.\n    HLC and the Bipartisan Policy Center set out to determine \nwhat needs to be done to achieve nationwide health data \ninteroperability. We engaged the University of California at \nSan Francisco to interview dozens of experts from multiple \nhealth care sectors and the Government. What we learned in \nthese interviews led to the recommendations and our call to \naction that we provided as an attachment in our written \ntestimony. There are a couple of exciting aspects to this \nproject and the proposals that emerged from it that I would \nlike to highlight for the Committee. It is significant that \nleaders from the private sector across the entire health care \ncontinuum have come together and agreed upon mechanisms to \naccelerate nationwide interoperability. 
And this is not just a \nmatter of telling Government what it should be doing, but \nrather these private-sector entities are placing the \nresponsibility among themselves and upon themselves, pledging \naction and embracing accountability.\n    Thus, you see us calling for collaboration between \nhealthcare payers and providers to use payment incentives to \ndrive adoption of baseline interoperability expectations. And a \ncall for providers to work with electronic health record \ncompanies and software developers in incorporating these same \nexpectations into their business contracts. We are calling for \ncommon standards to be utilized to improve patient matching, \nand we are calling for the rapid adoption and implementation of \nopen standards-based APIs. These just touch the surface of the \nrecommendations you will see in the report.\n    We are pleased that the leaders in the public sector \nstepped forward with the proposed Federal rules we are \ndiscussing today on data access and interoperability, and we \nsee a great deal of alignment in these rules with what we are \noffering in our report. We applaud the efforts of ONC and CMS \nto eliminate information blocking and ensure the consumers have \neasy access and ability to share their health information as \nthey wish. These rules represent an important and perhaps \ngroundbreaking first step for true nationwide \ninteroperability.\n    I would note that both proposed rules include changes to \nhow patient health information is used and shared. These rules \nincorporate new innovative products such as third-party \napplications that are not currently covered by the HIPAA \nPrivacy Law.
We need to ensure a thoughtful approach in how \nentities currently subject to HIPAA share information with \nthese new entities to ensure the safeguarding of sensitive and \nvaluable personal health information.\n    Any future legislation or rulemaking that addresses the \nelectronic flow of identifiable health information should \nengender the same trust as the HIPAA privacy standards have \ndone for the past 20 years. Given the significant impact of \nthese rules, including the strong enforcement, penalties, we \nare requesting that ONC and CMS grant a 30-day extension of the \ncomment period for the proposed rules.\n    Thank you for the opportunity to speak to the Committee \ntoday, and I look forward to discussing the comments of HLC \nmembers and our commitment toward advancing nationwide \ninteroperability.\n    [The prepared statement of Ms. Grealy follows:]\n                   prepared statement of mary grealy\n    Chairman Alexander, Ranking Member Murray, and Members of the \nSenate Health, Education, Labor, and Pensions (HELP) Committee, thank \nyou for the opportunity to testify today.\n\n    My name is Mary Grealy, and I am President of the Healthcare \nLeadership Council (HLC). HLC is a coalition of chief executives \nrepresenting all disciplines within American healthcare. It is the \nexclusive forum for the Nation's healthcare leaders to jointly develop \npolicies, plans, and programs to achieve their vision of a 21st century \nhealthcare system that makes affordable high-quality care accessible to \nall Americans. Members of HLC--hospitals, academic health centers, \nhealth plans, pharmaceutical companies, medical device manufacturers, \nlaboratories, biotech firms, health product distributors, post-acute \ncare providers, home care providers, and information technology \ncompanies--advocate for measures to increase the quality and efficiency \nof healthcare through a patient-centered approach. 
All of these health \nsectors, and the patients they serve, are affected by and committed to \ncomprehensive access to health data.\n\n    The members of HLC are saying that the time is here, the time is \nnow to achieve full nationwide interoperability of health information \nand to have secure, seamless access to data for clinicians, patients \nand healthcare consumers.\n\n    Today, I'm pleased to present to you the results of a significant \nproject undertaken by HLC with the Bipartisan Policy Center (BPC), two \norganizations that, between us, represent many of the major companies \nthat purchase healthcare, pay for healthcare, provide healthcare, and \ndeliver access to the data that drives quality healthcare.\n\n    For all the progress we've seen in healthcare moving into the \ndigital age--with more providers utilizing electronic health records \nand more consumers able to get health information on our smartphones--\neveryone in this room knows we still have a long way to go. Today, we \ndon't just interact with one family doctor. We as patients interact \nwith primary care doctors, specialists, hospitals, clinical labs, \npharmacies, insurers, and more. Yet, these entities often don't talk to \neach other electronically. And if we're to reach our goal of a \nhealthcare system that provides high-value, high-quality, safe, cost-\neffective, patient-centered care, interoperability is not simply \ndesirable--it's necessary.\n\n    HLC and BPC set out to determine what needs to be done to achieve \nnationwide health data interoperability. We engaged the University of \nCalifornia at San Francisco to interview dozens of experts from \nmultiple healthcare sectors and the government. 
These interviews gave \nus an idea of the barriers that stand between the present and our \nessential future, and how to overcome them, leading to the \nrecommendations we've provided as an attachment to this testimony.\n\n    Our goals today and moving forward are clear and unwavering--we \nintend to bring information seamlessly to the point of care to support \ncare delivery, and we will meet the information needs of patients and \nconsumers to support their health and healthcare. There are a couple of \nexciting aspects to this project and the proposals that emerged from it \nthat I want to highlight for the Committee.\n\n    It's quite significant that leaders from the private sector--across \nthe entire healthcare continuum--have come together not only to say \nthat we must accelerate the movement toward nationwide \ninteroperability, but they have agreed upon mechanisms by which to do \nit. And this isn't just a matter of telling government what it should \nbe doing, but rather, these private sector entities are placing the \nresponsibility upon themselves--pledging action and embracing \naccountability.\n\n    Thus, you see us calling for collaboration between healthcare \npayers and providers to use payment incentives to drive adoption of \nbaseline interoperability expectations, and a call for providers to \nwork with electronic health record (EHR) companies and software \ndevelopers in incorporating those same expectations into their business \ncontracts.\n\n    We're calling for common standards to be utilized to improve \npatient matching, to make certain the right patient is getting the \nright treatment at the right time, all the time. And we're calling for \nproviders, EHR companies, software developers, payers and other sectors \nto pursue rapid adoption and implementation of open standards-based \nAPIs. 
These just touch the surface of the recommendations you will see \nin the attached report.\n\n    But the other aspect of this project that is so encouraging is that \nwe are in alignment with the Federal Government and its goals in this \narea.\n\n    We are pleased that leaders in the public sector stepped forward \nwith proposed Federal rules on data access and interoperability and we \nsee a great deal of agreement in these rules with what we are offering \nin our report.\n\n    We applaud the efforts of the Office of the National Coordinator \nfor Health Information (ONC) and the Centers for Medicare and Medicaid \nServices (CMS) to eliminate information blocking and ensure that \nconsumers have easy access and the ability to share their health \ninformation as they wish. These rules represent an important, and \nperhaps groundbreaking, step toward true nationwide interoperability.\n\n    It should be noted that both proposed rules include changes to how \npatient health information is used and shared. These rules incorporate \nnew, innovative products, such as third-party applications, that are \nentering the healthcare market at a rapid pace but are not covered by \nthe Health Insurance Portability and Accountability Act (HIPAA) privacy \nand security rules. We need to ensure a thoughtful approach in how \nthose entities currently covered by HIPAA share information with new \nentities to ensure the safeguarding of sensitive--and valuable--\npersonal health information. Any future legislation or rulemaking that \naddresses the electronic flow of identifiable health information should \nengender the same trust as the HIPAA privacy standards have done for \nthe past 20 years.\n\n    Given the significant impact of these proposed rules, including \nstrong enforcement and penalties, we are requesting that ONC and CMS \ngrant, at a minimum, a 30-day extension of the deadline for submitting \ncomments on the proposed rules. 
An extension would provide more \nadequate time to conduct a thoughtful analysis of the proposed rules \nand their impact, and to fully address the multiple requests for \ncomments and information embedded within them.\n\n    Thank you for the opportunity to speak to the Committee today. I \nlook forward to discussing the commitment of HLC members toward \nadvancing nationwide interoperability. These commitments are explicitly \nincluded in the HLC BPC Report on Advancing Interoperability, \nInformation Sharing, and Data Access, which is included as part of my \nwritten testimony.\n                                 ______\n                                 \n    The Chairman. Thank you, Ms. Grealy, and thanks to each of \nyou. We will now have a round of 5 minute questions.\n    We will begin with Dr. Cassidy.\n    Senator Cassidy. Thank you, Mr. Chairman. I thank you all \nfor being here. Raised several interesting things. Ms. Grealy, \nI just learned that in my state, the patient does not own her \ndata. Does HLC have a position on whether or not the patient \nshould own her data?\n    Ms. Grealy. We think it is important that patients do own \ntheir data and that they have access to that data. And that \nreally, the providers and those working with that patient \nhealth information, really are the stewards of that \ninformation.\n    Senator Cassidy. Simple answer, yes. Thank you for that. \nMs. Savage, you raised a point, I think you did, of the ability \nfor the health plan--again, do I own the data that the health \nplan has? Or should I own that data?\n    Ms. Savage. As you mentioned, it is really a matter of \nstate law. So technically within a health plan, you may not own \nthe data, but you certainly have a right to get a copy. That is \nthe state of the law.\n    Senator Cassidy. Let me ask, define the data. 
If the health \nplan is purchasing data from data brokers, not just about the \ndoctor who saw me for a busted arm, but rather the data from \nthe grocery store as to whether or not I am buying high \ncholesterol food, should I have the right to that data?\n    Ms. Savage. You have a right to get any data that the \nhealth plan is using to make a medical decision about you.\n    Senator Cassidy. Now, define medical decision.\n    Ms. Savage. Well, it is a little bit ambiguous and so I----\n    Senator Cassidy. Oh, that is what I thought.\n    Ms. Savage. That is right. But I want to definitely \ndistinguish is you do not have a right to get data that is \nused, for example, to calculate a measure because that is not--\n--\n    Senator Cassidy. To calculate a measure----\n    Ms. Savage. Like a measure. Like a plan, HEDIS measure for \nhow many people referred to a mammogram or something like that.\n    Senator Cassidy. Got it.\n    Ms. Savage. That is not about you. But if they are using \nthat data to decide that you should or should not have a \nparticular treatment or should or should not have a premium \nincrease that is definitely within the data you should be able \nto get access to.\n    Senator Cassidy. Now, you say should, implying that you \npersonally think that we should, but legally do I--legally do I \nhave access to that data?\n    Ms. Savage. Absolutely, you legally have access to that. \nThe problem is that in carrying that out, obviously there is a \nlot of gaps in how people do that. That issue of individuals \ngetting their own data, I think is a top five complaint at OCR.\n    Senator Cassidy. Do we have a need therefore for \nstandardization of how the patient would access her data and \nwhat exactly comprises that data so that there is not this \nvariability in response?\n    Ms. Savage. I think there are some great paths of \nstandardization beginning to take hold.
The idea of using an \napp and a standard API is one, although not all data will be \navailable behind that API in the immediate future. A second is \nthe Association of Health Information Management, AHIMA, is \nworking on a standardized form and they are urging people to \nadopt it voluntarily so that it can be turned into an online \nform so people can use it, but it is not enough.\n    Senator Cassidy. I think that my colleagues and I would be, \nand I certainly am interested, if you all have ideas as to how \nI could know if the health app that I am using does--feeding up \nto the insurance plan, that I actually have that data as well \nas that which they purchase from data brokers, which I am told \nis quite extensive.\n    Ms. Savage. Right. So that is a couple of different issues, \nbut in my longer testimony I refer to an article that I did \nwith ten or so tips people could just adopt right now that \nwould make it easier for patients and nothing prevents a health \ninsurer from adopting those. I want to separate that for a \nmoment from the broker purchased data because we do not know \nexactly which health plans are doing that, and second or third \nfrom the app you choose to use. All different things.\n    Senator Cassidy. I get that. So that is my question for \nyou, Dr. Rehm. So, I recently read of somebody partnering with \nsomebody so that smart watches were on the wrist of the \ninsured. And I thought to myself, now they know how many steps \nI am taking today and whether or not my gait becomes shuffling \nand so maybe I have the first onset of Parkinson's disease, \nright. And should that be protected, the fact that I am \nbasically telling them that I may be at risk for a neurologic \ndisease--by the way I do not have a neurologic disease for the \nrecord, that I know of.\n    [Laughter.]\n    Dr. Rehm.
I would characterize that, as soon as that \npersonal health data gets transmitted into the healthcare \nsystem that information should be protected so----\n    Senator Cassidy. But I do not believe it necessarily \ncurrently is, correct?\n    Dr. Rehm. Well, if that, let us say you have an EMR that \nallows you to add personal health devices to that EMR so that \nthe patient that is wearing that watch or scale, for that \ninstance, feeds my EMR, then that information is entered into \nthe EMR and it is protected, at least in my practice.\n    Senator Cassidy. Now you are speaking of the theoretical, \nbut I am pressing on you, do we know that is the case?\n    Dr. Rehm. Only if it answers the EMR. So, I would say we do \nnot know that is the case.\n    Senator Cassidy. If it goes to the health plan, and not to \nthe doc, but if it goes to the health plan, is that part of the \ndata that Ms. Savage referred to as being a covered entity--a \nHIPAA protected set of data or not?\n    Dr. Rehm. I do not know.\n    Senator Cassidy. I do not know either. Ms. Savage?\n    Ms. Savage. Yes, the health plan is a covered entity under \nHIPAA just like a physician's office.\n    Senator Cassidy. But is the app, the information that they \nare receiving from the app considered part of that covered \ndata?\n    Ms. Savage. When it flows into the covered entity's \ncustody, it becomes covered by HIPAA. The second thing to \nremember is, OCR has been very clear, when the app is sponsored \nby or paid for by the covered entity, the collection by the app \nis in fact covered by HIPAA. The one place we do not, that OCR \ndoes not reach, is to an app that is not paid for or sponsored \nby a covered entity itself.\n    Senator Cassidy. Got it. So, if I just voluntarily give. I \nam going over. Thank you, Mr. Chairman.\n    The Chairman. Thank you, Senator Cassidy.\n    Senator Murray.\n    Senator Murray. Thank you very much. And Ms. 
Savage, you \ntalked about the important balance between protecting patient \nprivacy and making sure patients have access to their data. I \nthink that is what the Senator was going after. Let me ask a \nlittle differently. Do patients who share their health care \ninformation with third-party apps have their information \nprotected under the patient privacy laws of HIPAA?\n    Ms. Savage. It is going to go back to who is sponsoring \nthat app. So, in the Omada context, our app is sponsored by us. \nWe are a healthcare provider under HIPAA. All the HIPAA rules \napply within the app, however, we do not stop people from \ntaking whatever they want about the health information, just \nlike Senator Cassidy did, and blurting it out in whatever \ncontext they want. And so, unless the context in which that \nblurt is received is also covered by HIPAA, it would not be \ncovered.\n    That might be a third party app that is not covered, that \nis covered only by the Federal Trade Commission or State \nAttorneys General, as opposed to being within kind of the \nconfines of a HIPAA-covered entity and its sponsorship.\n    Senator Murray. Well, what should patients know? What \nshould we all know about how our data can be shared if we use \nan app that is not covered by HIPAA privacy protections? Can \ntheir data be sold or just goes to drug companies or \nadvertisers?\n    Ms. Savage. Yes. It is a very confusing place for consumers \nwhen in 2016 we sent a report up to Congress on this very \nthing. It is footnoted in ONC's rule, and consumers just--it is \ntoo much information for them to understand and it is very \nconfusing for them. I think that they have the ability to rely \npretty well on what their doctors do and how the healthcare \nsystem works, and those rules are very familiar, but people \ndefinitely feel that--think those rules apply when they do not.\n    Senator Murray. Can your data be sold?\n    Ms. Savage. Outside of HIPAA, yes.
Within HIPAA, it cannot \nbe sold in an identifiable way. There is a very specific rule \non that.\n    Senator Murray. Like to drug companies? It could be sold to \ndrug companies?\n    Ms. Savage. Well, if you were, if it was a third party app, \nwithout naming names, and any kind of social media app, of \ncourse.\n    Senator Murray. Okay. Well, so there is a lot of potential \nfor digital records, but it also comes with risks. I think that \nis pretty clear.\n    Ms. Savage. Correct.\n    Senator Murray. Tell us what policy recommendations would \nyou make to better protect patient privacy.\n    Ms. Savage. It is a very complicated area that I know many \nSenators and many of your colleagues and also House Members are \nworking on, and what I think is to look at the totality of the \nfact that the digital life is no longer sliced up into economic \nsectors and we really need policies to converge.\n    Whether that is things that look like HIPAA migrating \noutwards or some uniform policy that everyone can, as a \nconsumer, easily understand, that would be my policy \nrecommendation. And that is not an easy thing to do given our \nFederalized system but that is where I think the direction \nneeds to go, is how to converge it so that it is the same and \nthe expectations are the same for consumers wherever they go.\n    Senator Murray. Consumers understand it better because it \nis uniform?\n    Ms. Savage. Yes.\n    Senator Murray. Okay. Mr. Moscovitch, open APIs are really \nan essential programming feature that allow programs to share \ninformation with each other, and the requirement that \nelectronic health records make them available was a very high \npriority for this Committee. As you said in your testimony, \nAPIs are the foundation of the modern internet. 
So, to ensure \nthat the APIs are truly open, the Office of the National \nCoordinator for Health Information Technology proposes \nelectronic health records developers publish business and \ntechnical documentation associated with their APIs. Talk to us \nabout why that requirement is so important.\n    Mr. Moscovitch. The documentation is much like an \ninstruction manual for how third-party developers can request \ninformation and how it is formatted so they can use it. In \nother industries, that documentation is publicly available to \nspur innovation. If a technology has an API, for developers to \nuse it they need that instruction manual or that documentation \nor else they do not know how to request the documentations, \nwhether it is behind a paywall or some other proprietary manner \nor made public on a website and it still needs to be developed.\n    Senator Murray. Is that going to impose a burden on \nelectronic health-record developers in your opinion?\n    Mr. Moscovitch. One thing ONC did in the regulations is \nleverage existing work that is already done through different \nstandards bodies, and which many EHR developers are already \nimplementing. That is through the work, the standards and FHIR \nwork that ONC is doing. So, the industry is already moving in \nthis direction and are already developing documentation based \noff of FHIR standards.\n    Senator Murray. Okay. And quickly, Ms. Savage and I can go \nback to you. We want to make sure the Department of Health and \nHuman Services takes the time to implement Cures right away, \nbut if health organizations are hoarding data in order to gain \na competitive advantage for themselves, there are real \nconsequences if the Department takes too long to implement \nthese policies. So, what do you think the risks are of delaying \nthe prohibition on information blocking?\n    Ms. Savage. Well, I cannot do an economic estimation. 
You \nhave to go to my co-author, Martin Gaynor, on that, but I think \nthat we know that there is lots of savings that have been \ndocumented for the little teeny bits of interoperability we \nhave right now and avoided redundant costs. And that will only \ngrow. And then there is the whole consumer frustration piece. \nIn every part of their lives they are quickly and efficiently \nusing the supercomputers in their pocket except in this.\n    I cannot even estimate the increase in productivity if we \nall don't have to spend hours and hours and hours chasing down \nour records and moving them around in the system for ourselves.\n    Senator Murray. Okay. Thank you. Thank you very much, Mr. \nChairman.\n    The Chairman. Thank you, Senator Murray. And Ms. Savage, \nyour last comment was important to me. This all--listing this \ntestimony sounds very complex, difficult, obtuse, all those \nthings, but we are really talking about a very common everyday \nexperience for most Americans. I mean, as we think about our \nhealth care records, we think on the one hand, well, I can make \nan airline reservation just like that. Two, I can order \nsomething over Amazon just like that, and if I want to take my \nhealth care records from Vanderbilt to the Mayo Clinic, the \nbest thing for me to do is to go down to the bottom floor of \nthe hospital with a wheelbarrow and put them all in there, and \nthen pack them in a suitcase, and then fly to Minneapolis, and \nthen drive to Rochester, and hand them to the doctor. So that \nis--even though each of those two institutions do not use those \nbecause they are leading the country really in terms of \ninteroperability within their systems.\n    We are well-meaning here. 
But I can still remember going to \nVanderbilt to find out about electronic health care records and \nthey said, Meaningful Use 1 was helpful, Meaningful Use 2 was \nOkay, Meaningful Use 3 was terrifying because as we project our \ngood intentions out to the real world of hundreds of thousands \nof doctors, and thousands of hospitals, and millions of \npatients, sometimes it does not work like we hope it would. So \nthat is how we got to standards that we are talking about today \nand how we got to these rules about information blockage.\n    My question is about the standards. I had this great fear, \nas we were doing the 21st Century Cures bill, that if we \nrequired standards that somebody would write them in Washington \nand that they would be the wrong standards and they would not \nimply properly to everybody. We would just create more of an \nadministrative burden and big mess than existed.\n    If I am remembering it right, what we just said was you \nhave to have standards. We are not going to write them for you. \nAnd now the rules are saying but you are going to have to use \nthese standards written in the private sector so everybody can \nwork together and talk with each other.\n    My question is, Dr. Rehm, let me ask you, are these the \nright standards? Are we correct to insist that there be the \nsame standard for everybody, and are we going too fast in \nasking doctors and hospitals to implement these rules?\n    Dr. Rehm. I will start with the first one. 
I think we are \nheaded in the right direction with being very prescriptive in \nthe standard, because when the standard is broad and you leave \nit up to the industry to implement, they will take advantage of \nthe breadth of what is allowed in the standard, which then \nleaves the provider organization trying to do all the manual \nwork in between because it is not interoperable.\n    I do think being as prescriptive and precise in the \nstandard and requiring people to develop to that standard will \naccelerate interoperability. And the second part of your \nquestion as it relates to going too fast, I think you just have \nto keep in mind that the provider side is always months behind \nwhen the technology is developed to cover us----\n    The Chairman. What I am meaning by that is on Meaningful \nUse 3, it was my strong feeling that if we could kind of slow \nthe train down a year or two, that we would get where everybody \nwanted to go more effectively than if we insisted on pushing \nit. Well there were two different views on that and maybe it \nwas the train was going too fast to slow down, but I want to \nmake sure that these new rules are implemented at a pace that \ngets us where we want to go but does not do it so rapidly that \nit makes it more difficult to get where we want to go.\n    Dr. Rehm. Right now there is 24 months for the technology \norganizations to come alongside the final rule and implement \nwhatever is in the final rule. I think that you got to add time \nto the end of that for the provider organizations to be able to \nreact to whatever it is they release, because we will have to \nunderstand and work with whatever technology is released at the \nend of those 24 months, and the provider side will need time.\n    The Chairman. Ms. Grealy, I have a little less than a \nminute. What about the standard, should we require standards? 
\nAre these the right standards, and is the time that the \nadministration is allocating for implementing the standards \nappropriate?\n    Ms. Grealy. I think there is a need for standards. I think \nyour concern, and it is a concern that we share, is making sure \nthat we are still allowing for innovation within those \nstandards. We do not want to stifle the innovation and \nimprovement, electronic records and the exchange of \ninformation. I think we will hear from everyone that they \nprobably will want a bit more time. We are at the outset asking \nfor a longer time to analyze and comment on these rules----\n    The Chairman. Well, before you stop, does the proposal \nallow for innovation? I mean I have always imagined that these \nproblems would be solved not by anyone here writing them, but \nby somebody showing up with a, Delta Airlines reservation \nsystem and then everybody is, oh, that is the way to do it, and \nthey use it. Or maybe it was American, I do not remember who it \nwas but that is the way it happened.\n    Ms. Grealy. But I think standards like open APIs--I think \nthere is just broad, deep agreement that is the way we should \ngo, and the FHIR standard. So, there is a need for standards. I \ndo not think we view these as stifling innovation at this \npoint. We never want to be micromanaged, again, because that \nwould stifle the innovation, but I think you are hearing--\neveryone is committed to interoperability and we do need some \nrules of the road that we can all understand and implement.\n    The Chairman. Thank you.\n    Senator Baldwin.\n    Senator Baldwin. Thank you, Mr. Chairman. Thank you to our \nwitnesses. I hail from Wisconsin and we have a long history of \nplaying a major role in technological transformation. 
My \ncolleagues, many have heard about successful health IT \ninnovations from Gundersen Health System and La Crosse from \nMarshfield Clinic, and of course Epic Systems in Verona, \nWisconsin, which exchanges nearly 4 million records a day.\n    However, our system has not yet achieved the ultimate goal \nof being fully interoperable, which is why I was proud to play \na role on this Committee in crafting the 21st Century Cures \nAct. The proposed rules released by the administration to \nadvance implementation of the 21st Century Cures Act are \ncritical steps to achieving interoperability and improving \npatient access to health data. Several provisions would allow \npatients to become more engaged with their own care by \nrequiring electronic health-record systems to make patient data \navailable to be exported and available through third-party \napps, as we have been discussing.\n    We need to do more to empower patients, however I am \nconcerned that the proposal may expose new vulnerabilities for \npatient confidentiality. Dr. Rehm, these proposals to expand \npatient data sharing through third-party applications \npotentially lead to breaches in patient privacy and security, \nand how can we best balance patient access while preserving the \nconfidentiality of the physician-patient relationship in our \nfast, developing digital era?\n    Dr. Rehm. Right. 
So, as I put in the written testimony and \nin the oral testimony, I do think that there is risk with \nthird-party applications that do not necessarily--HIPAA does \nnot apply to them all, potentially, in this scenario of what \nthe open API--a third party app can be developed, can be \ndirected toward consumers and there is nobody vetting or \ncurrently there is no organization that would be vetting just \nthe technology infrastructure security of that application.\n    At LifePoint, we have a technology review board that looks \nat applications that some of our member hospitals want to bring \ninto the fold, and it is frequent that when we do a deep dive \ninto that technology, we find a cybersecurity risk and so we do \nnot bring that technology into our technology stack.\n    We need to do something to protect the patients because if \nthey are drawn to a consumer-driven app, they use it, they use \nthe open API to pull their health information into that \napplication, who is it that is making sure that company is \nputting the proper safeguards to keep that data secure? So, I \nthink it is a risk.\n    Senator Baldwin. Thank you. Mr. Moscovitch, you noted that \nthe proposal requires electronic health record systems to \nensure that all of their patient data and electronic health \ninformation can be exported to patients, which could include \nother information from vendors' data bases.\n    I have certainly heard concerns from my constituents about \nthe lack of clarity and standards in the rule concerning what \nconstitutes this electronic health information. In fact, there \nis currently no standard for this broader group of data. Can \nyou elaborate on this gap in existing standards and how \nrequiring extraction of large, potentially undefined data sets \nmay create obstacles for a vendor compliance or other risks to \npatient privacy.\n    Mr. Moscovitch. Sure. 
The goal of that electronic health \ninformation provision is so that if patients want their data \nthat, including it is outside of the core data elements that \nONC wants exchange for APIs, that patients can get it. And that \nis correct for many of these data elements, that standards do \nnot exist. And so, as ONC finalizes its regulations, it should \nabsolutely clarify which data element, or which information \nmore broadly, needs to be available to patients, and where \npossible, to do that in an easy way for patients.\n    Senator Baldwin. Great. Thanks. I yield back.\n    The Chairman. Thank you, Senator Baldwin.\n    Senator Braun.\n    Senator Braun. Thank you, Mr. Chairman. For me it is \nsurprising that we have to be talking about interoperability \nand information blocking, and I think it is part and parcel of \nwhat is wrong with the healthcare industry in general. I know \nin my own business, which is a logistics and distribution \nbusiness, we due to competitive pressures and transparency, \nembraced the latest, the leading edge. And here, that we are \nhaving to nudge the healthcare industry itself to get with it \non these topics, it is to me, it is what is wrong with the \nhealthcare industry in general, which is a lack of \ntransparency.\n    The industry knowing all this stuff, has been out there for \na long time, and when it comes to, drug pricing, when it comes \nto embracing transparency to engender competition that drives \nmost other industries, I think that is why we are talking about \nit. And every time I get the opportunity, I want to challenge \nthe industry to get with it. To do what almost all other \nindustries have done, and when you have got a leading edge of \nanything, you grab it, because if you do not, you are left in \nthe dust by your competition. 
The cloaking and shrouding of the \nhealthcare industry, mostly due to the industry itself \nembracing that rather than transparency and technology, leads \nus to this discussion.\n    I, again, challenge the industry to get with it or else you \nare going to have one business partner, the Federal Government. \nLet us go back to interoperability and information blocking. \nWhich of the two, and any of the panelists can weigh in on it, \nis more important leading us to this point to where we are \ndysfunctional when it comes to information sharing, and where \nshould we spend the resources, if we can in some way through \nGovernment, help speed the process? I would like to know the \nrelative importance of these two issues. So, you can start.\n    Mr. Moscovitch. The Congress had a lot of foresight in the \n21st Century Cures Act in leveraging APIs, which as you \nmentioned, many other industries are already taking advantage \nof these kinds of technological tools. And ONC has implemented \nthat provision also with a lot of foresight in leveraging these \nstandards that are already adopted throughout the industry and \nbeing refined through various collaborative groups like the \nArgonaut Project, which brings technology organizations \ntogether to identify a refined way to implement the standard.\n    Senator Braun. You sense that if we were not here today \ntalking about it, the industry would be pushing forward on its \nown? And you can either answer that or not. I would love your \nopinion.\n    Mr. Moscovitch. Congress certainly has accelerated the \nadoption of APIs in a meaningful way.\n    Senator Braun. Thank you.\n    Ms. Savage. I would like to say that is true. I think the \nnudges both from high-tech and from Cures have been crucial. \nAnd all you have to do is go on the right Twitter feed and you \nwill see the hashtag #axethefax because everyone is still using \nfaxes in healthcare. 
So, we need to move beyond that just like \nthe rest of industry has.\n    Dr. Rehm. I would just double down on that. I think the \nfocus on forcing the industry, when I say industry the \ntechnology side for the interoperability piece because data \nblocking--some of it is just you cannot accomplish it or \nsometimes it is so costly or outside your normal workflow that \nyou do not accomplish it, but if the technology was more plug-\nand-play from an interoperability perspective, you would see \ndata flow more freely because the providers, they want access \nto information to care for the patient. Right place, right \ntime, right now. And so, the providers are pushing from their \nside, but the struggle is in the middle where time, money, and \neffort to overcome the interoperability challenges.\n    Ms. Grealy. I would just underscore how welcomed these \nproposed rules are. It is not often that you see, I think, such \ngreat alignment between what the Government is offering here \nand what the private sector has been asking for and wants to \nwork with them. But I think an area that you touched on is one \nthat we really need to do more work on, and that is how do we \ncreate better consumer, or more consumer demand for this?\n    We need to engage patients and consumers as to what should \nbe available to them, how it is going to improve their health, \nand the efficiency of the healthcare system. So, I think we \nwould welcome a public-private partnership type of campaign to \nreally educate people on how best to use this information, and \nthat they should have access to it. Just like when you change \ncell phone carriers, you do not have to get a new cell phone \nnumber anymore, you get to transfer that number. We should have \nthat same ease of operation with electronic health information.\n    Senator Braun. For consumers to be part of the process, \nwhich is what we did in my own company, to make it consumer-\ndriven, you have got to have transparency. 
And all I am saying, \nin the entire industry, across the board, start working on this \nstuff, doing it on your own where you do not need to be nudged \nby hearings like this because I think you will regret the \noutcome down the road if you do not start embracing what all \nthe rest of us do, transparency and competition. Thank you, Mr. \nChairman.\n    The Chairman. Thank you, Senator Braun.\n    Senator Rosen.\n    Senator Rosen. Thank you. I would like to thank you, Mr. \nChairman. Thank you for your testimony today. You know, I am a \nformer applications programmer so a lot of this interface stuff \nis near and dear to my heart, but recent study by the Kaiser \nFamily Foundation show that 88 percent of patients say their \nmedical provider does use electronic medical records. That is \nup almost 50 percent from 10 years ago, but the biggest concern \neverybody has is privacy, of course. And so being a former \napplications programmer, systems analyst, this is something \nthat I focus on a lot.\n    What I want to ask you, Ms. Savage, is this, who in your \nview is ultimately responsible for the integrity of an \nindividual's medical record? Is it the doctor, provider, \nelectronic health vendor, the hospital? I mean, who? All of \nthem? I mean, where does accountability ultimately lie?\n    Ms. Savage. In our system, we have pieces of our record in \nthe hands of various entities. When they are covered entities \nunder HIPAA, each entity is responsible for what is in its \ncustody. At Omada, we have we are responsible for what we have \ncustody for. If we are sharing that data at a patient's request \nwith their physician's office, the transom is a great visual. \nIt crosses the transom, the physician takes responsibility for \nit. 
And that is how the current rules work.\n    Similarly, outside of that sort of the system the \nindividual is responsible, just like an individual is \nresponsible for what they do about their own banking, or how \nthey describe their children on social media, or any of those \nthings.\n    Senator Rosen. Now, if we consider medical devices, perhaps \nplug and play, I do not want to make the pun about your \npacemaker perhaps, but we know that medical device does upload \nto your medical health record. And so, depending on what you \nhave, now we have this open platform with many kinds of medical \ndevices, many kinds of things feeding in, that can give us a \ngateway, a doorway, into the system for cyberattacks, for \nhacking, things that may ultimately change or modify your \nrecord. So, how are we preventing that doorway in? What are we \ndoing about that? Anyone can take that question.\n    Ms. Savage. I will take a first stab at it. So, FDA is very \nhard at work, certainly in helping device manufactures \nunderstand how they can upgrade the security of their equipment \nwithout having to do additional filings or changing the safety \nand functionality of that equipment. But the FDA actually does \nnot enforce security standards, except on those devices, and \nthe legal authority sits with OCR, who is enforcing it at the \ndoctor's office or hospital office level.\n    Back to what Senator Murray was asking about, as we think \nabout convergence and digital life, I think the policy question \nfor all the Senators is, how do we bring these things together \nand kind of thread stuff together that previously was happily \nliving in distinct silos. That is not the case anymore. We do \nnot want silos for individual data, and we do not want silos \nfor security authority----\n    Senator Rosen. What if something is wrong and you realize \nthat. How does a patient--how does ``us'' as a consumer get a \ncorrection through all of this?\n    Ms. Savage. 
For their data?\n    Senator Rosen. Yes.\n    Ms. Savage. We all have the right to ask a physician's \noffice or a hospital, any record holder, to correct data, and \nthen hopefully the right physician will say, oh, yes that \ncorrection needs to be made. I just corrected my own data \nrecently with my physician. But it is a little bit of a kludgy \nprocess, and it could be automated. For example, if you could \nask for a correction through logging into your secure portal, \nthen your identity would be proven and it would all be \nelectronic, and the physician could just make the change. I do \nnot know if Dr. Rehm wants to add anything to that.\n    Dr. Rehm. I was just going to add and kind of restate \nsomething I said earlier, which is with the open API, we are \npotentially opening up the electronic health data to a segment \nof technology that currently is not covered by HIPAA, which has \nbeen very prescriptive as to how we have to handle health \ninformation as a provider organization, or any organization \ncovered by HIPAA. So, I think that is the thing to just--what \nare we going to do legislatively to make sure that when we put \nin the door for people to pull in their information out of the \nelectronic health record into some other application, how is \nthat application governed?\n    Senator Rosen. Then, I have a quick question for you at the \nend. The huge responsibility put on the end care provider on a \nsmall family practice and on the individual at the end of the \nsystem. What is the burden for you to hire more people to take \ncare of all this data and information?\n    Dr. Rehm. The provider burden today, because it is not \ninteroperable, is huge. Because we at LifePoint, we are \nfortunate enough with our size and scale so that we can throw \nan army of people at the bridging the gaps between----\n    Senator Rosen. But if you are a small practice?\n    Dr. Rehm. But if you are a small practice, you do not have \nthose folks. 
And so that puts you at risk for one. Are you data \nblocking because you do not have the resources to do the custom \ninterfaces to allow this ADT message to flow from here to here. \nI mean, you might be caught in the middle of, yes, that is data \nblocking, and that is because you do not have the expertise or \nthe resources. So, I think we have run out--there is a great \nrisk in the current technology environment for practices that \ndo not have the resources because the systems are not \ninteroperable today. It takes effort and expertise, and not \neverybody has that.\n    Senator Rosen. Thank you.\n    The Chairman. Thank you, Senator Rosen. Well, thanks to \nall. I have--Senator Rosen brought up devices. These rules are \nnot about devices, I guess. They are about data, but there is \nan outfit in Nashville called a Center for Interoperability \nthat is a combination of hospitals, nonprofit and profit, all \naround, who realized they have a lot of buying power and they \nare trying to create a common platform so that anyone from whom \nthey buy things has to plug into a common platform. They use an \nanalogy of why we do not worry much about cable television, \nthat way back in the early days they got a common platform, so \nall the different cable companies use a common platform. What \ndoes what you are talking about today about devices, I mean \nabout data and interoperability, have to do with devices and \nthe data that comes from devices?\n    Ms. Savage. I will take a stab at that. So, in my longer \ncomments we gave an example of a person who has a surgery, and \nthey get a brace, and the brace has a radio chip and a \ngyroscope, and it attaches to their app, and that feeds to the \nbrace manufacturer's servers. And it may or may not feed to a \nphysician's practice. 
It depends on what the patient chooses.\n    When it is not going to the EHR, all of that activity is \nboth not within HIPAA, and we have talked about that quite \nextensively, but it is also health information technology with \nimportant information gate and success of the surgery, that is \nnot subject to this rule. And so that is really something to \nthink about back to this idea of convergence.\n    Mr. Moscovitch. The CMS rules also focus on getting \npatients their claims' data. And claims today for the millions \nof patients with implants lack key information. That is the \ndevice identifier of the implant they have in their body. So, \nwhen they are getting their claim's data, they will not know \nwhich brand of device or which model of the device they have in \ncase something goes wrong. And CMS can close that gap by adding \ndevice identifiers to claims.\n    Dr. Rehm. We have talked a lot about interoperability and \nusability, and I think those two are inextricably linked. And \nthe usability is made better if medical devices--when you think \nabout what is in the EHR, it is a store of data. And a lot of \nit is manually entered today by whether nurses, medical \nassistants, or physicians.\n    Devices are just one example where they are not covered but \nthe interoperability between the device and the EHR is just as \nkey as the interoperability from one EHR to another because \nthat burden of getting the data from whether it's from a blood \npressure cuff, a ventilator machine, whatever it might be, \ngetting that into the system is today either manually entered \nor a custom interface to pull that in.\n    The Chairman. Ms. Grealy, anything to add?\n    I think Senator Romney is on his way back, but as he comes, \nlet me ask each of you. 
If you were in my shoes or Senator \nBraun's shoes, what would be the one thing that you would like \nfor us to do or you think we can most constructively do to \nencourage interoperability of data as we consider these two \nrules over the next year or so? What is the one thing you would \nlike for us to keep our eye on or push?\n    Mr. Moscovitch?\n    Mr. Moscovitch. Sure. One thing we have not talked a lot \nabout today is patient matching. So, the ability to know that \nthe patient at one health system is the same person at another \nhealth system. And match rates can fail today around half the \ntime. Our research has found that better standards for \ndemographic data can meaningfully improve match rates. So that \nis a next step that ONC can be taking as it finalizes its \nrules.\n    The Chairman. Ms. Savage?\n    Ms. Savage. Well, I think the Committee is rightfully \nconcerned about privacy and security, and you as Committee \nMembers have a lot of expertise about how this works in the \nhealthcare system. And I think the best thing you can do is \nwork with your colleagues on what is working in healthcare that \nwould need to be migrated elsewhere because none of this will \nmatter if the consumers do not have confidence, and their \ndoctors do not have confidence that the consumers have \nconfidence.\n    The Chairman. Dr. Rehm?\n    Dr. Rehm. I mean she did not say and I think the standards \nFHIR, Argonaut, the USCDI, and the real-world testing. So as \nfolks adopt those standards, the validation through the real-\nworld testing that is working across vendors.\n    The Chairman. Ms. Grealy?\n    Ms. Grealy. I would endorse all of the comments you have \njust heard. And then the other thing I would really ask that \nyou sort of maintain oversight on the implementation of this \nand the time really necessary to do it the right way. And I \nthink you have pointed out that perhaps there may be more time \nrequired. We do not want to halt this. 
We do not want to \nprevent moving ahead or progress, but I think we also have to \nbe very cognizant of the challenges that providers and others \nare facing in trying to do this complex work.\n    The Chairman. You have asked for 30 more days?\n    Ms. Grealy. At least for the comment period.\n    The Chairman. For the comment period for the rules.\n    Ms. Grealy. Yes.\n    The Chairman. We will let Senator Romney provide the \nbenediction.\n    [Laughter.]\n    Senator Romney. I think I will ask questions instead, Mr. \nChairman.\n    [Laughter.]\n    Senator Romney. Thank you. I appreciate the work that is \nbeing done to provide standardization and I happen to believe \nthat this is a scenario we have lagged in and there is a real \ncost financially but more importantly in terms of the quality \nof care delivered to patients by virtue of not having been able \nto have this information. I am pleased, as I consider the \nproviders of health care in my state, to recognize that they \nhave interoperability within their own systems. At LifePoint, \nof course, within your system. Intermountain Healthcare within \ntheir system. And from what I can tell from the outside, the \ninteroperability within the specific systems is having a very \nsignificant impact, particularly on the cost and quality \noverall in the enterprise.\n    I guess I have two questions that I am happy to direct this \nto anyone who wants to pick up on it. One is, does this \ninformation inform also the choice that the doctors choose to \nguide the type of treatment they might provide or the \nprescription they might provide? So, are they using the \ninformation to actually change their practice in providing care \nto the patient? That is No. 1. And then No. 2, is the data \nbeing used yet, the electronic medical record data, being used \nto allow the patient to inform their life choices?\n    If a record indicates that someone looks like they are at \nrisk for developing diabetes, for instance. 
Is this flagged by \nsomeone? Is someone seeing that? Is it then flagged to the \nindividual? Are they given then instructions on what type of \nfoods they should be eating and what types of things they \nshould be avoiding? So, to what extent are we using medical, \nthe advent of electronic records, not just to improve the cost \nof the healthcare system, whether it is at LifePoint or the \nIntermountain, or Mayo, or any of the others, but also to \nactually make decisions by physicians, and No. 2, allow \npatients to make--individuals to make decisions for their own \nhealth and well-being?\n    Ms. Savage. With the diabetes prevention product, I will \ntake the first step. Intermountain is actually one of our \noldest customers. We started offering DPP to Intermountain \nemployees and now it has been expanded out to their patients in \ncertain populations. In fact, we used their EHR data to decide \nwho to refer to Omada, and then we in turn engaged the person \nthat is in an asynchronous platform. You can open your \nsmartphone and see your weight record and your food intake at \nany point in time. There is a picture in our supplemental \nmaterials, and so I would say, in fact when you can figure out \nthe business relationships and the data relationships, that \nmagic alchemy occurs. And what we want to have happen is have \nit occur more widely throughout the whole healthcare system.\n    Mr. Moscovitch. What Cures did and what these rules do is \nmake sure that first and foremost patients can get their data \nand providers can get the data from other places. And better \nAPIs to make sure the data are exchanged, and better patient \nmatching can meet that end.\n    Senator Romney. Thank you.\n    Dr. Rehm. From the provider perspective, when the \ninformation is visible and present in many of our systems, even \nif it is interoperable, that information that is brought in \nfrom the outside, is outside of their workflow. 
So, when the \npatient is in front of you and you are trying to make clinical \ndecisions, you have everything that is native to your EMR, and \nthe outside information is frequently in a separate workflow \nthat you have to go find and get.\n    Sometimes, in some of our EMRs, that information is closer \nto your workflow, so it is leveraged. The more difficult it is \nto leverage that outside information, the less likely our \nproviders are to see it at the right time to make a care \ndecision at that moment. So, the usability and interoperability \nagain are, I think, go hand-in-hand.\n    Senator Romney. Can we make progress on that front? Are \nwe----\n    Dr. Rehm. Yes. Sorry, I did not mean to cut you off there. \nYes, so I believe some of the--what we are talking about today \nand what the rules are proposing bring us closer to narrowing \nthe playing field so that interoperability is more useful \nbecause it becomes more usable by the clinicians who are in \nfront of the computer and the patient at the same time.\n    Senator Romney. Yes. Thank you.\n    Ms. Grealy. Well, I just want to highlight with a personal \nstory. When you see this work and work well, it is amazing. Two \nyears ago, my husband had a very unusual stroke which affected \nhis vision. So, there was an ER visit, an overnight hospital \nstay, and then the next 2 days he had to see an \nophthalmologist, cardiologist, neurologist, and then back to \nthe primary care physician. All of the recommendations for most \ndifferent physicians came back to the primary care physician.\n    The most notable one being the cardiologist saying, I know \nthis will sound unusual to you and your husband because his \ncholesterol level is extremely low, but the latest research \nshows that for this type of stroke, him going on a statin would \nbe a good thing. I am not going to prescribe it now. I am \nmaking the recommendation but discuss it with your primary care \nphysician. 
So, we go back to the primary care physician. He has \nbeen treating my husband for many years. He looks at it, goes, \nwell this does not make sense, but that cardiologist had \nincluded the latest research. He took the time to look through \nthat and said, she is correct.\n    Next day I did have an opportunity to attend an AMA \nfunction and talk to other cardiologists, and ophthalmologists, \nand primary care physicians. And again, it was cutting edge \nresearch. To me that is the real value of having an \ninteroperable electronic health record where the physicians \nhave the information and you as the patient are able to engage \nin that discussion in how to manage your health. So, this is \nwhat we need to have nationwide, not just within these closed \nhealthcare systems.\n    Senator Romney. Thank you. Mr. Chairman, in keeping with \nyour introduction, amen.\n    [Laughter.]\n    The Chairman. I agree with Senator Romney. That helped take \nwhat can sometimes sound complex and confusing and gave it the \nkind of meaning that we hope to give it. Thanks to each of you. \nYou have been very helpful today. As I said earlier, this is \na--we all believe the 21st Century Cures Act was, as the \nMajority Leader said, the most important bill we passed in that \nCongress, and we are determined that it be implemented \ncorrectly. It sounds like these two rules are important steps \ntoward interoperability.\n    If you have other comments that you would like to make to \nthe Committee after you leave and think, oh, I wish I had said \nthis or I wish I had said that, the record will remain open for \n10 days so you may do that. Members may submit additional \ninformation too.\n    The Chairman. The HELP Committee will meet again on \nTuesday, April 2d for a hearing on higher education.\n    Thank you for being here. 
The Committee will stand \nadjourned.\n\n                          ADDITIONAL MATERIAL\n                          \n [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                          \n                          \n \n[Whereupon, at 11:29 a.m., the hearing was adjourned.]\n\n</pre></body></html>\n"