[Senate Hearing 116-409]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 116-409
 
                     IMPLEMENTING THE 21ST CENTURY
                      CURES ACT: MAKING ELECTRONIC
                      HEALTH INFORMATION AVAILABLE
                       TO PATIENTS AND PROVIDERS

=======================================================================

                                HEARING

                                 OF THE

                    COMMITTEE ON HEALTH, EDUCATION,
                          LABOR, AND PENSIONS

                          UNITED STATES SENATE

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                                   ON

 EXAMINING IMPLEMENTING THE 21ST CENTURY CURES ACT, FOCUSING ON MAKING 
   ELECTRONIC HEALTH INFORMATION AVAILABLE TO PATIENTS AND PROVIDERS

                               __________

                             MARCH 26, 2019

                               __________

 Printed for the use of the Committee on Health, Education, Labor, and Pensions
 
 
 
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                    



        Available via the World Wide Web: http://www.govinfo.gov
        
        
        
        
                           ______                       


             U.S. GOVERNMENT PUBLISHING OFFICE 
41-393 PDF            WASHINGTON : 2021         
        
        
        
          COMMITTEE ON HEALTH, EDUCATION, LABOR, AND PENSIONS

                  LAMAR ALEXANDER, Tennessee, Chairman
MICHAEL B. ENZI, Wyoming                  PATTY MURRAY, Washington
RICHARD BURR, North Carolina              BERNARD SANDERS (I), Vermont
JOHNNY ISAKSON, Georgia                   ROBERT P. CASEY, JR., Pennsylvania
RAND PAUL, Kentucky                       TAMMY BALDWIN, Wisconsin
SUSAN M. COLLINS, Maine                   CHRISTOPHER S. MURPHY, Connecticut
BILL CASSIDY, M.D., Louisiana             ELIZABETH WARREN, Massachusetts
PAT ROBERTS, Kansas                       TIM KAINE, Virginia
LISA MURKOWSKI, Alaska                    MARGARET WOOD HASSAN, NewHampshire
TIM SCOTT, South Carolina                 TINA SMITH, Minnesota
MITT ROMNEY, Utah                         DOUG JONES, Alabama
MIKE BRAUN, Indiana                       JACKY ROSEN, Nevada

                                  
                                    
                                     
               David P. Cleary, Republican Staff Director
         Lindsey Ward Seidman, Republican Deputy Staff Director
                  Evan Schatz, Minority Staff Director
              John Righter, Minority Deputy Staff Director
              
              
                            C O N T E N T S

                              ----------                              

                               STATEMENTS

                        TUESDAY, MARCH 26, 2019

                                                                   Page

                           Committee Members

Alexander, Hon. Lamar, Chairman, Committee on Health, Education, 
  Labor, and Pensions, Opening statement.........................     1
Murray, Hon. Patty, Ranking Member, a U.S. Senator from the State 
  of Washington, Opening statement...............................     3

                               Witnesses

Moscovitch, Ben, M.A., Project Director, Health Information 
  Technology, The Pew Charitable Trusts, Washington, DC..........     6
    Prepared statement...........................................     7
    Summary statement............................................    15
Savage, Lucia, C., J.D., Chief Privacy and Regulatory Officer, 
  Omada Health, Inc., San Francisco, CA..........................    16
    Prepared statement...........................................    17
    Summary statement............................................    29
Rehm, Christopher, R., M.D., Chief Medical Informatics Officer, 
  LifePoint Health, Brentwood, TN................................    29
    Prepared statement...........................................    31
    Summary statement............................................    34
Grealy, Mary, J.D., President, Health Leadership Council, 
  Washington, DC.................................................    36
    Prepared statement...........................................    37

                          ADDITIONAL MATERIAL

Supplemental remarks of Lucia C. Savage, J.D.....................
    Digital Health Data and Information Sharing: a New Frontier 
      for Healthcare Competition.................................    54
    ONC's Proposed Rule On Information Blocking: The Potential To 
      Accelerate Innovation In Health Care.......................    83
    Comments of Omada Health, Inc. to U.S. Department of Health 
      and Human Services Office for Civil Rights in Response to 
      Request for Information, Docket # 0945AA00.................    86
Supplemental remarks of Mary Grealy, J.D.........................
    HLC BPC Report on Advancing Interoperability, Information 
      Sharing, and Data Access...................................    98


                     IMPLEMENTING THE 21ST CENTURY

                      CURES ACT: MAKING ELECTRONIC

                      HEALTH INFORMATION AVAILABLE

                       TO PATIENTS AND PROVIDERS

                              ----------                              


                        Tuesday, March 26, 2019

                                        U.S. Senate
       Committee on Health, Education, Labor, and Pensions,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., in room 
SD-430, Dirksen Senate Office Building, Hon. Lamar Alexander, 
Chairman of the Committee, presiding.
    Present: Senators Alexander [presiding], Cassidy, Romney, 
Braun, Murray, Baldwin, Kaine, Jones, Hassan, Rosen, and Casey.

                 OPENING STATEMENT OF SENATOR ALEXANDER

    The Chairman. The Senate Committee on Health, Education, 
Labor, and Pensions will please come to order. Senator Murray 
and I will each have an opening statement, then we will 
introduce the witnesses. After the witnesses' testimony, 
Senators will each have about five minutes of questions.
    Reid Blackwelder is a family physician with three clinics 
in the tri-cities area of East Tennessee. A few years ago, he 
talked with the New York Times about his electronic health 
records that were supposed to make his life easier saying, ``we 
have electronic health records at our clinic but the hospital, 
which I can see from my window, has a separate system from a 
different vendor. The two do not communicate. When I admit 
patients to the hospital, I have to print out my notes and send 
a copy to the hospital so they can be incorporated into the 
hospital's electronic records.'' Dr. Blackwelder could pay for 
his patients' hospital records to be electronically sent from 
his system to the hospital system, but it would cost him 
$26,400 every month or $316,800 a year. So, for Dr. Blackwelder 
and many other doctors, record keeping is now more expensive 
and burdensome as a result of electronic health care records.
    In 1991, the National Academy of Medicine released a report 
urging the prompt development and implementation of what were 
then called computer-based patient records. We forget that was 
well before the internet was in common usage in the United 
States. The report said, these systems have a unique potential 
to improve the care of both individual patients and reduce 
waste through continuous quality improvement. Electronic health 
records, as they came to be called, got a boost in 2009 when 
the Federal Government, in a bipartisan effort, began the 
Meaningful Use Program, spending over $36 billion in grants to 
incentivize doctors and hospitals to use these systems. As was 
the prediction in the 1991 report, the hope was that electronic 
records would improve patient care and reduce unnecessary 
healthcare spending. This is important to this Committee 
because at our hearing last summer Dr. Brent James from the 
National Academies testified that up to 50 percent of what we 
spend on health care is unnecessary. So, there is bipartisan 
focus, both in the Congress and the administration, on reducing 
health care costs.
    One way to reduce what we spend on administrative tasks and 
on necessary care, is by having electronic health records that 
talk to one another, which we call interoperability. But in 
2015, six years after the Meaningful Use Program started, as 
this Committee worked on the 21st Century Cures Act, we 
realized that in many cases electronic health records added to 
administrative burden and increased unnecessary health care 
spending. A major reason for that is the records are not 
interoperable. One barrier to interoperability is called 
information blocking, which is when some obstacle is in the way 
of a patient's information being sent from one doctor to 
another. So, in 2015, this Committee held six bipartisan 
hearings, formed a working group to find ways to fix the 
interoperability of electronic health records. These hearings 
led to a bipartisan group of HELP Committee Members working 
together to include a provision in the 21st Century Cures Act, 
to stop information blocking and encourage interoperability.
    Today's hearing is about two rules that the Department of 
Health and Human Services proposed to implement this provision 
in the 21st Century Cures Act. The two rules are complicated, 
but I would like to highlight a few ways they lay out a path 
toward interoperability. One, the rules define information 
blocking so we know what we mean when we are talking about it. 
So, it is more precisely clear what we mean when one system, 
hospital, doctor, vendor, or insurer is purposely not sharing 
information with another.
    Second, the rules require that by January 1, 2020, for the 
first time insures must share a patient's health care data with 
the patient so their health information follows them as they 
see different doctors. Third, all electronic health records 
must adopt the same standards for data elements, known as 
application programming interface or API, two years after these 
rules are completed. And fourth, hospitals are required to send 
electronic notifications to a patient's doctors immediately 
when that patient is admitted to, discharged from, or 
transferred from the hospital. According to the Department of 
Health and Human Services, these new rules should give more 
than 125 million patients easier access to their own records in 
electronic format. This should be a huge relief to any of us 
who have spent hours tracking down paper copies of our records 
and carting them back and forth to different doctors' offices. 
The rules will reduce administrative burden on doctors so they 
can spend more time with patients.
    A recent study from Kaiser found that emergency room 
doctors in order use electronic health record systems make up 
to 4,000 mouse clicks per shift. If electronic health records 
data was truly interoperable, it would greatly reduce how many 
clicks doctors have to make. According to the Department of 
Health and Human Services, spending less time on these 
administrative tasks will improve efficiency and save about 
$3.3 billion a year. And because doctors can see patients full 
medical history, they can avoid ordering unnecessary tests and 
procedures. I also want to be aware, and I know this Committee 
does, of unintended consequences from these two rules. Are we 
moving too fast?
    In 2015, I urged the Obama administration to slow down the 
Meaningful Use Program, which they did not do, and looking 
back, the results would have been better if they had. Are the 
standards for data elements too rigid? Is the door still open 
for bad actors to game the system and continue to information 
block? And how can we ensure patient privacy as patients gain 
more access and control over their personal health information, 
and how do we help them keep it secure? I want to ensure these 
rules will make the problem of information blocking better not 
worse.
    I look forward to any specific suggestions to improve the 
rules from those who use electronic health record systems. 
Electronic health records that work can give patients better 
outcomes and better experiences at a lower cost.
    Senator Murray.

                  OPENING STATEMENT OF SENATOR MURRAY

    Senator Murray. Thank you very much, Mr. Chairman.
    Back in 2008, just one in 20 hospitals used electronic 
health records. A decade later, we have made enough progress to 
flip that number entirely. Today, just one in 20 hospitals have 
not adopted electronic health records. And over the past 
decade, we have seen how better information about a patient's 
health care does make a big difference. In national news, 
electronic health records played an important role in 
understanding how the water in Flint, Michigan was putting 
families in danger. And while they do not always make 
headlines, electronic health records also make a difference by 
helping care providers identify health problems sooner so 
patients can get preventive care to stay healthy, avoid 
duplicated tests or medication errors, and identify treatments 
that might be counterproductive based on a patient's medical 
history or current prescriptions.
    The HITECH Act we passed in 2009 was a big part of 
accomplishing the progress we have seen so far, but we have to 
continue building on that progress to ensure health information 
technology lives up to its full potential. And we have to 
continue oversight, following up the work we did in 2015 after 
the Office of the National Coordinator for Health Information 
Technology put out a report detailing some of the challenges 
ahead. The report made clear information blocking was a serious 
problem throughout the health care system. While high tech 
required certified electronic health record products to meet 
technical standards intended to make good information more 
accessible for care providers, the ONC report found substantial 
evidence some organizations were intentionally setting up 
barriers between their systems and other systems, like 
exorbitant fees whenever someone sent, received, or even 
searched for a patient's information, contracts that restricted 
people's ability to access and share their own health 
information, and systems built in ways that made sharing 
information needlessly complicated. Maybe they missed the day 
in kindergarten about sharing, because putting something where 
only you can reach or charging excessive fees for it is 
absolutely not how it should be done. And it is absolutely not 
acceptable when it comes to people's health.
    We cannot afford to have bad actors who prioritize their 
bottom line over patients' best interest, and block information 
hospitals, providers, and patients need to be able to share 
that with one another. We also cannot expect health IT systems 
to get better when some vendors include gag clauses that 
prevent care providers from speaking out about the problems, or 
issues, or errors they encounter. It should be easy for 
providers shopping for electronic record systems to learn about 
potential issues. It should be easy for medical professionals 
to hear about a problem with a system they use, and it should 
be easy for anyone to speak out when they see something that 
would jeopardize people's health. When systems cannot speak 
with each other and people cannot speak up about the problems 
they see, it is patients who do get hurt. Like the man in 
California who suffered brain damage after his diagnosis was 
delayed because a hospital software could not properly 
interface with a lab software, or the woman in Vermont who died 
of a brain aneurysm that might have been caught if a software 
problem had not stopped the order for a test that she needed. 
When we talk about making sure we have a strong health IT 
system, we are not just talking about technology and 
innovation. Families' lives depend on making sure we get this 
right, which is why I was glad we were able to take steps to 
address these issues in the 21st Century Cures Act.
    I look forward to hearing from our witnesses about their 
perspective on ONC's proposed rule to implement the Cures' 
provisions. In that bill, we moved to end information blocking, 
and make clear when patients and their care providers need 
information, they should not be stopped by unnecessary, 
unreasonable barriers. And we tasked ONC with clarifying what 
sort of concerns, like privacy, and safety, and security, would 
be grounds for reasonable exceptions. We also took steps to 
help ONC strengthen its certification program beyond technical 
criteria for electronic health records, so they can make sure 
that if vendors want to get the Government seal of approval, 
then they cannot engage in information blocking or use gag 
clauses.
    The new conditions also call for open application 
programming interfaces, or APIs, another step that will help 
make sure systems developed by different vendors and used by 
different doctors are able to speak to each other, and that 
patients have an easier time getting access to their medical 
records. I am glad ONC is moving to put these common sense 
steps into action. I am interested in making sure this gets 
done right. I look forward to hearing from our witnesses about 
their perspective on ONC's approach, and about the steps the 
Centers for Medicare and Medicaid Services is taking to make 
claims data more accessible and prompt care providers to be 
better about sharing information. Of course, as we continue to 
proof our health IT system, we need to make sure that health 
information is being provided in a way that works for patients 
as well.
    During our 2015 hearings, I shared the story of woman who 
had been seeking the results of her pregnancy test, but instead 
of a clear answer, her electronic health record simply reported 
her hormone levels--not helpful. We need to do better for her 
and for other patients who have gone looking for information 
they can use only to find massive binders, unreadable PDFs, and 
stacks of CDs. Engagement and usability have to be part of this 
discussion. And last but most certainly not least, we need to 
talk about security, privacy, and data stewardship. That means 
prioritizing the development of technology and best practices 
that can help prepare for the constantly evolving cyber 
security threats of the 21st century.
    It also means having a national conversation about what is 
required for all parties to be good stewards of the data people 
entrust them with, and that conversation is only going to 
become more important as tech companies and others introduce 
new products like mobile applications that empower people with 
their health care data but are not covered by existing HIPAA 
protections. Patients should be able to expect tech companies 
are going to use their most sensitive information responsibly 
and give them the tools they need to be able to control how and 
when their information is disclosed. Our objective should be to 
make sure tech companies are putting patients in the driver's 
seat, not the other way around. It is clear we have come a long 
way when it comes to strengthening our Nation's health 
information infrastructure, but it is also clear there are a 
lot of challenges ahead.
    I look forward today to hearing from all of our witnesses. 
Thank you for being here. We want to hear about how data and 
technology can actually empower patients and care providers, 
and I hope we can continue our bipartisan work on this 
important issue, Mr. Chairman.
    Thank you.
    The Chairman. Thank you Senator Murray and thank you for 
your leadership on this. I think all Members of the Committee 
would agree that the 21st Century Cures Act is one of the most 
important pieces of legislation we have had a chance to work 
on. Senator McConnell, Majority Leader, said it was the most 
important bill in the Congress in which it passed, and it was a 
bipartisan piece of legislation.
    I have noticed that we can do three things in the 
Committee, it seems to me. One, we can call attention to 
something, which we are doing today and which we did with our 
five hearings on electronic health care records. Two, we can 
pass a law, which we did with 21st Century Cures. And three, we 
can make sure the law works, which is what this hearing is 
about--it is about oversight. And we welcome our witnesses.
    The first one, Mr. Ben Moscovitch is the Project Director 
of Health Information Technology at the Pew Charitable Trust. 
He leads research on the challenges of achieving 
interoperability and highlights possible solutions.
    Next, we will hear from Ms. Lucia Savage. She is the Chief 
Privacy and Regulatory Officer at Omada Health. Omada is a 
digital behavioral health company that aims to address health 
issues including type 2 diabetes, heart disease, and obesity. 
She focuses on advancing health care using technology and 
maintaining the security of patients' health information.
    The third witness, Dr. Christopher Rehm, is Chief Medical 
Information Officer of LifePoint Health in Brentwood, 
Tennessee. It is a hospital system with 89 locations in 30 
States. He works both with physicians and patients to apply 
technology solutions to health care needs.
    Finally, we will hear from Ms. Mary Grealy, President of 
the Healthcare Leadership Council, which is comprised of health 
care executives from leading organizations and companies in the 
health care industry, health plans, hospitals, health product 
distributors, pharmacies, and academic medical centers.
    Welcome to each of our witnesses. Thank you for making time 
for us today. If you will summarize your remarks in about five 
minutes, we will then have questions. Why don't we begin, Mr. 
Moscovitch with you.

  STATEMENT OF BEN MOSCOVITCH, M.A., PROJECT DIRECTOR, HEALTH 
INFORMATION TECHNOLOGY, THE PEW CHARITABLE TRUSTS, WASHINGTON, 
                               DC

    Mr. Moscovitch. Chairman Alexander, Ranking Member Murray, 
Members of the Committee, thank you for holding this hearing 
and for the opportunity to present testimony. If one were to 
read recent news articles, it would be reasonable to think that 
our healthcare system is less efficient and less safe because 
of the transition from paper to electronic records.
    The truth is EHRs have revolutionized modern medicine by 
giving clinicians better tools to document patients' needs, 
safely prescribe medications, and administer care. But, as 
Congress recognized in the 21st Century Cures Act, gaps remain. 
They keep EHRs from reaching their full potential. Oversight 
from this Committee can help fill those gaps. My testimony will 
focus on three aspects of the recently proposed regulations to 
implement Cures that could one, enable easier use of health 
data, two, promote better matching of patient records, and 
three, improve safety and reduce clinician burden.
    First, interoperability requires patients and clinicians to 
be able to effectively access and extract information from 
EHRs. To address that, Congress directed ONC to develop new 
criteria for EHRs, which help different systems communicate. 
These are called APIs or Application Programming Interfaces. 
APIs are the foundation of the modern internet. They allow 
travel websites to aggregate airline fares, personal financial 
applications to pull data from an individual's accounts, and 
countless other everyday uses. For APIs to be effectively used, 
different systems need to exchange data in the same way. To 
accomplish this, ONC identified the use of a standard called 
FHIR for data exchange and provided guidance on how to 
consistently implement it for better interoperability. As ONC 
finalizes the rule, Congress should ensure that the agency 
maintains its commitment to these standard APIs.
    Interoperability also requires health organizations to know 
that they are communicating about the same person. This is 
often referred to as patient matching. When data are exchanged, 
records may not be matched up to half the time. Pew has 
identified concrete steps that Congress should encourage ONC to 
take, including ones recently highlighted in a GAO report 
required by Cures. We found that better standardization of data 
can improve match rates. For example, Pew funded research at 
Indiana University revealed that use of the U.S. Postal Service 
standard for address would increase match rates by 
approximately 3 percent, a significant improvement. One 
technology developer told us this would help their system match 
an additional tens of thousands of records per day. To improve 
matching, ONC should specify use of the postal service standard 
for address and include other routinely collected elements like 
email address, which is already in half of records but not used 
for matching. In Cures, Congress also recognized that EHR 
usability must be improved. Usability refers to system design, 
as well as how they are customized and used. Poor usability can 
contribute to clinician burden and contribute to medical 
errors.
    Pew collaborated with MedStar Health to examine the 
contribution of EHR usability to medication safety events, such 
as dosing errors in three pediatric health care facilities. The 
research found that EHR usability contributed to more than a 
third of the 9,000 events examined. This Committee can 
encourage ONC to make patient safety a priority in implementing 
Cures. Congress charged ONC with developing new criteria for 
EHRs used in pediatric care. While ONC rightly identified 10 
priorities for pediatric care, such as the dosing of drugs 
based on weight, the agency should better focus on safety and 
usability. For example, ONC should clarify that developers 
seeking certification for pediatric functions involve 
pediatricians and pediatric nurses to test the system.
    Congress also required ONC to establish an EHR reporting 
program. The agency should embed safety in the usability 
aspects of this program, as recommended by clinicians, 
technology professionals, and others. In conclusion, the 
bipartisan passage of Cures launched a new era for digital 
health by providing patients and clinicians with better access 
to data and reducing medical errors. As the administration 
continues its implementation, this Committee can ensure that 
Congress's goals are met by supporting secure, standard API 
access to a wide range of health data, encouraging ONC to 
address patient matching through better standards, and pressing 
ONC to focus on patient safety throughout the implementation of 
Cures.
    Thank you for holding this hearing, and I look forward to 
answering your questions.
    [The prepared statement of Mr. Moscovitch follows:]
                  prepared statement of ben moscovitch
    Chairman Alexander, Ranking Member Murray, Members of the 
Committee, thank you for holding this hearing and for the opportunity 
to present testimony.

    My name is Ben Moscovitch; I serve as the Project Director of 
Health Information Technology at The Pew Charitable Trusts (Pew), a 
nonprofit, nonpartisan research and policy organization. Our health 
information technology project focuses on improving the safety of 
electronic health record (EHR) systems, and enhancing the exchange of 
information so that health care providers and patients have the data 
they need to make informed decisions.

    EHRs have revolutionized how clinicians deliver care by equipping 
them with better tools to document patients' health status, safely 
prescribe medications, and otherwise order health care interventions. 
And, these tools have the potential to make it easier for patients and 
clinicians to have more complete and robust data to coordinate care 
across health care settings.

    Seeking to build on the improvements spurred on by the digitization 
of paper records, Congress recognized that gaps remain in realizing the 
full potential of EHRs to give patients their data, make clinical care 
more efficient, and enhance patient safety. The 21st Century Cures Act 
(Cures), passed in 2016, marked an important step toward remedying 
these deficiencies by addressing barriers to both the effective 
exchange of health data, known as interoperability, and the usability 
of these systems.

    Congress, through Cures, set a positive vision for the future of 
EHRs--a vision where patient data are securely accessible to patients 
and clinicians wherever and whenever they need them. Access to health 
data would help advance the coordination of care for patients who see 
multiple physicians. This coordination would help patients live longer 
and better lives, and reduce costs associated with duplicate laboratory 
and other services. And, this vision would have EHRs serve as a 
critical, helpful tool that clinicians can seamlessly use to administer 
higher quality care. In this vision, EHRs are indispensable, yet almost 
invisible to patients because the systems are easily and efficiently 
used, and only interject in care to offer essential support services to 
help clinicians provide safer, higher quality care.

    Earlier this month, the Office of the National Coordinator for 
Health Information Technology (ONC) and the Centers for Medicare & 
Medicaid Services (CMS) issued proposed rules to begin implementing 
that vision captured in Cures. The regulations aim to ease the exchange 
of health data when patients want to access their information or have 
it transmitted to their health care providers, and otherwise focus on 
barriers to the use of these systems to improve patient care.

    My testimony will focus on three key aspects of the proposed rules 
from ONC and CMS published earlier this month that address Congress' 
desire to improve the interoperability of health data and effective use 
of EHRs. Specifically, I will discuss:

          provisions enabling easier extraction and use of 
        health data from EHRs via application programming interfaces 
        (APIs), which enable different technologies to communicate;

          needed enhancements to better match patient records 
        across the different health care providers where individuals 
        seek care; and

          necessary improvements to the usability of EHR 
        systems to address design and implementation factors that can 
        both introduce burdens on clinicians and contribute to medical 
        errors.

    Enhanced Interoperability via Application Programming Interfaces
    For patients to obtain their records or health care providers to 
exchange information, they first need the ability to effectively 
extract data from EHRs. To address that challenge, Congress required 
ONC to develop new criteria for EHRs to make ``all data elements'' 
available via APIs, which are software tools that allow systems to 
request and deliver information to other systems. APIs are the 
foundation to the modern internet; they allow travel websites to 
aggregate fares from different airlines, personal financial 
applications to pull data from an individual's accounts, and countless 
other everyday uses. \1\
---------------------------------------------------------------------------
    \1\  The Pew Charitable Trusts, ``Electronic Tools Can Strengthen 
Health Care Data Access, Sharing'' (2018), https://www.pewtrusts.org/
en/research-and-analysis/issue-briefs/2018/09/electronic-tools-can-
strengthen-health-care-data-access-sharing.

    Currently, EHRs often do not support the robust use of APIs for 
data exchange, or if they do, those APIs can be implemented in 
proprietary ways that inhibit the use of the data by clinicians and 
patients. The Cures provision on APIs--colloquially referred to as 
``open APIs''--would let other technologies more readily access data 
within the system in a secure manner. The term ``open'' does not 
suggest that health data can be freely accessed by any user. Instead, 
``open'' refers to the fact that these APIs would be easier to use, 
such as that the business and technical documentation would be publicly 
---------------------------------------------------------------------------
available.

    By including this provision in Cures, Congress recognized that APIs 
reflect the future of data exchange in health care. They can enable 
patients to access their health records, hospitals to better exchange 
data with other organizations, and health care facilities to build and 
implement new decision support tools on top of their EHRs.

    In the recently proposed regulations, ONC implements this API 
provision, making several critical decisions on the standards to use 
for data and what information EHRs must be able to release.
                   ONC Advances Standard, Secure APIs
    For third-party technologies--like smartphone applications that 
patients use to download their records or clinical decision support 
tools that sync with EHRs--to utilize APIs to access data, the 
developers of these tools must know how to request and access the 
information. When EHRs use different standards for APIs, each third-
party technology must change its systems to reflect every variation.

    Recognizing this challenge, ONC sought to minimize the variability 
across systems by requiring the use of standards for APIs. Achieving 
standardization across APIs necessitates consistency both for how 
information can be accessed and how the data elements are represented. 
ONC accomplishes that goal by requiring use of the Fast Healthcare 
Interoperability Resources (FHIR) standard, which technology developers 
are increasingly adopting, for how to exchange information.

    However, FHIR permits the depiction of data elements in different 
ways and considers the inclusion of some data as optional, which could 
inhibit interoperability. To reduce this variability, ONC proposes to 
require the use of an implementation guide developed by the Argonaut 
Project--a collaboration among technology developers and health care 
providers--that provides constraints on how to implement FHIR.

    This combination of the FHIR standard and the Argonaut Project 
implementation guidelines will reduce the barriers to API use, so that 
patients and clinicians are better able to access data contained in 
EHRs. As ONC finalizes the rule, Congress should ensure that the agency 
maintains its commitment to standardized APIs--both through the use of 
FHIR and refined implementation guidelines.
                ONC Expands Data Elements Made Available
    To fully take advantage of APIs as a tool to improve 
interoperability and patient access to electronic health data, Congress 
required that they provide access to ``all data elements'' within an 
EHR system. In ONC's proposed rule, the agency provides guidance on 
what information constitutes ``all data elements'' that systems would 
be required to make available.

    In prior regulations, ONC has required EHRs to have APIs that make 
certain information--referred to as the Common Clinical Data Set 
(CCDS)--available for patient access, such as through a smartphone 
application. The CCDS contains some critical information, including 
medications, laboratory tests ordered, and problem lists, but lacks 
other data, such as physicians' notes. ONC has proposed expanding and 
adjusting the CCDS to meet the statutory requirement of making ``all 
data elements'' available. This expanded data set would be renamed the 
U.S. Core Data for Interoperability (USCDI), and would include 
additional key information. ONC's proposed additions include:

           Different types of clinical notes. These clinical 
        notes include free text entered by clinicians and other data 
        about laboratory and imaging observations, treatment plans, and 
        other aspects of care. In clinical notes, clinicians describe 
        the nuances of care and patients' medical conditions. The 
        addition of notes to the USCDI can give patients and other 
        clinicians critical information that may not be captured 
        effectively in structured fields or medical codes.

           Provenance. Provenance indicates the author, the 
        author's organization, and a time stamp for data elements in 
        the EHR. The inclusion of provenance would allow patients and 
        clinicians to understand the origin of the data, such as 
        whether a medication was entered by a primary care physician or 
        at a hospital. The time stamp will allow applications to chart 
        or sort information, such as by listing patients' medications 
        starting with the most recent. The addition of provenance to 
        the USCDI would provide much needed context for the data.

           Patients' addresses and phone numbers. The 
        availability of addresses and phone numbers will better enable 
        systems to link patient records across systems, and is 
        described in more depth below.

           Pediatric vital signs. The inclusion of pediatric 
        vital signs would enable more precise care for children by 
        allowing different applications to model the growth of a 
        patient according to biologic reference ranges, and prescribe 
        the proper dosing of drugs based on weight and age.

    ONC has also requested comments on whether to expand the 
``medication allergies'' list to also encompass reactions for other 
substances, such as food. By expanding this capability, clinical 
decision support tools could, for example, alert clinicians when 
patients are allergic to substances from which medications are made, 
such as eggs or pigs, and could improve patient safety.
         Electronic Health Information Export Could be Enhanced
    ONC's implementation of the API provision from Cures supports API-
based access to some--but not all--data contained in EHRs. In parallel, 
the ONC proposed rule also includes provisions that would facilitate 
the extraction of a broader group of data--referred to as electronic 
health information (EHI)--from health information technology systems. 
The EHI provision in the proposed rule would require EHR systems to 
support the export of all their patient data, and potentially 
information from other data bases connected to it. The EHI export 
function must support the export of an individual patient's data as 
well as information on all patients in the system to allow health care 
providers to switch EHR systems if they so choose.

    Unlike the API provisions in the proposed rule, ONC does not 
propose to require that technologies make this information available 
via any specific standards or format. Indeed, no such standard exists 
to describe all possible data elements across all EHRs. Instead, ONC 
indicates that the information should be extracted and remain 
computable wherever possible. Eventually, ONC states, it expects that 
health technologies would increasingly enable the extraction of EHI via 
APIs.

    As noted above, Cures required ONC to issue new criteria for EHRs 
to make ``all data elements'' available via APIs. However, ONC has 
proposed API requirements that would only expose a subset of data--the 
USCDI--via APIs. To address the gap between what Congress required in 
Cures and ONC's current proposal for APIs, Congress should encourage 
ONC to expeditiously make all EHI available via APIs wherever possible. 
\2\ However, unlike the USCDI data, much of EHI data may not have 
widely adopted standards or be easily exchanged via FHIR. Therefore, 
ONC should require EHR vendors to support an API-based export 
capability for all data elements (i.e., information beyond the USCDI), 
even without requiring any particular standard for EHI that is not part 
of the USCDI. Eventually, as standards are more widely adopted for 
different data elements that are made available via the EHI provision, 
ONC should expand the USCDI to encompass more of this information.
---------------------------------------------------------------------------
    \2\  Josh Mandel, ``Cures Envisions APIs for `All data'; ONC 
Proposes `a Limited Set' '' (2019), https://github.com/jmandel/interop-
2019-nprms/blob/master/ehi-export.md.
---------------------------------------------------------------------------
               Timeline for Health Care Provider Adoption
    Historically, ONC releases regulations for a new edition of 
certification criteria for EHRs and separately CMS issues rules for 
health care providers to adopt technologies that meet those 
requirements.

    However, as currently written, ONC's regulations would require 
technologies certified to the 2015 version of the criteria to upgrade 
to meet provisions in the new regulations within approximately 2 years 
of when they are finalized by the agency. By the end of that 2-year 
period, health care providers that have not upgraded their systems to 
include functions--such as for APIs and EHI--required by the new 
regulations would no longer be using certified products and could fall 
out of compliance with CMS requirements.

    In effect, ONC has created a system that would require several 
steps to occur in approximately 2 years: the development of new 
functions by EHR vendors; the testing and certification of those 
functions; implementation of changes at health care facilities; 
customization and configuration of the technology by health care 
providers; the testing of systems to ensure that they function properly 
within a facility and do not introduce inadvertent patient safety 
risks; and the training of staff.

    Given all the steps that need to occur during that time period, 
Congress should ensure that these systems, once implemented, are 
sufficiently tested--including for safety--by health care providers. 
Additionally, ONC should work with CMS to ensure that the timeline the 
agency finalizes in the regulations is not subsequently delayed. This 
assurance would provide certainty to both EHR developers and health 
care providers on government's expectations on when these provisions 
take effect.
      CMS Regulations Advance API Use for Patient Access to Claims
    In parallel to ONC's regulations, the CMS proposed rule also 
advances the use of standard, FHIR-based APIs for patients to gain 
access to their information held by health plans. This would allow 
patients to--for example--download claims data on their phones, giving 
them a holistic understanding of the services and treatments that they 
have received from different health care providers. Equipping patients 
with their claims data builds on previous efforts from CMS to leverage 
this information, including by providing increased access to the data 
by researchers working to identify ways to improve care quality and 
reduce costs. \3\
---------------------------------------------------------------------------
    \3\  Centers for Medicare & Medicaid Services, ``CMS Administrator 
Verma Unveils New Strategy to Fuel Data-driven Patient Care, 
Transparency,'' Apr. 26, 2018, https://www.cms.gov/newsroom/press-
releases/cms-administrator-verma-unveils-new-strategy-fuel-data-driven-
patient-care-transparency.

    Claims are especially useful because, unlike other information 
sources, they contain data for nearly every encounter an individual has 
with the health care system. Claims are standardized for providers and 
payers, resulting in easier aggregation of information across the 
health care system. As CMS states in this proposed rule, ``[w]hereas 
EHR data is frequently locked in closed, disparate health systems, care 
and treatment information in the form of claims and encounter data is 
---------------------------------------------------------------------------
comprehensively combined in a patient's claims and billing history.''

    CMS' efforts to give patients access to their claims data and 
provide researchers with this information, while laudable, omits one 
critical element particularly important for the Medicare population. 
Currently, claims only indicate that a procedure was performed--for 
example, a total knee replacement--but not the brand and model of 
implant used. In parallel, the unique device identifier system 
developed by the Food and Drug Administration (FDA) provides each 
medical device with a code corresponding to its brand and model. Adding 
the device identifier to claims can fill the gap, and provide patients, 
clinicians, and researchers with additional information on products 
used to sustain life and support care. \4\
---------------------------------------------------------------------------
    \4\  The Pew Charitable Trusts, ``Unique Device Identifiers Improve 
Safety and Quality'' (2016), https://www.pewtrusts.org/en/research-and-
analysis/fact-sheets/2016/07/unique-device-identifiers-improve-safety-
and-quality.

    Incorporating device identifiers in claims can also generate 
significant savings. The Department of Health and Human Services Office 
of the Inspector General (OIG) found that the failures of just seven 
types of cardiac implants cost Medicare $1. 5 billion to treat affected 
patients, and an additional $140 million directly to beneficiaries in 
out-of-pocket costs. \5\ These findings led the OIG to support the 
addition of device identifiers to claims. The White House's fiscal 2020 
budget request for FDA also listed strong support for the addition of 
device identifiers to claims. \6\ For CMS to effectively equip patients 
with their data--including from claims--and provide researchers with 
information to evaluate care, the agency should ensure that claims 
contain critical information on the products used.
---------------------------------------------------------------------------
    \5\  Department of Health and Human Services Office of Inspector 
General, ``Shortcomings of Device Claims Data Complicate and 
Potentially Increase Medicare Cost for Recalled and Prematurely Failed 
Devices'' (2018), https://oig.hhs.gov/oas/reports/region1/11500504.pdf.
    \6\  Food and Drug Administration, ``FDA Fiscal Year 2020 
Justification of Estimates for Appropriations Committees'' (2019), 
https://www.fda.gov/downloads/AboutFDA/ReportsManualsForms/Reports/
BudgetReports/UCM633738.pdf.

    Given broad support across the health care industry and CMS' 
recognition of the importance of access to claims data, Congress should 
ensure that device identifiers are incorporated into claims.
 Ineffective Patient Matching Also Inhibits Widespread Interoperability
    To achieve interoperable exchange of medical data, health 
organizations must also know that they are communicating about the same 
person. Presently, up to half of the information exchanges made by 
health care organizations may fail to accurately match records for the 
same patient. Both ONC and CMS included requests for information (RFIs) 
on patient matching in their proposed rules.

    To accurately match records held at different health care 
facilities, organizations typically compare patients' names, dates of 
birth, and other demographic data to determine if records refer to the 
same individual. Health care facilities use algorithms to conduct these 
matches, and also employ staff to manually review records--which is 
both costly and time consuming. This process, referred to as patient 
matching, often fails to accurately link records because of typos 
entered into the system; similarities in names, birth dates or 
addresses among different patients; changing information, such as when 
individuals move or get married; and many other reasons. \7\
---------------------------------------------------------------------------
    \7\  The Pew Charitable Trusts, ``Enhanced Patient Matching Is 
Critical to Achieving Full Promise of Digital Health Records'' (2018), 
https://www.pewtrusts.org/en/research-and-analysis/reports/2018/10/02/
enhanced-patient-matching-critical-to-achieving-full-promise-of-
digital-health-records.

    While some private sector technologies--such as referential 
matching, wherein third-party data are used to support matches--show 
promise, market forces have been unable to solve the patient matching 
problem for decades. In fact, patient matching requires collaboration 
between unaffiliated organizations, even competitors, that lack 
incentive to agree to a set of standards or develop systems that 
---------------------------------------------------------------------------
seamlessly exchange information.

    Recognizing that effective patient matching is necessary to achieve 
interoperability, a provision in Cures championed by several Members of 
this Committee required the Government Accountability Office (GAO) to 
evaluate steps that ONC and the private sector have taken to address 
this challenge. \8\ The GAO report highlights a solution that many 
organizations--including a contractor to ONC--have proposed: consistent 
use of standards for demographic data. \9\
---------------------------------------------------------------------------
    \8\  Government Accountability Office, ``Approaches and Challenges 
to Electronically Matching Patients' Records across Providers'' (2019), 
https://www.gao.gov/products/GAO-19-197.
    \9\  Genevieve Morris et al., ``Patient Identification and Matching 
Final Report'' (2014), https://www.healthit.gov/sites/default/files/
patient_identification_matching_final_report.pdf.

    In parallel, Pew conducted 2 years of research--including 
interviews with health care providers, focus groups with patients, and 
contracted studies--to examine different ways to address matching 
challenges. The Pew research--summarized in a report released in 
October 2018--examined four main opportunities: the standardization of 
data; the use of unique identifiers or biometrics (such as facial 
recognition or fingerprint scans); a smartphone-based, patient-led 
solution; and referential matching.
       ONC Should Advance Standardization to Improve Match Rates
    While no single solution will completely solve the patient matching 
problem, our research identified concrete steps ONC can take to make 
meaningful progress to address this challenge.

    First, ONC should require the use of standards for certain 
demographic data elements. In Pew-funded research published earlier 
this month, researchers at Indiana University studied whether the 
standardization of different data elements improves patient matching 
rates. \10\ Indiana University researchers attempted to match records 
in four data bases, standardized the data in those data bases, and then 
retried matching the records to determine whether that standardization 
yielded better results.
---------------------------------------------------------------------------
    \10\  Shaun J Grannis et al., ``Evaluating the Effect of Data 
Standardization and Validation on Patient Matching Accuracy,'' Journal 
of the American Medical Informatics Association (2019), https://
doi.org/10.1093/jamia/ocy191.

    The research revealed that the standardization of address to the 
standard employed by the U.S. Postal Service (USPS), which details the 
preferred abbreviations for street suffixes and states, for example, 
would improve match rates by approximately 3 percent. One technology 
developer indicated that this would help their system match an 
additional tens of thousands of records per day. Separately, 
standardizing last name--while showing limited utility on its own--
would further improve match rates if done in addition to address 
---------------------------------------------------------------------------
standardization.

    ONC already proposes in the new recent regulations to embed address 
in the USCDI, but further improvements in match rates could be realized 
if the agency simply updates this provision to require use of the USPS 
standard when matching records. Software that automatically converts 
addresses to the USPS standard after they are input into the system is 
available in the commercial market; it is the reason many websites, for 
example, automatically make format changes to your address at the time 
you place an online order. Use of this standard would not necessarily 
require workflow changes at the point of patient registration, and 
would meaningfully help better link records using the general processes 
that providers already employ.

    Second, the use of additional data elements could also improve 
match rates. For example, research published in 2017 showed that email 
addresses are already being captured in more than half of patient 
records. \11\ However, email address is not typically used for matching 
despite its widespread availability. ONC could improve match rates by 
identifying and including in the USCDI readily available data 
elements--potentially email address, mother's maiden name, or insurance 
policy identification number--that health information technologies 
should use for matching.
---------------------------------------------------------------------------
    \11\  Adam Culbertson et al., ``The Building Blocks of 
Interoperability: A Multisite Analysis of Patient Demographic 
Attributes Available for Matching,'' Applied Clinical Informatics 8, 
no. 2 (2017): 322-336, https://doi.org/10.4338/ACI-2016-11-RA-0196.

    Given the effect of low match rates on patient safety and health 
care spending, as well as the failure of the market to address this 
challenge, Congress should work with ONC to ensure that the agency is 
requiring use of better standards for address and enabling the 
utilization of additional data elements for matching.
   ONC Should Leverage Key Cures Provisions to Improve Usability and 
                                 Safety
    Along with barriers to the interoperable exchange of data among 
health care providers and to patients, Congress also recognized in 
Cures that subpar EHR usability hampers the ability of these systems to 
meet their full potential in delivering more efficient and safer care.

    Usability refers to the layout and design of systems, and how their 
customization, configuration, and implementation affects their use by 
clinicians. Usability-related safety problems can emerge due to 
confusing interfaces, the need to develop workarounds to complete 
tasks, an overabundance of unnecessary alerts, and many other issues 
given the central role that EHRs increasingly have in helping 
clinicians order procedures, review health information, and obtain 
decision support.

    Poor usability has two major consequences. First, ineffective 
usability can contribute to clinician burden and burnout, which can 
make them more susceptible to making errors. \12\ Second, poor 
usability can contribute directly to patient harm through errors that 
occur when clinicians interact with the EHR. Pew collaborated with 
MedStar Health's National Center for Human Factors in Healthcare to 
examine the contribution of EHR usability to medication safety events 
in three health care organizations that treat pediatric patients. The 
research, published in Health Affairs last year, revealed that EHR 
usability contributed to 3,243 of 9,000 safety events examined. \13\ Of 
those usability-related events, more than 80 percent involved an 
inappropriate drug dose, and 609 of the usability-related events 
reached patients. In one case, a transplant patient missed days-worth 
of medication that would help prevent organ rejection. In another case, 
the blood transfusion for a newborn in critical condition was delayed 
due to the inability to create a record. These findings, including 
other research conducted by MedStar Health, found a clear link between 
the usability of EHRs and patient safety. \14\
---------------------------------------------------------------------------
    \12\  Louise H. Hall et al., ``Healthcare Staff Well-being, 
Burnout, and Patient Safety: A Systematic Review,'' PLOS One, July 8, 
2016: https://doi.org/10.1371/journal.pone.0159015; and Maria Panagioti 
et al., ``Association Between Physician Burnout and Patient Safety, 
Professionalism, and Patient Satisfaction: A Systematic Review and 
Meta-analysis,'' JAMA Internal Medicine 2018;178(10):1317-1331. 
doi:10.1001/jamainternmed.2018.3713.
    \13\  Raj M. Ratwani et al., ``Identifying Electronic Health Record 
Usability and Safety Challenges in Pediatric Settings,'' Health Affairs 
vol. 37, no. 11: Patient Safety (2018): https://doi.org/10.1377/
hlthaff.2018.0699.
    \14\  Jessica L. Howe et al., ``Electronic Health Record Usability 
Issues and Potential Contribution to Patient Harm,'' Journal of the 
American Medical Association 319, no. 12 (2018): 1276-78, http://
dx.doi.org/10.1001/jama.2018.1171.

    ONC has an opportunity to improve system usability and patient 
safety under the existing authority provided to the agency by Congress 
as part of Cures. Congress has required that ONC create voluntary 
certification criteria for EHRs used in the care of children and 
develop a new EHR reporting program that could be used to identify and 
address usability issues. Patient safety could be greatly improved if 
ONC makes it a priority during their implementation of these 
provisions.
   Pediatric EHR Certification Program Should Include Patient Safety
    The health care needs of children and adults differ substantially; 
for example, pediatric patients often receive medication dosage amounts 
based on their weight. Given differences such as this, Congress 
included provisions in Cures for ONC to develop and adopt new voluntary 
criteria for EHRs used in the care of children.

    In the proposed rule, ONC identified 10 clinical priorities for 
pediatrics, including weight-based dosing, use of biometric norms for 
growth charts, as well as age-and weight-specific dose range checking. 
The 10 clinical priorities selected by ONC rightly recognize many of 
the key clinical priorities for pediatric patients, including factors 
that research has shown contribute to patient safety problems. However, 
ONC should build on the provisions in its regulations to further 
improve the usability and safety of EHRs. Specifically, ONC could take 
concrete steps to tailor the certification program to pediatric care 
and improve patient safety:

           Involve pediatric end users. ONC currently requires 
        EHR developers to involve at least 10 end users of the system 
        in testing the system for certification. However, research 
        suggests that some health information technology developers do 
        not use appropriate end users to test their systems. \15\ ONC 
        should clarify that any EHR developer seeking certification for 
        pediatric functionalities should test the system using 
        pediatric-focused clinicians, such as pediatricians and 
        pediatric nurses. ONC could indicate, for example, that at 
        least five of the 10 end-users participating in testing have 
        pediatric expertise to obtain this certification.
---------------------------------------------------------------------------
    \15\ Raj M. Ratwani et al., ``Electronic Health Record Vendor 
Adherence to Usability Certification Requirements and Testing 
Standards,'' Journal of the American Medical Association 314, no. 10 
(2015): 1070-71, http://dx.doi.org/10.1001/jama.2015.8372.

           Use pediatric-focused scenarios. EHR developers 
        currently use different testing scenarios--which mimic real 
        clinic events and workflows--to demonstrate the functionality 
        of their systems. To obtain certification for pediatric 
        functionality, ONC should clarify that some of the testing 
        scenarios must focus on situations involving children as 
---------------------------------------------------------------------------
        patients.

           Utilize mock pediatric data. EHR developers use data 
        on mock patients to demonstrate that their technologies meet 
        ONC's certification program. ONC supplies some test data for 
        those assessments. For a pediatric-focused certification, ONC 
        should supply test data for mock pediatric patients and clarify 
        that the test data used must involve mock data of children.

    As ONC revises its approach to the voluntary certification program 
for EHRs used in the care of children, Congress should work with the 
agency to prioritize patient safety and system usability by ensuring 
that these common-sense approaches are incorporated.
   Usability Criteria in EHR Reporting Program Should Include Safety
    Through Cures, Congress also requires ONC to develop a reporting 
program to examine several different functions of EHRs, including 
system interoperability, security, usability and user-centered design. 
Findings obtained via this EHR Reporting Program, as envisioned by 
Congress, would be publicly available on ONC's website.

    Late last year, ONC began implementing this provision. The agency 
selected a contractor to administer the program, and issued an RFI to 
obtain input on what data to collect on the use and functions of EHRs. 
\16\ While the recent regulations do not implement this provision from 
Cures, ONC is expected to issue associated rulemaking in the future.
---------------------------------------------------------------------------
    \16\  Office of the National Coordinator for Health Information 
Technology, ``Request for Information Regarding the 21st Century Cures 
Act Electronic Health Record Reporting Program,'' Federal Register, 
Aug. 17, 2018, https://www.regulations.gov/document?D=HHS-ONC-2018-
0022-0001.

    In response to the RFI, organizations representing clinicians, 
health technology professionals, and hospitals--among others--urged ONC 
to incorporate safety in the usability aspects of the program, though 
importantly not as a separate category. \17\ Pew provided 
recommendations to ONC on how to collect some of this information, and 
is collaborating with MedStar Health to identify additional 
opportunities for embedding safety into the usability aspects of the 
EHR Reporting Program.
---------------------------------------------------------------------------
    \17\  Ben Moscovitch, ``Medical Groups Urge Federal Government to 
Strengthen Health IT Usability, Safety,'' Dec. 11, 2018, https://
www.pewtrusts.org/en/research-and-analysis/articles/2018/12/11/medical-
groups-urge-Federal-government-to-strengthen-health-it-usability-
safety.

    Congress has provided ONC a prime opportunity to improve the 
usability--and consequently, safety--of EHRs. As ONC implements this 
program, this Committee should work with ONC to ensure that the 
usability aspects of the EHR Reporting Program focus on the facets of 
usability that contribute to unintended patient harm.
                               Conclusion
    The bipartisan passage of Cures launched a new era for improving 
EHR interoperability and patient safety. As CMS and ONC continue their 
implementation of Cures and other policies related to health 
information technology, this Committee can play an important role in 
the coming months by ensuring that these agencies carry out the goals 
expressed by Congress. Specifically, this Committee can conduct 
oversight in several key areas:

          Support ONC's efforts to require secure, standard API 
        access to a wide range of health data, including clinical 
        notes;

          Address the gap between Congress' requirements in the 
        21st Century Cures Act and ONC's current proposal to advance 
        the release of more data--including all EHI--via APIs;

          Advance the addition of device identifiers to claims;

          Encourage ONC to address patient matching through the 
        use of the USPS standard for address and the incorporation of 
        additional demographic data elements in the USCDI;

          Press ONC to focus on addressing the risks to patient 
        safety as part of the voluntary criteria for EHRs used in the 
        care of children; and

          Urge ONC to embed safety in the usability aspects of 
        the EHR Reporting Program.

    By taking these steps in the coming months, Congress can provide 
patients and clinicians with better access to health data, reduce 
medical errors associated with the use of EHRs, and continue to ensure 
that the potential of the 21st Century Cures Act is fully realized on 
behalf of patients and clinicians across the country.

    Thank you for holding this hearing today, and for your bipartisan 
commitment to improving the interoperability, usability and safety of 
electronic health records. I look forward to answering any questions 
you may have.
                                 ______
                                 
                 [summary statement of ben moscovitch]
    Electronic health records (EHRs) have revolutionized how clinicians 
deliver care by equipping them with better tools to document patients' 
health status, safely prescribe medications, and otherwise order health 
care interventions. And, these tools have the potential to make it 
easier for patients and clinicians to have more complete and robust 
data to coordinate care across health settings.

    Seeking to build on the improvements spurred on by the digitization 
of paper records, Congress recognized that gaps remain in realizing the 
full potential of EHRs to give patients their data, make care more 
efficient, and enhance patient safety. The 21st Century Cures Act 
(Cures) marked an important step toward addressing these gaps by 
optimizing the use of these technologies and addressing barriers to 
both the effective exchange of health data, known as interoperability, 
and the usability of these systems.

    My testimony will focus on three key aspects of the recently 
proposed rules from the Office of the National Coordinator for Health 
Information Technology (ONC) and the Centers for Medicare & Medicaid 
Services (CMS) published earlier this month that address Congress' 
vision to improve the interoperability of health data and effective use 
of EHRs. Specifically, I will focus on:

          provisions enabling easier extraction and use of 
        health data from EHRs via application programming interfaces 
        (APIs), which enable different technologies to communicate;

          needed enhancements to better match patient records 
        across different health care providers; and

          necessary improvements to the usability of EHR 
        systems to address design and implementation factors that can 
        both introduce burdens on clinicians and contribute to medical 
        errors.

    As CMS and ONC continue their implementation of Cures, this 
Committee has an opportunity to ensure that these agencies carry out 
the goals expressed by Congress. Specifically, this Committee can 
conduct oversight in several key areas:

          support ONC's efforts to require secure, standard API 
        access to a wide range of health data;

          advance the addition of device identifiers to claims;
          encourage ONC to address patient matching through the 
        use of the better standards for address and exchange of 
        additional demographic data elements;

          press ONC to focus on addressing the risks to patient 
        safety as part of the voluntary criteria for EHRs used in the 
        care of children; and

          urge ONC to embed safety in the usability aspects of 
        the EHR Reporting Program establish by Cures.

    By taking these steps in the coming months, Congress can provide 
patients and clinicians with better access to health data, reduce 
medical errors associated with the use of EHRs, and continue to ensure 
that the potential of the 21st Century Cures Act is fully realized for 
patients and clinicians across the country.
                                 ______
                                 
    The Chairman. Thank you, Mr. Moscovitch.
    Ms. Savage, welcome.

     STATEMENT OF LUCIA C. SAVAGE, J.D., CHIEF PRIVACY AND 
   REGULATORY OFFICER, OMADA HEALTH, INC., SAN FRANCISCO, CA

    Ms. Savage. Chairman Alexander, Ranking Member Murray, and 
the entire Committee, thank you for the opportunity to speak 
with you today.
    From October 2014 through January 2017, I served as Chief 
Privacy Officer at ONC. I was the senior advisor for efforts to 
enable patients to get their health information through apps, 
and I provided technical assistance as you were drafting 21st 
Century Cures. After leaving ONC, I joined Omada Health, a 
late-stage, privately held healthcare company that focuses on 
chronic disease prevention and management, as well as 
supporting people with anxiety and depression. We utilize a 
secure digital communications platform to connect individuals 
to professional health coaches--no robots here. In the process, 
our participants share their health information just like they 
would with any other provider. We analyze that information in 
real time using proprietary data science and we feed actionable 
insights back to the individual and his or her health coach in 
real time on a secure app. The result is health care services 
that scale quickly and leverage those individual insights at 
the population health level.
    One of my duties at Omada is to oversee its operations as a 
health care service provider and covered entity under HIPAA. In 
other words, we are just like a doctor's office under Federal 
law. That means that for our business, all of the HIPAA 
privacy, security, and breach notification rules apply. ONC 
proposes some bold reforms that could significantly impact the 
way facts are shared and that should foster innovation. Among 
the most impactful things they propose is that information 
blocking rules apply to business-to-business transactions. This 
is a logical and necessary next step to achieving the vision of 
an innovative healthcare system where health facts can flow 
appropriately and securely to benefit patients.
    Included in my supplemental remarks is an article published 
yesterday by the American Bar Association Antitrust Law Journal 
where professors Martin Gaynor, Julia Adler-Milstein, and I 
examine the anti-competitive effects of B2B health information 
exchange absent ONC's rule. There are, however, three areas 
where ONC could push its vision more aggressively or the agency 
may want to consider unintended consequences of its rulemaking.
    First, the ONC rule does strike a good balance on privacy 
and security. It has appropriate exceptions for privacy 
promises made to individuals, for state or Federal laws, for 
securing one's own system, for system maintenance, and for 
safety. However, the rule proposes ongoing deference to 
organizational policies that might be at odds with 
democratically developed privacy laws that support 
interoperability. I encourage ONC to consider a transition or 
sunset period, during which institutions have time to adapt to 
app-enabled health information exchange, and to eliminate 
organizational policies that block appropriate flow of health 
facts.
    Second, 21st Century Cures applies the prohibition against 
information blocking to developers of health information 
technology. However, the ONC proposal applies that only to a 
subset or certified health information technology, primarily 
certified EHRs. This limitation leaves out many types of health 
information technology where individuals' health facts are 
collected. For example, the proposed rule does not reach to 
health information technology in the emerging world of 
connected devices or software as a medical device, and it seems 
to omit any non-certified EHR, such as a lab or pharmacy 
electronic record system that is not certified.
    Third, ONC proposes to allow technology developers to 
license interoperability elements. Licenses must not be so 
expensive or so restricted as to interfere with or stifle 
innovation, or create barriers to new entrance. As ONC 
finalizes the concept of interoperability elements it is 
critical that it clarify that the health facts within that 
software are never to be licensed. Omada made this point in our 
recent proposal response to the RFI from the Office for Civil 
Rights, and I have included those comments in my supplemental 
materials.
    Finally, I applaud CMS's efforts to ensure that people have 
the same app-enabled access to their health facts from health 
plans as they do from providers. CMS expects that common 
consumer tools like laptops, smartphones, and apps will be used 
throughout the healthcare system. In the health care startup 
world, we use these common consumer tools every day to connect 
with and deliver valuable health care services to individuals.
    We are excited to have the barriers to interoperability 
fall, and we look forward to a time when the barriers fall for 
us to be paid for efficacious health care services with these 
common consumer tools.
    Thanks again for the opportunity to testify and I look 
forward to answering your questions.
    [The prepared statement of Ms. Savage follows:]

                 PREPARED STATEMENT OF LUCIA C. SAVAGE
                 
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                 
                 

                  [summary statement of lucia savage]
    Lucia C. Savage, JD, is Chief Privacy and Regulatory Officer at 
Omada Health. From October 2014 to January 2017 she served as Chief 
Privacy Officer at the Office of the National Coordinator for Health IT 
(ONC). At ONC, Ms. Savage was the senior privacy advisor on an 
individual's rights to get their own health data electronically and by 
app. She also provided technical assistance in drafting the health 
information technology provisions of Cures.

    Her current employer, Omada Health, is a late-stage, privately-held 
health care company focused on chronic disease prevention and 
management, as well as supporting those dealing with anxiety and 
depression. Omada utilizes a secure digital communications platform to 
connect individuals to professional coaches. In the process, its 
participants share their health information, just as they would with 
any healthcare provider. Omada is a health care provider and a covered 
entity under HIPAA, legally just like a doctor's office. The HIPAA 
Privacy, Security and Breach Notification rules apply to Omada.

    Ms Savage will testify that:

          While the ONC rule strikes a good balance on privacy 
        and security, the rule proposes ongoing deference to 
        organizational policies that might be at odds with privacy laws 
        that support interoperability. Rather than deference, a 
        transition or sunset period might be appropriate for 
        organizational policies.

          The prohibition against information blocking should 
        apply more widely to ``health information technology'' (a term 
        defined in 21st Century Cures), and not just to certified EHR 
        developers. A more expansive reach will more effectively and 
        quickly assure that individuals can get and use their health 
        facts wherever they are collected in the healthcare system.

          ONC should clarify its proposal on licensing 
        ``interoperability elements'' to ensure that an individual's 
        health facts are never subjected to such licenses, and that the 
        licenses themselves are not so strict or expensive as to 
        inhibit innovation.

          Omada is fully committed to interoperable exchange of 
        health facts, and sees the full implementation of these rules 
        as an opportunity for growth, even if it means that Omada, 
        which is not currently a provider type proposed to be covered 
        by the rule, is in scope for the rule's reach.

          CMS timely proposes to require health plans to make 
        individuals' health facts available from plans on the same 
        conditions as those facts are available from providers. This 
        proposal, if finalized will ensure consumers can continue to 
        use everyday consumer tools, like laptops, smartphones and apps 
        to get care and manage their health.
                                 ______
                                 
    The Chairman. Thank you, Ms. Savage.
    Dr. Rehm, welcome.

STATEMENT OF CHRISTOPHER REHM, M.D., CHIEF MEDICAL INFORMATICS 
            OFFICER, LIFEPOINT HEALTH, BRENTWOOD, TN

    Dr. Rehm. Thank you very much. Chairman Alexander, Ranking 
Member Murray, and Members of the Senate HELP Committee, thank 
you for the opportunity to testify before you today.
    As Chairman Alexander stated, I am the Chief Medical 
Informatics Officer at LifePoint Health. And LifePoint Health 
is a provider organization that provides care in over 89 
communities in 30 states across the United States. Our clinical 
technology environment consists of over 20 distinct inpatient 
and ambulatory EHRs, and countless vendor partners providing 
departmental and point solutions. It takes a tremendous amount 
of effort for our team to build, configure, and tie together 
these systems so that our medical teams are set up for success 
to provide safe, efficient, high quality care to every patient 
we see in the communities that we serve. Despite our best 
efforts, our providers and patients are impacted by the lack of 
interoperability daily.
    The desire to make electronic health information freely 
available spans the political spectrum and has been a long-
standing goal of both patients and medical teams. I am here 
today as a healthcare provider, someone who has taken care of 
patients, and supports others who take care of patients. I love 
my work and my colleagues love their work, but this is hard. 
The lack of interoperability associated with our medical 
technology, some of it related to the technology itself, some 
of it related to the regulations that apply to this technology, 
make it harder to do our job. Electronic medical records, 
medical devices, and patient monitors are supposed to help us 
be better caregivers. Instead these technologies frequently add 
to the complexity and burden that we feel.
    Today, I will touch on some of the causes and offer 
suggested solutions to lessen the provider burden and move 
toward the interoperable future that we all desire. First, 
providers do not build these technologies. We purchase them 
from vendors. It is commonplace that vendors develop products 
that do not interoperate. Many vendors release products that 
meet minimum standards for ONC certified technology. Their 
contracts do not cover the maintenance for updating them when 
new regulations come about. It is up to the provider 
organizations to cover the cost and the burden of implementing 
these add-ons to cover new regulations.
    In addition to being costly, upgrades take time. Where we 
are often given 6 months to comply with CMS regulations, it can 
take up to 12 months for a provider organization to review, 
configure, test, train all of our end users, and deploy 
numerous vendor technologies, ensuring that we do not break 
hundreds of existing custom interfaces that are already in 
place. We applaud the ONC proposal to require health IT vendors 
demonstrating that their products are usable for patients and 
providers in a real-world environment. We need our health care 
technology and software systems to work in real life settings 
in concert with other vendor technologies if we expect to meet 
the needs of patients and providers now and in the future.
    Second, where the HITECH Act catalyze the new from paper to 
digital records via provider-based incentives and penalties, 
unfortunately it did not address or create the underlined 
infrastructure of interoperability to enable data liquidity 
across technologies. Provider organizations have been left to 
bridge the gap with interface engines, workarounds, and manual 
processes with varying degrees of success and reliability. This 
lack of infrastructure is troublesome for a number of reasons, 
from privacy and security challenges to the ability of 
providers to seamlessly send and receive data. For example, the 
CMS proposed rule would require hospitals to send electronic 
notifications when a patient is admitted, discharged, or 
transferred as part of the conditions of participation.
    In order to comply with the condition of participation, 
providers must clearly understand the requirement and the 
objective compliance measure. This proposal lacks both of those 
elements, which is concerning given the tremendous penalties 
hospitals face for failing to comply with conditions of 
participation. Instead, I encourage the administration to focus 
on its current activities to improve interoperability, such as 
continuing to advance the goals of the Trusted Exchange 
Framework and Common Agreement, known as TEFCA, and vendor 
accountability for the products that they develop. Another 
victim of this lack of infrastructure is patient-provider trust 
that data will be secure and used appropriately. The proposals 
both envision that unvetted third-party applications will be 
accessing patient electronic health data via open APIs.
    Personally, I like the idea of controlling my own data, but 
the truth is the vast majority of us, me included, do not read 
the entire terms of use agreement on every app or website that 
we enroll in. We believe our data is more private and secure 
than it actually is. The entrance of non-health care actors 
into the healthcare market, particularly those that fall 
outside of HIPAA requirements, necessitates strong principles 
of trust and security. One approach that supports innovation 
and provides the needed safeguards to govern personal 
electronic health data is an industry backed process to 
independently vet these applications to ensure they meet all 
relevant security standards, use data appropriately and in line 
with consumer expectations, and for those applications that 
offer medical advice, is the advice clinically sound?
    In closing, Government policies must allow digital health 
information to be exchanged in a way that protects and 
prioritizes the health interests of individuals and the health 
systems and clinicians who care for them. In this technological 
age, it is important we all remember that deployment of health 
information technology, interoperability, data exchange, and 
security are all in service of delivering the highest quality 
care. It is not about the technology. It is about the patients, 
their care, and their outcomes.
    Thank you for the opportunity to speak today. I have 
additional information on these topics in my written testimony 
I hope you will also consider.
    [The prepared statement of Dr. Rehm follows:]
                 prepared statement of christopher rehm
    Chairman Alexander, Ranking Member Murray, and Members of the 
Senate HELP Committee, thank you for the opportunity to testify before 
you today. It is an honor to be invited to participate in today's 
discussion.

    My name is Christopher Rehm. I am a physician and the Chief Medical 
Informatics Officer at LifePoint Health. LifePoint Health is a provider 
organization that delivers Acute, Emergency, Post-Acute and Outpatient 
care for over 85 communities in 30 states. Our clinical technology 
environment consists of 10 different Inpatient electronic health 
records (EHRs), greater than 10 Ambulatory EHRs, and countless vendor 
partners providing departmental, ancillary and point solutions. My team 
and I work with our hospitals and providers to build, configure and tie 
together these systems so that our providers are set up for success to 
provide safe, efficient, high quality care to each and every patient we 
see in the communities we serve.

    The desire to make electronic health information freely available 
spans the political spectrum and has been a long-standing goal of 
patients and those who care for them. These proposed rules represent an 
important step in our journey to achieve the ultimate aims of a truly 
person-centric health care delivery system. I applaud this Committee 
and Federal health agencies for recognizing the need to improve 
existing regulations to keep pace with evolving technologies and 
innovations. I support the ability of patients to have access to their 
health information and understand that the future health of our 
population and the sustainability of our industry depends upon the 
timely, efficient movement of data.

    There are several ways that we can choose to navigate toward this 
future state. The new Centers for Medicare & Medicaid Services (CMS) 
and Office of the National Coordinator for Health Information 
Technology (ONC) rules represent the interpretation of the great work 
that this Committee did on the 21st Century Cures Act. And we support 
the general direction of the rules. Having said that, if we do not take 
time to consider how these new rules may affect certain stakeholders in 
the health care ecosystem, especially providers and patients, the 
decisions that we make today may have unintended consequences for years 
to come.
          Cost and Regulatory Burden of Health IT on Providers
    I am here today as a health care provider--someone who has taken 
care of patients and oversees others who take care of patients. I love 
my work because there is no other place or profession where people are 
so consistently caring and devoted to alleviating human suffering 
caused by disease. But many of the forces facing hospitals, doctors, 
nurses and patients make it really hard to do the job well.

    Some of the most stifling forces are those imposed by our 
technology and the regulatory policies that govern them. Electronic 
medical records, devices, diagnostics, monitors--these are all things 
that are supposed to augment our practice, to help us be better 
caregivers. Instead, our technology only adds to the complexity and 
burden that we feel. Part of the problem is that there is no 
underpinning that supports a system-of-systems for technology in the 
health care industry. No one has established the rules of the road for 
data exchange, like industries such as banking, aviation, cable, 
telecom and others did decades ago. Vendors develop products and 
services that do not interoperate. In order to support some level of 
communication across systems, the market has created even more products 
and services--like integration and interface engines--that help to glue 
together these proprietary technologies. But it is up to the providers 
to bear the burden and cost of implementing and integrating all of 
these separate pieces, and it doesn't stop once we have bought them.

    Many vendors release products that meet minimum viability standards 
for ONC certified technology, but their service contracts do not 
include the cost of maintaining and updating them to remain compliant 
with new regulations. Coming into compliance with new or updated 
regulations generally involves upgrading the EHR or device to modify 
how information is documented, collected and reported. \1\ The average-
sized community hospital (161 beds) spends nearly $760,000 annually on 
information technology investments needed to support compliance with 
Federal regulations. \2\ These IT changes and associated costs are 
crushing our industry where margins are already thin.
---------------------------------------------------------------------------
    \1\  Assessing the Regulatory Burden on Health Systems, Hospitals 
and Post-acute Care Providers. American Hospital Association. February 
2018.
    \2\  Assessing the Regulatory Burden on Health Systems, Hospitals 
and Post-acute Care Providers. American Hospital Association. February 
2018.

    Additionally, these upgrades take time. Six months is simply not 
enough time for a provider organization to review, build, configure, 
test, train and deploy numerous vendor technologies following new 
releases to be ready to meet the regulatory deadlines for reporting 
under the CMS programs. IT product design, testing and implementation 
requires lead time, particularly when it involves a vendor. Time frames 
for implementation and updates need to be adjusted to reflect what is 
reasonable and acceptable, for instance, 12 months after a Generally 
---------------------------------------------------------------------------
Available release date from a vendor.

    We applaud the ONC proposal to require health IT vendors to 
demonstrate that their products are usable to patients and providers in 
a real-world environment. Any solution can work in a vacuum. We need 
our health care technology and software systems to work in real life 
settings and in concert with many other vendor technologies if we 
expect them to meet the needs of patients and providers now and in the 
future.

    While the HITECH Act catalyzed the move from paper to digital 
records via incentives and penalties on health care providers, it did 
not, unfortunately, address or create an underlying infrastructure of 
interoperability to enable data liquidity among technologies. Think 
about this for moment: it is the equivalent of telling people they must 
buy cars and move those cars from place to place, but there are no 
roads and no agreed upon design for the roads, let alone the funding to 
actually pay for the construction. In the case of EHRs, it is the 
provider organizations who have been left to bridge the gap with 
everything from integration and interface engines, to workarounds that 
lead to significant ``clicks'' for clinicians, to even a combination of 
electronic and manual processes.

    Health care providers are trying hard to persist in their 
dedication, but the increasing pressure of having to do more with less 
weighs heavily on these well-meaning people. Atul Gawande's November 
2018 article was aptly titled ``Why Doctors Hate Their Computers,'' \3\ 
and a joint Fortune and Kaiser Health News article just last week 
highlighted and astounding average of 4,000 clicks per shift for an 
emergency room doctor. \4\ Clinicians need our support, encouragement, 
and appreciation for the value they bring to patients and to society.
---------------------------------------------------------------------------
    \3\  Atul Gawande, Why Doctors Hate Their Computers, The New Yorker 
(Nov. 12, 2018), https://www.newyorker.com/magazine/2018/11/12/why-
doctors-hate-their-computers.
    \4\  Erika Fry and Fred Schulte, Death by a Thousand Clicks: Where 
Electronic Health Records Went Wrong, Fortune and Kaiser Health News 
(Mar. 18, 2019), http://fortune.com/longform/medical-records/.

    As a health care provider, I support the ability of patients to 
have access to their health information and the sharing of information 
across disparate technologies, systems, and providers. The CMS proposed 
rule would require, as part of the Medicare Conditions of Participation 
(CoPs), hospitals to send electronic notifications when a patient is 
admitted, discharged, or transferred. Hospitals would be required to 
send these notifications to other facilities, providers, or community 
care providers with an established patient relationship who the 
hospital has reasonable certainty will receive the notifications. While 
I support this idea directionally--and look forward to achieving this 
level of information sharing--this is unfortunately putting the cart 
before the horse. It sounds like it would be simple to implement, but 
there are numerous unanswered questions and operational considerations. 
For example, not all EHRs can generate these messages--and this 
functionality is not required of vendors under the ONC certification 
rules. And if a provider is not connected to a health information 
exchange or similar network, of which the most advanced ones are quite 
costly, it is an enormous undertaking--in both time and money--to 
---------------------------------------------------------------------------
connect to these other providers and facilities individually.

    In order to comply with a CoP, providers must clearly understand 
what it is they must do and how they will be surveyed and judged to 
determine compliance. This proposal lacks both of those elements, which 
is concerning given the tremendous penalties hospitals face for failing 
to comply with CoPs, including termination from the Medicare program. 
Instead, I encourage the administration to focus on its current 
activities to improve interoperability, such as continuing to advance 
the goals of the Trusted Exchange Framework and Common Agreement 
(TEFCA), as well as its proposals in this rule to further ensure 
vendors are accountable for the products they develop. The 
responsibility for interoperability cannot and should not be borne 
solely by providers, and there are plenty of things that vendors, 
business associates, plans and other organizations can and should be 
expected to do and contribute.
                      Patient Privacy and Security
    It is clear that Congress and this administration are committed to 
solving the issue of interoperability and achieving complete patient 
access in the U.S. health care system. So far, the administration is 
relying on third party apps and the private market to solve these 
problems. The rules state that they wish to ``enable patients to access 
their health information electronically . . . to make the data 
available through an application programming interface [API] to which 
third party software applications connect to make the data available to 
patients.'' \5\
---------------------------------------------------------------------------
    \5\  84 Fed. Reg. 7610, 7612 (Mar. 4, 2019).

    Providing unvetted third party applications fairly open access to 
patient digital health data concerns me as both a clinician and a 
consumer. I am well-aware of the argument that it is the patient's 
prerogative to specify where and to whom their data goes. Personally, I 
like the idea of controlling my own data. But reality does not always 
align with our ideas, particularly when it comes to our personal 
information--whether health-related, financial, or even demographic. 
The truth is that the vast majority of us, myself included, do not read 
the entire ``terms of use'' agreement on every app or website that has 
some of our personal information, and we often mistakenly believe our 
---------------------------------------------------------------------------
data is more private or more secure than it actually is.

    While it may be tempting to allow access to personal digital health 
information for any and all entities who claim to operate under the 
banner of ``promoting care coordination,'' we would be wise to take a 
lesson from the consumer data privacy events of the past few years. 
Millions of individuals were surprised and angry to learn how Facebook 
was using and selling their data, while other consumers weren't even 
aware that all their financial information is funneled through three to 
four major credit bureaus, two of which experienced major breaches in 
the last few years.

    Digital data is the currency of the modern technology ecosystem and 
marketplace. There are fortunes to be made in mining and monetizing 
your personal digital health data. New rules and processes that govern 
and protect digital health data must be sensitive to the reality that 
not all covered entities, business associates, and third parties are 
created equal. Particularly with regard to entities that fall outside 
of the HIPAA requirements, it is imperative that patients, their 
families, providers, and consumers can trust that these applications--
and the data both sent to and received from them--are secure, private, 
and clinically sound.

    The vision for the future is one in which a patient's data flows 
between her/his care providers, the patient and her/his providers, and 
between the patient's personal electronic device and the provider.

    That vision presupposes that data is vetted, clinically sound and 
comes from a trusted source. The reality is that neither clinicians nor 
patients have the ability to validate that it is trusted data.
                         A Trust-Based Approach
    I believe there are ways to support the innovation coming from the 
external marketplace while providing the needed safeguards to govern 
personal digital health data. The entrance of non-health care actors 
into the health care market--particularly those that fall outside of 
the HIPAA requirements--necessitates strong principles for trust and 
security. One such idea is an industry-backed trust platform technology 
architecture, supported by an appropriate governance model.

    This is a wide-ranging solution that would encompass all health-
related digital information on a single platform architecture. In the 
meantime, I also encourage a smaller scale solution to address privacy, 
security, and clinical efficacy of third-party applications, 
specifically an industry-backed process to independently vet these 
applications to ensure they are meeting all relevant security 
standards; are using data appropriately and in line with consumer 
expectations; and, for those applications that offer medical advice, 
are clinically sound. Such a process will go a long way toward ensuring 
trust while removing the burden of this process from consumers and 
providers.
                       What Federal Policy Can Do
    Policymakers must strike a balance between their desire to make 
personal digital health information available and the burdens that 
these requirements place on health systems under proposed timelines. 
Government policies must allow digital health information to be 
exchanged in a way that protects and prioritizes the interests of 
individuals--and the health systems and clinicians who care for them--
while allowing the marketplace to innovate and interact in a 
responsible and controlled way.

    In this technological age, it is important we all remember that the 
deployment of health information technology, interoperability, data 
exchange, privacy and security are all in service of patients receiving 
and providers delivering the safest, highest quality care. It is not 
about the technology; it is about patients, their care, and their 
outcomes.
                                 ______
                                 
                [summary statement of christopher rehm]
    Chairman Alexander, Ranking Member Murray, and Members of the 
Senate HELP Committee, thank you for the opportunity to testify before 
you today.

    My name is Christopher Rehm. I am a physician and the Chief Medical 
Informatics Officer at LifePoint Health. LifePoint Health is a provider 
organization that delivers Acute, Emergency, Post-Acute and Outpatient 
care for over 85 communities in 30 states. Our clinical technology 
environment consists of 10 different Inpatient EHR's, greater than 10 
Ambulatory EHR's, and countless vendor partners providing departmental, 
ancillary and point solutions. My team and I work with our hospitals 
and providers to build, configure and tie together these systems so 
that our providers are set up for success to provide safe, efficient, 
high quality care to each and every patient we see in the communities 
we serve.

    The desire to make electronic health information freely available 
spans the political spectrum and has been a long-standing goal of both 
patients and medical teams. I am here today as a health care provider--
someone who has taken care of patients and supports others who take 
care of patients. I love my work--and my colleagues love their work. 
But sometimes health IT and the regulatory policies that govern them 
are stifling and make it harder to do our job. Electronic medical 
records, medical devices, and patient monitors are supposed to help us 
be better caregivers. Instead, these technologies frequently add to the 
complexity and burden that we feel. I will touch on some of these 
causes today as well as offer suggested solutions to help alleviate a 
portion of this burden to support providers as we move toward the 
interoperable future we all desire.

    First, providers do not build these technologies; we purchase them 
from vendors. I have frequently found, however, that vendors develop 
products and services that do not interoperate. Many vendors release 
products that meet minimum standards for ONC certified technology, and 
their contracts do not include the cost of maintaining and updating 
them to remain compliant with new regulations. It is up to the 
providers to bear the burden and cost of implementing and integrating 
these separate pieces.

    In addition to being costly, upgrades take time. While we are often 
given 6 months to comply with CMS regulations, it can take up to 12 
months for a provider organization to review, configure, test, train 
and deploy numerous vendor technologies, ensuring we did not break 
hundreds of custom interfaces, following new releases.

    We applaud the ONC proposal to require health IT vendors to 
demonstrate that their products are usable for patients and providers 
in a real-world environment. We need our healthcare technology and 
software systems to work in real life settings and in concert with many 
other vendor technologies if we expect to meet the needs of patients 
and providers now and in the future.

    Second, while the HITECH Act catalyzed the move from paper to 
digital records via provider-based incentives and penalties, it did 
not, unfortunately, address or create an underlying infrastructure of 
interoperability to enable data liquidity across technologies. Provider 
organizations have been left to bridge the gap with interface engines, 
work arounds and manual processes--with varying degrees of success.

    This lack of infrastructure is troublesome for a number of 
reasons--from privacy and security challenges to the ability of 
providers across the country to send and receive data. For example, the 
CMS proposed rule would require hospitals to send electronic 
notifications when a patient is admitted, discharged, or transferred as 
part of the Conditions of Participation (CoPs).

    In order to comply with a CoP, providers must clearly understand 
the requirement and the objective compliance measure. This proposal 
lacks both of those elements, which is concerning given the tremendous 
penalties hospitals face for failing to comply with CoPs, including 
termination from the Medicare program. Instead, I encourage the 
administration to focus on its current activities to improve 
interoperability, such as continuing to advance the goals of the 
Trusted Exchange Framework and Common Agreement (TEFCA) and vendor 
accountability for the products they develop.

    Another victim of this lack of infrastructure is patient and 
provider trust that data will be secure and used appropriately. The 
proposals envision unvetted third party application access to patient 
digital health data via open API's. Personally, I like the idea of 
controlling my own data. But the truth is that the vast majority of us, 
me included, do not read the entire ``terms of use'' agreement on every 
app or website, and we believe our data is more private or more secure 
than it actually is.

    I believe there are ways to both support the innovation coming from 
the external marketplace while providing the needed safeguards to 
govern personal digital health data. The entrance of non-healthcare 
actors into the healthcare market--particularly those that fall outside 
of the HIPAA requirements--necessitates strong principles for trust and 
security. One idea is an industry-backed process to independently vet 
these applications to ensure they meet all relevant security standards; 
use data appropriately and in line with consumer expectations; and, for 
those applications that offer medical advice, are clinically sound.

    Government policies must allow digital health information to be 
exchanged in a way that protects and prioritizes the health interests 
of individuals--and the health systems and clinicians who care for 
them--while allowing the marketplace to innovate and interact in a 
responsible and controlled way.

    In this technological age, it is important we all remember that 
deployment of health information technology, interoperability, data 
exchange, privacy and security are all in service of delivering the 
highest quality care. It is not about the technology; it is about the 
patients, their care and their outcomes.

    Thank you for the opportunity to speak to the Committee today. I 
have additional information on these topics in my written testimony 
that I hope you will also consider.
                                 ______
                                 
    The Chairman. Thank you, Dr. Rehm.
    Ms. Grealy, welcome.

     STATEMENT OF MARY GREALY, J.D., PRESIDENT, HEALTHCARE 
               LEADERSHIP COUNCIL, WASHINGTON, DC

    Ms. Grealy. Excuse my laryngitis, please. Chairman 
Alexander, Ranking Member Murray, and Members of the Senate 
HELP Committee, thank you for inviting the Healthcare 
Leadership Council to testify before you today.
    HLC is a coalition of Chief Executives from all disciplines 
within American healthcare. It provides a forum for the 
Nation's health care leaders to work together toward their 
vision of a 21st century healthcare system that makes 
affordable, high-quality care accessible to all Americans. 
Members of HLC, hospitals, academic health centers, health 
plans, pharmaceutical companies, medical device manufacturers, 
laboratories, biotech firms, health product distributors, post-
acute care providers, and information technology companies, 
advocate for measures to increase the quality and efficiency of 
health care through a patient-centered approach.
    The members of HLC are saying that the time is here, the 
time is now, to achieve full nationwide interoperability of 
health information and to have secure, seamless access to data 
for clinicians, patients, and health care consumers. Today, I 
am pleased to present to you a significant project undertaken 
by HLC with the Bipartisan Policy Center, two organizations 
that between us represent many of the major companies that 
purchase healthcare, pay for healthcare, provide healthcare, 
and deliver access to the data that drives quality health care.
    Despite all the progress we have seen in health care moving 
into the digital age with more providers utilizing electronic 
health records and more consumers able to get health 
information on our smartphones, everyone in this room knows 
that we still have a long way to go. Today, we do not interact 
with just one family physician. We as patients interact with 
primary care doctors, specialists, hospitals, clinical labs, 
pharmacies, insurers, and more, yet these entities often do not 
talk to each other electronically. And if we are to reach our 
goal of a healthcare system that provides high-quality, 
patient-centered care, interoperability is not simply 
desirable, it is absolutely necessary.
    HLC and the Bipartisan Policy Center set out to determine 
what needs to be done to achieve nationwide health data 
interoperability. We engaged the University of California at 
San Francisco to interview dozens of experts from multiple 
health care sectors and the Government. What we learned in 
these interviews led to the recommendations and our call to 
action that we provided as an attachment in our written 
testimony. There are a couple of exciting aspects to this 
project and the proposals that emerged from it that I would 
like to highlight for the Committee. It is significant that 
leaders from the private sector across the entire health care 
continuum have come together and agreed upon mechanisms to 
accelerate nationwide interoperability. And this is not just a 
matter of telling Government what it should be doing, but 
rather these private-sector entities are placing the 
responsibility among themselves and upon themselves, pledging 
action and embracing accountability.
    Thus, you see us calling for collaboration between 
healthcare payers and providers to use payment incentives to 
drive adoption of baseline interoperability expectations. And a 
call for providers to work with electronic health record 
companies and software developers in incorporating these same 
expectations into their business contracts. We are calling for 
common standards to be utilized to improve patient matching, 
and we are calling for the rapid adoption and implementation of 
open standards-based APIs. These just touch the surface of the 
recommendations you will see in the report.
    We are pleased that the leaders in the public sector 
stepped forward with the proposed Federal rules we are 
discussing today on data access and interoperability, and we 
see a great deal of alignment in these rules with what we are 
offering in our report. We applaud the efforts of ONC and CMS 
to eliminate information blocking and ensure the consumers have 
easy access and ability to share their health information as 
they wish. These rules represent an important and perhaps 
ground breaking first step for true nationwide 
interoperability.
    I would note that both proposed rules include changes to 
how patient health information is used and shared. These rules 
incorporate new innovative products such as third-party 
applications that are not currently covered by the HIPAA 
Privacy Law. We need to ensure a thoughtful approach in how 
entities currently subject to HIPAA share information with 
these new entities to ensure the safeguarding of sensitive and 
valuable personal health information.
    Any future legislation or rulemaking that addresses the 
electronic flow of identifiable health information should 
engender the same trust as the HIPAA privacy standards have 
done for the past 20 years. Given the significant impact of 
these rules, including the strong enforcement, penalties, we 
are requesting that ONC and CMS grant a 30-day extension of the 
comment period for the proposed rules.
    Thank you for the opportunity to speak to the Committee 
today, and I look forward to discussing the comments of HLC 
members and our commitment toward advancing nationwide 
interoperability.
    [The prepared statement of Ms. Grealy follows:]
                   prepared statement of mary grealy
    Chairman Alexander, Ranking Member Murray, and Members of the 
Senate Health, Education, Labor, and Pensions (HELP) Committee, thank 
you for the opportunity to testify today.

    My name is Mary Grealy, and I am President of the Healthcare 
Leadership Council (HLC). HLC is a coalition of chief executives 
representing all disciplines within American healthcare. It is the 
exclusive forum for the Nation's healthcare leaders to jointly develop 
policies, plans, and programs to achieve their vision of a 21st century 
healthcare system that makes affordable high-quality care accessible to 
all Americans. Members of HLC--hospitals, academic health centers, 
health plans, pharmaceutical companies, medical device manufacturers, 
laboratories, biotech firms, health product distributors, post-acute 
care providers, home care providers, and information technology 
companies--advocate for measures to increase the quality and efficiency 
of healthcare through a patient-centered approach. All of these health 
sectors, and the patients they serve, are affected by and committed to 
comprehensive access to health data.

    The members of HLC are saying that the time is here, the time is 
now to achieve full nationwide interoperability of health information 
and to have secure, seamless access to data for clinicians, patients 
and healthcare consumers.

    Today, I'm pleased to present to you the results of a significant 
project undertaken by HLC with the Bipartisan Policy Center (BPC), two 
organizations that, between us, represent many of the major companies 
that purchase healthcare, pay for healthcare, provide healthcare, and 
deliver access to the data that drives quality healthcare.

    For all the progress we've seen in healthcare moving into the 
digital age--with more providers utilizing electronic health records 
and more consumers able to get health information on our smartphones--
everyone in this room knows we still have a long way to go. Today, we 
don't just interact with one family doctor. We as patients interact 
with primary care doctors, specialists, hospitals, clinical labs, 
pharmacies, insurers, and more. Yet, these entities often don't talk to 
each other electronically. And if we're to reach our goal of a 
healthcare system that provides high-value, high-quality, safe, cost-
effective, patient-centered care, interoperability is not simply 
desirable--it's necessary.

    HLC and BPC set out to determine what needs to be done to achieve 
nationwide health data interoperability. We engaged the University of 
California at San Francisco to interview dozens of experts from 
multiple healthcare sectors and the government. These interviews gave 
us an idea of the barriers that stand between the present and our 
essential future, and how to overcome them, leading to the 
recommendations we've provided as an attachment to this testimony.

    Our goals today and moving forward are clear and unwavering--we 
intend to bring information seamlessly to the point of care to support 
care delivery, and we will meet the information needs of patients and 
consumers to support their health and healthcare. There are a couple of 
exciting aspects to this project and the proposals that emerged from it 
that I want to highlight for the Committee.

    It's quite significant that leaders from the private sector--across 
the entire healthcare continuum--have come together not only to say 
that we must accelerate the movement toward nationwide 
interoperability, but they have agreed upon mechanisms by which to do 
it. And this isn't just a matter of telling government what it should 
be doing, but rather, these private sector entities are placing the 
responsibility upon themselves--pledging action and embracing 
accountability.

    Thus, you see us calling for collaboration between healthcare 
payers and providers to use payment incentives to drive adoption of 
baseline interoperability expectations, and a call for providers to 
work with electronic health record (EHR) companies and software 
developers in incorporating those same expectations into their business 
contracts.

    We're calling for common standards to be utilized to improve 
patient matching, to make certain the right patient is getting the 
right treatment at the right time, all the time. And we're calling for 
providers, EHR companies, software developers, payers and other sectors 
to pursue rapid adoption and implementation of open standards-based 
APIs. These just touch the surface of the recommendations you will see 
in the attached report.

    But the other aspect of this project that is so encouraging is that 
we are in alignment with the Federal Government and its goals in this 
area.

    We are pleased that leaders in the public sector stepped forward 
with proposed Federal rules on data access and interoperability and we 
see a great deal of agreement in these rules with what we are offering 
in our report.

    We applaud the efforts of the Office of the National Coordinator 
for Health Information (ONC) and the Centers for Medicare and Medicaid 
Services (CMS) to eliminate information blocking and ensure that 
consumers have easy access and the ability to share their health 
information as they wish. These rules represent an important, and 
perhaps groundbreaking, step toward true nationwide interoperability.

    It should be noted that both proposed rules include changes to how 
patient health information is used and shared. These rules incorporate 
new, innovative products, such as third-party applications, that are 
entering the healthcare market at a rapid pace but are not covered by 
the Health Insurance Portability and Accountability Act (HIPAA) privacy 
and security rules. We need to ensure a thoughtful approach in how 
those entities currently covered by HIPAA share information with new 
entities to ensure the safeguarding of sensitive--and valuable--
personal health information. Any future legislation or rulemaking that 
addresses the electronic flow of identifiable health information should 
engender the same trust as the HIPAA privacy standards have done for 
the past 20 years.

    Given the significant impact of these proposed rules, including 
strong enforcement and penalties, we are requesting that ONC and CMS 
grant, at a minimum, a 30-day extension of the deadline for submitting 
comments on the proposed rules. An extension would provide more 
adequate time to conduct a thoughtful analysis of the proposed rules 
and their impact, and to fully address the multiple requests for 
comments and information embedded within them.

    Thank you for the opportunity to speak to the Committee today. I 
look forward to discussing the commitment of HLC members toward 
advancing nationwide interoperability. These commitments are explicitly 
included in the HLC BPC Report on Advancing Interoperability, 
Information Sharing, and Data Access, which is included as part of my 
written testimony.
                                 ______
                                 
    The Chairman. Thank you, Ms. Grealy, and thanks to each of 
you. We will now have a round of 5 minute questions.
    We will begin with Dr. Cassidy.
    Senator Cassidy. Thank you, Mr. Chairman. I thank you all 
for being here. Raised several interesting things. Ms. Grealy, 
I just learned that in my state, the patient does not own her 
data. Does HLC have a position on whether or not the patient 
should own her data?
    Ms. Grealy. We think it is important that patients do own 
their data and that they have access to that data. And that 
really, the providers and those working with that patient 
health information, really are the stewards of that 
information.
    Senator Cassidy. Simple answer, yes. Thank you for that. 
Ms. Savage, you raised a point, I think you did, of the ability 
for the health plan--again, do I own the data that the health 
plan has? Or should I own that data?
    Ms. Savage. As you mentioned, it is really a matter of 
state law. So technically within a health plan, you may not own 
the data, but you certainly have a right to get a copy. That is 
the state of the law.
    Senator Cassidy. Let me ask, define the data. If the health 
plan is purchasing data from data brokers, not just about the 
doctor who saw me for a busted arm, but rather the data from 
the grocery store as to whether or not I am buying high 
cholesterol food, should I have the right to that data?
    Ms. Savage. You have a right to get any data that the 
health plan is using to make a medical decision about you.
    Senator Cassidy. Now, define medical decision.
    Ms. Savage. Well, it is a little bit ambiguous and so I----
    Senator Cassidy. Oh, that is what I thought.
    Ms. Savage. That is right. But I want to definitely 
distinguish is you do not have a right to get data that is 
used, for example, to calculate a measure because that is not--
--
    Senator Cassidy. To calculate a measure----
    Ms. Savage. Like a measure. Like a plan, HEDIS measure for 
how many people referred to a mammogram or something like that.
    Senator Cassidy. Got it.
    Ms. Savage. That is not about you. But if they are using 
that data to decide that you should or should not have a 
particular treatment or should or should not have a premium 
increase that is definitely within the data you should be able 
to get access to.
    Senator Cassidy. Now, you say should, implying that you 
personally think that we should, but legally do I--legally do I 
have access to that data?
    Ms. Savage. Absolutely, you legally have access to that. 
The problem is that in caring that out, obviously there is a 
lot of gaps in how people do that. That issue of individuals 
getting their own data, I think is a top five complaint at OCR.
    Senator Cassidy. Do we have a need therefore for 
standardization of how the patient would access her data and 
what exactly comprises that data so that there is not this 
variability in response?
    Ms. Savage. I think there are some great paths of 
standardization beginning to take hold. The idea of using an 
app and a standard API is one, although not all data will be 
available behind that API in the immediate future. A second is 
the Association of Health Information Management, AHIMA, is 
working on a standardized form and they are urging people to 
adopt it voluntarily so that it can be turned into an online 
form so people can use it, but it is not enough.
    Senator Cassidy. I think that my colleagues and I would be, 
and I certainly am interested, if you all have ideas as to how 
I could know if the health app that I am using does--feeding up 
to the insurance plan, that I actually have that data as well 
as that which they purchase from data brokers, which I am told 
is quite extensive.
    Ms. Savage. Right. So that is a couple of different issues, 
but in my longer testimony I refer to an article that I did 
with ten or so tips people could just adopt right now that 
would make it easier for patients and nothing prevents a health 
insurer from adopting those. I want to separate that for a 
moment from the broker purchased data because we do not know 
exactly which health plans are doing that, and second or third 
from the app you choose to use. All different things.
    Senator Cassidy. I get that. So that is my question for 
you, Dr. Rehm. So, I recently read of somebody partnering with 
somebody so that smart watches were on the wrist of the 
insured. And I thought to myself, now they know how many steps 
I am taking today and whether or not my gate becomes shuffling 
and so maybe I have the first onset of Parkinson's disease, 
right. And should that be protected, the fact that I am 
basically telling them that I may be at risk for a neurologic 
disease--by the way I do not have a neurologic disease for the 
record, that I know of.
    [Laughter.]
    Dr. Rehm. I would characterize that, as soon as that 
personal health data gets transmitted into the healthcare 
system that information should be protected so----
    Senator Cassidy. But I do not believe it necessarily 
currently is, correct?
    Dr. Rehm. Well, if that, let us say you have an EMR that 
allows you to add personal health devices to that EMR so that 
the patient that is wearing that watch or scale, for that 
instance, feeds my EMR, then that information is entered into 
the EMR and it is protected, at least in my practice.
    Senator Cassidy. Now you are speaking of the theoretical, 
but I am pressing on you, do we know that is the case?
    Dr. Rehm. Only if it answers the EMR. So, I would say we do 
not know that is the case.
    Senator Cassidy. If it goes to the health plan, and not to 
the doc, but if it goes to the health plan, is that part of the 
data that Ms. Savage referred to as being a covered entity--a 
HIPAA protected set of data or not?
    Dr. Rehm. I do not know.
    Senator Cassidy. I do not know either. Ms. Savage?
    Ms. Savage. Yes, the health plan is a covered entity under 
HIPAA just like a physician's office.
    Senator Cassidy. But is the app, the information that they 
are receiving from the app considered part of that covered 
data?
    Ms. Savage. When it flows into the covered entity's 
custody, it becomes covered by HIPAA. The second thing to 
remember is, OCR has been very clear, when the app is sponsored 
by or paid for by the covered entity, the collection by the app 
is in fact covered by HIPAA. The one place we do not, that OCR 
does not reach, is to an app that is not paid for or sponsored 
by a covered entity itself.
    Senator Cassidy. Got it. So, if I just voluntarily give. I 
am going over. Thank you, Mr. Chairman.
    The Chairman. Thank you, Senator Cassidy.
    Senator Murray.
    Senator Murray. Thank you very much. And Ms. Savage, you 
talked about the importance balance between protecting patient 
privacy and making sure patients have access to their data. I 
think that is what the Senator was going after. Let me ask a 
little differently. Do patients who share their health care 
information with third-party apps have their information 
protected under the patient privacy laws of HIPAA?
    Ms. Savage. It is going to go back to who is sponsoring 
that app. So, in the Omada context, our app is sponsored by us. 
We are a healthcare provider under HIPAA. All the HIPAA rules 
apply within the app, however, we do not stop people from 
taking whatever they want about the health information, just 
like Senator Cassidy did, and blurting it out in whatever 
context they want. And so, unless the context in which that 
blurt is received is also covered by HIPAA, it would not be 
covered.
    That might be a third party app that is not covered, that 
is covered only by the Federal Trade Commission or State 
Attorneys General, as opposed to being within kind of the 
confines of a HIPAA-covered entity and its sponsorship.
    Senator Murray. Well, what should patients know? What 
should we all know about how our data can be shared if we use 
an app that is not covered by HIPAA privacy protections? Can 
their data be sold or just goes to drug companies or 
advertisers?
    Ms. Savage. Yes. It is a very confusing place for consumers 
when in 2016 we sent a report up to Congress on this very 
thing. It is footnoted in ONC's rule, and consumers just--it is 
too much information for them to understand and it is very 
confusing for them. I think that they have the ability to rely 
pretty well on what their doctors do and how the healthcare 
system works, and those rules are very familiar, but people 
definitely feel that--think those rules apply when they do not.
    Senator Murray. Can your data be sold?
    Ms. Savage. Outside of HIPAA, yes. Within HIPAA, it cannot 
be sold in an identifiable way. There is a very specific rule 
on that.
    Senator Murray. Like to drug companies? It could be sold to 
drug companies?
    Ms. Savage. Well, if you were, if it was a third party app, 
without naming names, and any kind of social media app, of 
course.
    Senator Murray. Okay. Well, so there is a lot of potential 
for digital records, but it also comes with risks. I think that 
is pretty clear.
    Ms. Savage. Correct.
    Senator Murray. Tell us what policy recommendations would 
you make to better protect patient privacy.
    Ms. Savage. It is a very complicated area that I know many 
Senators and many of your colleagues and also House Members are 
working on, and what I think is to look at the totality of the 
fact that the digital life is no longer sliced up into economic 
sectors and we really need policies to converge.
    Whether that is things that look like HIPAA migrating 
outwards or some uniform policy that everyone can, as a 
consumer, easily understand, that would be my policy 
recommendation. And that is not an easy thing to do given our 
Federalized system but that is where I think the direction 
needs to go, is how to converge it so that it is the same and 
the expectations are the same for consumers wherever they go.
    Senator Murray. Consumers understand it better because it 
is uniform?
    Ms. Savage. Yes.
    Senator Murray. Okay. Mr. Moscovitch, open APIs are really 
an essential programming feature that allow programs to share 
information with each other, and the requirement that 
electronic health records make them available was a very high 
priority for this Committee. As you said in your testimony, 
APIs are the foundation of the modern internet. So, to ensure 
that the APIs are truly open, the Office of the National 
Coordinator for Health Information Technology proposes 
electronic health records developers publish business and 
technical documentation associated with their APIs. Talk to us 
about why that requirement is so important.
    Mr. Moscovitch. The documentation is much like an 
instruction manual for how third-party developers can request 
information and how it is formatted so they can use it. In 
other industries, that documentation is publicly available to 
spur innovation. If a technology has an API, for developers to 
use it they need that instruction manual or that documentation 
or else they do not know how to request the documentations, 
whether it is behind a paywall or some other proprietary manner 
or made public on a website and it still needs to be developed.
    Senator Murray. Is that going to impose a burden on 
electronic health-record developers in your opinion?
    Mr. Moscovitch. One thing ONC did in the regulations is 
leverage existing work that is already done through different 
standards bodies, and which many EHR developers are already 
implementing. That is through the work, the standards and FHIR 
work that ONC is doing. So, the industry is already moving in 
this direction and are already developing documentation based 
off of FHIR standards.
    Senator Murray. Okay. And quickly, Ms. Savage and I can go 
back to you. We want to make sure the Department of Health and 
Human Services takes the time to implement Cures right away, 
but if health organizations are hoarding data in order to gain 
a competitive advantage for themselves, there are real 
consequences if the Department takes too long to implement 
these policies. So, what do you think the risks are of delaying 
the prohibition on information blocking?
    Ms. Savage. Well, I cannot do an economic estimation. You 
have to go to my co-author, Martin Gaynor, on that, but I think 
that we know that there is lots of savings that have been 
documented for the little teeny bits of interoperability we 
have right now and avoided redundant costs. And that will only 
grow. And then there is the whole consumer frustration piece. 
In every part of their lives they are quickly and efficiently 
using the supercomputers in their pocket except in this.
    I cannot even estimate the increase in productivity if we 
all don't have to spend hours and hours and hours chasing down 
our records and moving them around in the system for ourselves.
    Senator Murray. Okay. Thank you. Thank you very much, Mr. 
Chairman.
    The Chairman. Thank you, Senator Murray. And Ms. Savage, 
your last comment was important to me. This all--listing this 
testimony sounds very complex, difficult, obtuse, all those 
things, but we are really talking about a very common everyday 
experience for most Americans. I mean, as we think about our 
health care records, we think on the one hand, well, I can make 
an airline reservation just like that. Two, I can order 
something over Amazon just like that, and if I want to take my 
health care records from Vanderbilt to the Mayo Clinic, the 
best thing for me to do is to go down to the bottom floor of 
the hospital with a wheelbarrow and put them all in there, and 
then pack them in a suitcase, and then fly to Minneapolis, and 
then drive to Rochester, and hand them to the doctor. So that 
is--even though each of those two institutions do not use those 
because they are leading the country really in terms of 
interoperability within their systems.
    We are well-meaning here. But I can still remember going to 
Vanderbilt to find out about electronic health care records and 
they said, Meaningful Use 1 was helpful, Meaningful Use 2 was 
Okay, Meaningful Use 3 was terrifying because as we project our 
good intentions out to the real world of hundreds of thousands 
of doctors, and thousands of hospitals, and millions of 
patients, sometimes it does not work like we hope it would. So 
that is how we got to standards that we are talking about today 
and how we got to these rules about information blockage.
    My question is about the standards. I had this great fear, 
as we were doing the 21st Century Cures bill, that if we 
required standards that somebody would write them in Washington 
and that they would be the wrong standards and they would not 
imply properly to everybody. We would just create more of an 
administrative burden and big mess than existed.
    If I am remembering it right, what we just said was you 
have to have standards. We are not going to write them for you. 
And now the rules are saying but you are going to have to use 
these standards written in the private sector so everybody can 
work together and talk with each other.
    My question is, Dr. Rehm, let me ask you, are these the 
right standards? Are we correct to insist that there be the 
same standard for everybody, and are we going too fast in 
asking doctors and hospitals to implement these rules?
    Dr. Rehm. I will start with the first one. I think we are 
headed in the right direction with being very prescriptive in 
the standard, because when the standard is broad and you leave 
it up to the industry to implement, they will take advantage of 
the breath of what is allowed in the standard, which then 
leaves the provider organization trying to do all the manual 
work in between because it is not interoperable.
    I do think being as prescriptive and precise in the 
standard and requiring people to develop to that standard will 
accelerate interoperability. And the second part of your 
question as it relates to going too fast, I think you just have 
to keep in mind that the provider side is always months behind 
when the technology is developed to cover us----
    The Chairman. What I am meaning by that is on Meaningful 
Use 3, it was my strong feeling that if we could kind of slow 
the train down a year or two, that we would get where everybody 
wanted to go more effectively than if we insisted on pushing 
it. Well there were two different views on that and maybe it 
was the train was going too fast to slow down, but I want to 
make sure that these new rules are implemented at a pace that 
gets us where we want to go but does not do it so rapidly that 
it makes it more difficult to get where we want to go.
    Dr. Rehm. Right now there is 24 months for the technology 
organizations to come alongside the final rule and implement 
whatever is in the final rule. I think that you got to add time 
to the end of that for the provider organizations to be able to 
react to whatever it is they release, because we will have to 
understand and work with whatever technology is released at the 
end of those 24 months, and the provider side will need time.
    The Chairman. Ms. Grealy, I have a little less than a 
minute. What about the standard, should we require standards? 
Are these the right standards, and is the time that the 
administration is allocating for implementing the standards 
appropriate?
    Ms. Grealy. I think there is a need for standards. I think 
your concern, and it is a concern that we share, is making sure 
that we are still allowing for innovation within those 
standards. We do not want to stifle the innovation and 
improvement, electronic records and the exchange of 
information. I think we will hear from everyone that they 
probably will want a bit more time. We are at the outset asking 
for a longer time to analyze and comment on these rules----
    The Chairman. Well, before you stop, does the proposal 
allow for innovation? I mean I have always imagined that these 
problems would be solved not by anyone here writing them, but 
by somebody showing up with a, Delta Airlines reservation 
system and then everybody is, oh, that is the way to do it, and 
they use it. Or maybe it was American, I do not remember who it 
was but that is the way it happened.
    Ms. Grealy. But I think standards like open APIs--I think 
there is just broad, deep agreement that is the way we should 
go, and the FHIR standard. So, there is a need for standards. I 
do not think we view these as stifling innovation at this 
point. We never want to be micromanaged, again, because that 
would stifle the innovation, but I think you are hearing--
everyone is committed to interoperability and we do need some 
rules of the road that we can all understand and implement.
    The Chairman. Thank you.
    Senator Baldwin.
    Senator Baldwin. Thank you, Mr. Chairman. Thank you to our 
witnesses. I hail from Wisconsin and we have a long history of 
playing a major role in technological transformation. My 
colleagues, many have heard about successful health IT 
innovations from Gundersen Health System and La Crosse from 
Marshfield Clinic, and of course Epic Systems in Verona, 
Wisconsin, which exchanges nearly 4 million records a day.
    However, our system has not yet achieved the ultimate goal 
of being fully interoperable, which is why I was proud to play 
a role on this Committee in crafting the 21st Century Cures 
Act. The proposed rules released by the administration to 
advance implementation of the 21st Century Cures Act are 
critical steps to achieving interoperability and improving 
patient access to health data. Several provisions would allow 
patients to become more engaged with their own care by 
requiring electronic health-record systems to make patient data 
available to be exported and available through third-party 
apps, as we have been discussing.
    We need to do more to empower patients, however I am 
concerned that the proposal may expose new vulnerabilities for 
patient confidentiality. Dr. Rehm, these proposals to expand 
patient data sharing through third-party applications 
potentially lead to breaches in patient privacy and security, 
and how can we best balance patient access while preserving the 
confidentiality of the physician-patient relationship in our 
fast, developing digital era?
    Dr. Rehm. Right. So, as I put in the written testimony and 
in the oral testimony, I do think that there is risk with 
third-party applications that do not necessarily--HIPAA does 
not apply to them all, potentially, in this scenario of what 
the open API--a third party app can be developed, can be 
directed toward consumers and there is nobody vetting or 
currently there is no organization that would be vetting just 
the technology infrastructure security of that application.
    At LifePoint, we have a technology review board that looks 
at applications that some of our member hospitals want to bring 
into the fold, and it is frequent that when we do a deep dive 
into that technology, we find a cybersecurity risk and so we do 
not bring that technology into our technology stack.
    We need to do something to protect the patients because if 
they are drawn to a consumer-driven app, they use it, they use 
the open API to pull their health information into that 
application, who is it that is making sure that company is 
putting the proper safeguards to keep that data secure? So, I 
think it is a risk.
    Senator Baldwin. Thank you. Mr. Moscovitch, you noted that 
the proposal requires electronic health record systems to 
ensure that all of their patient data and electronic health 
information can be exported to patients, which could include 
other information from vendors' data bases.
    I have certainly heard concerns from my constituents about 
the lack of clarity and standards in the rule concerning what 
constitutes this electronic health information. In fact, there 
is currently no standard for this broader group of data. Can 
you elaborate on this gap in existing standards and how 
requiring extraction of large, potentially undefined data sets 
may create obstacles for a vendor compliance or other risks to 
patient privacy.
    Mr. Moscovitch. Sure. The goal of that electronic health 
information provision is so that if patients want their data 
that, including it is outside of the core data elements that 
ONC wants exchange for APIs, that patients can get it. And that 
is correct for many of these data elements, that standards do 
not exist. And so, as ONC finalizes its regulations, it should 
absolutely clarify which data element, or which information 
more broadly, needs to be available to patients, and where 
possible, to do that in an easy way for patients.
    Senator Baldwin. Great. Thanks. I yield back.
    The Chairman. Thank you, Senator Baldwin.
    Senator Braun.
    Senator Braun. Thank you, Mr. Chairman. For me it is 
surprising that we have to be talking about interoperability 
and information blocking, and I think it is part and parcel of 
what is wrong with the healthcare industry in general. I know 
in my own business, which is a logistics and distribution 
business, we due to competitive pressures and transparency, 
embraced the latest, the leading edge. And here, that we are 
having to nudge the healthcare industry itself to get with it 
on these topics, it is to me, it is what is wrong with the 
healthcare industry in general, which is a lack of 
transparency.
    The industry knowing all this stuff, has been out there for 
a long time, and when it comes to, drug pricing, when it comes 
to embracing transparency to engender competition that drives 
most other industries, I think that is why we are talking about 
it. And every time I get the opportunity, I want to challenge 
the industry to get with it. To do what almost all other 
industries have done, and when you have got a leading edge of 
anything, you grab it, because if you do not, you are left in 
the dust by your competition. The cloaking and shrouding of the 
healthcare industry, mostly due to the industry itself 
embracing that rather than transparency and technology, leads 
us to this discussion.
    I, again, challenge the industry to get with it or else you 
are going to have one business partner, the Federal Government. 
Let us go back to interoperability and information blocking. 
Which of the two, and any of the panelists can weigh in on it, 
is more important leading us to this point to where we are 
dysfunctional when it comes to information sharing, and where 
should we spend the resources, if we can in some way through 
Government, help speed the process? I would like to know the 
relative importance of these two issues. So, you can start.
    Mr. Moscovitch. The Congress had a lot of foresight in the 
21st Century Cures Act in leveraging APIs, which as you 
mentioned, many other industries are already taking advantage 
of these kinds of technological tools. And ONC has implemented 
that provision also with a lot of foresight in leveraging these 
standards that are already adopted throughout the industry and 
being refined through various collaborative groups like the 
Argonaut Project, which brings technology organizations 
together to identify a refined way to implement the standard.
    Senator Braun. You sense that if we were not here today 
talking about it, the industry would be pushing forward on its 
own? And you can either answer that or not. I would love your 
opinion.
    Mr. Moscovitch. Congress certainly have accelerated the 
adoption of APIs in a meaningful way.
    Senator Braun. Thank you.
    Ms. Savage. I would like to say that is true. I think the 
nudges both from high-tech and from Cures have been crucial. 
And all you have to do is go on the right Twitter feed and you 
will see the hashtag #axethefax because everyone is still using 
faxes in healthcare. So, we need to move beyond that just like 
the rest of industry has.
    Dr. Rehm. I would just double down on that. I think the 
focus on forcing the industry, when I say industry the 
technology side for the interoperability piece because data 
blocking--some of it is just you cannot accomplish it or 
sometimes it is so costly or outside your normal workflow that 
you do not accomplish it, but if the technology was more plug-
and-play from an interoperability perspective, you would see 
data flow more freely because the providers, they want access 
to information to care for the patient. Right place, right 
time, right now. And so, the providers are pushing from their 
side, but the struggle is in the middle where time, money, and 
effort to overcome the interoperability challenges.
    Ms. Grealy. I would just underscore how welcomed these 
proposed rules are. It is not often that you see, I think, such 
great alignment between what the Government is offering here 
and what the private sector has been asking for and wants to 
work with them. But I think an area that you touched on is one 
that we really need to do more work on, and that is how do we 
create better consumer, or more consumer demand for this?
    We need to engage patients and consumers as to what should 
be available to them, how it is going to improve their health, 
and the efficiency of the healthcare system. So, I think we 
would welcome a public-private partnership type of campaign to 
really educate people on how best to use this information, and 
that they should have access to it. Just like when you change 
cell phone carriers, you do not have to get a new cell phone 
number anymore, you get to transfer that number. We should have 
that same ease of operation with electronic health information.
    Senator Braun. For consumers to be part of the process, 
which is what we did in my own company, to make it consumer-
driven, you have got to have transparency. And all I am saying, 
in the entire industry, across the board, start working on this 
stuff, doing it on your own where you do not need to be nudged 
by hearings like this because I think you will regret the 
outcome down the road if you do not start embracing what all 
the rest of us do, transparency and competition. Thank you, Mr. 
Chairman.
    The Chairman. Thank you, Senator Braun.
    Senator Rosen.
    Senator Rosen. Thank you. I would like to thank you, Mr. 
Chairman. Thank you for your testimony today. You know, I am a 
former applications programmer so a lot of this interface stuff 
is near and dear to my heart, but recent study by the Kaiser 
Family Foundation show that 88 percent of patients say their 
medical provider does use electronic medical records. That is 
up almost 50 percent from 10 years ago, but the biggest concern 
everybody has is privacy, of course. And so being a former 
applications programmer, systems analyst, this is something 
that I focus on a lot.
    What I want to ask you, Ms. Savage, is this, who in your 
view is ultimately responsible for the integrity of an 
individual's medical record? Is it the doctor, provider, 
electronic health vendor, the hospital? I mean, who? All of 
them? I mean, where does accountability ultimately lie?
    Ms. Savage. In our system, we have pieces of our record in 
the hands of various entities. When they are covered entities 
under HIPAA, each entity is responsible for what is in its 
custody. At Omada, we have we are responsible for what we have 
custody for. If we are sharing that data at a patient's request 
with their physician's office, the transom is a great visual. 
It crosses the transom, the physician takes responsibility for 
it. And that is how the current rules work.
    Similarly, outside of that sort of the system the 
individual is responsible, just like an individual is 
responsible for what they do about their own banking, or how 
they describe their children on social media, or any of those 
things.
    Senator Rosen. Now, if we consider medical devices, perhaps 
plug and play, I do not want to make the pun about your 
pacemaker perhaps, but we know that medical device does upload 
to your medical health record. And so, depending on what you 
have, now we have this open platform with many kinds of medical 
devices, many kinds of things feeding in, that can give us a 
gateway, a doorway, into the system for cyberattacks, for 
hacking, things that may ultimately change or modify your 
record. So, how are we preventing that doorway in? What are we 
doing about that? Anyone can take that question.
    Ms. Savage. I will take a first stab at it. So, FDA is very 
hard at work, certainly in helping device manufactures 
understand how they can upgrade the security of their equipment 
without having to do additional filings or changing the safety 
and functionality of that equipment. But the FDA actually does 
not enforce security standards, except on those devices, and 
the legal authority sits with OCR, who is enforcing it at the 
doctor's office or hospital office level.
    Back to what Senator Murray was asking about, as we think 
about convergence and digital life, I think the policy question 
for all the Senators is, how do we bring these things together 
and kind of thread stuff together that previously was happily 
living in distinct silos. That is not the case anymore. We do 
not want silos for individual data, and we do not want silos 
for security authority----
    Senator Rosen. What if something is wrong and you realize 
that. How does a patient--how does ``us'' as a consumer get a 
correction through all of this?
    Ms. Savage. For their data?
    Senator Rosen. Yes.
    Ms. Savage. We all have the right to ask a physician's 
office or a hospital, any record holder, to correct data, and 
then hopefully the right physician will say, oh, yes that 
correction needs to be made. I just corrected my own data 
recently with my physician. But it is a little bit of a kludgy 
process, and it could be automated. For example, if you could 
ask for a correction through logging into your secure portal, 
then your identity would be proven and it would all be 
electronic, and the physician could just make the change. I do 
not know if Dr. Rehm wants to add anything to that.
    Dr. Rehm. I was just going to add and kind of restate 
something I said earlier, which is with the open API, we are 
potentially opening up the electronic health data to a segment 
of technology that currently is not covered by HIPAA, which has 
been very prescriptive as to how we have to handle health 
information as a provider organization, or any organization 
covered by HIPAA. So, I think that is the thing to just--what 
are we going to do legislatively to make sure that when we put 
in the door for people to pull in their information out of the 
electronic health record into some other application, how is 
that application governed?
    Senator Rosen. Then, I have a quick question for you at the 
end. The huge responsibility put on the end care provider on a 
small family practice and on the individual at the end of the 
system. What is the burden for you to hire more people to take 
care of all this data and information?
    Dr. Rehm. The provider burden today, because it is not 
interoperable, is huge. Because we at LifePoint, we are 
fortunate enough with our size and scale so that we can throw 
an army of people at the bridging the gaps between----
    Senator Rosen. But if you are a small practice?
    Dr. Rehm. But if you are a small practice, you do not have 
those folks. And so that puts you at risk for one. Are you data 
blocking because you do not have the resources to do the custom 
interfaces to allow this ADT message to flow from here to here. 
I mean, you might be caught in the middle of, yes, that is data 
blocking, and that is because you do not have the expertise or 
the resources. So, I think we have run out--there is a great 
risk in the current technology environment for practices that 
do not have the resources because the systems are not 
interoperable today. It takes effort and expertise, and not 
everybody has that.
    Senator Rosen. Thank you.
    The Chairman. Thank you, Senator Rosen. Well, thanks to 
all. I have--Senator Rosen brought up devices. These rules are 
not about devices, I guess. They are about data, but there is 
an outfit in Nashville called a Center for Interoperability 
that is a combination of hospitals, nonprofit and profit, all 
around, who realized they have a lot of buying power and they 
are trying to create a common platform so that anyone from whom 
they buy things has to plug into a common platform. They use an 
analogy of why we do not worry much about cable television, 
that way back in the early days they got a common platform, so 
all the different cable companies use a common platform. What 
does what you are talking about today about devices, I mean 
about data and interoperability, have to do with devices and 
the data that comes from devices?
    Ms. Savage. I will take a stab at that. So, in my longer 
comments we gave an example of a person who has a surgery, and 
they get a brace, and the brace has a radio chip and a 
gyroscope, and it attaches to their app, and that feeds to the 
brace manufacturer's servers. And it may or may not feed to a 
physician's practice. It depends on what the patient chooses.
    When it is not going to the EHR, all of that activity is 
both not within HIPAA, and we have talked about that quite 
extensively, but it is also health information technology with 
important information gate and success of the surgery, that is 
not subject to this rule. And so that is really something to 
think about back to this idea of convergence.
    Mr. Moscovitch. The CMS rules also focus on getting 
patients their claims' data. And claims today for the millions 
of patients with implants lack key information. That is the 
device identifier of the implant they have in their body. So, 
when they are getting their claim's data, they will not know 
which brand of device or which model of the device they have in 
case something goes wrong. And CMS can close that gap by adding 
device identifiers to claims.
    Dr. Rehm. We have talked a lot about interoperability and 
usability, and I think those two are inextricably linked. And 
the usability is made better if medical devices--when you think 
about what is in the EHR, it is a store of data. And a lot of 
it is manually entered today by whether nurses, medical 
assistants, or physicians.
    Devices are just one example where they are not covered but 
the interoperability between the device and the EHR is just as 
key as the interoperability from one EHR to another because 
that burden of getting the data from whether it's from a blood 
pressure cuff, a ventilator machine, whatever it might be, 
getting that into the system is today either manually entered 
or a custom interface to pull that in.
    The Chairman. Ms. Grealy, anything to add?
    I think Senator Romney is on his way back, but as he comes, 
let me ask each of you. If you were in my shoes or Senator 
Braun's shoes, what would be the one thing that you would like 
for us to do or you think we can most constructively do to 
encourage interoperability of data as we consider these two 
rules over the next year or so? What is the one thing you would 
like for us to keep our eye on or push?
    Mr. Moscovitch?
    Mr. Moscovitch. Sure. One thing we have not talked a lot 
about today is patient matching. So, the ability to know that 
the patient at one health system is the same person at another 
health system. And match rates can fail today around half the 
time. Our research has found that better standards for 
demographic data can meaningfully improve match rates. So that 
is a next step that ONC can be taking as it finalizes its 
rules.
    The Chairman. Ms. Savage?
    Ms. Savage. Well, I think the Committee is rightfully 
concerned about privacy and security, and you as Committee 
Members have a lot of expertise about how this works in the 
healthcare system. And I think the best thing you can do is 
work with your colleagues on what is working in healthcare that 
would need to be migrated elsewhere because none of this will 
matter if the consumers do not have confidence, and their 
doctors do not have confidence that the consumers have 
confidence.
    The Chairman. Dr. Rehm?
    Dr. Rehm. I mean she did not say and I think the standards 
FHIR, Argonaut, the USCDI, and the real-world testing. So as 
folks adopt those standards, the validation through the real-
world testing that is working across vendors.
    The Chairman. Ms. Grealy?
    Ms. Grealy. I would endorse all of the comments you have 
just heard. And then the other thing I would really ask that 
you sort of maintain oversight on the implementation of this 
and the time really necessary to do it the right way. And I 
think you have pointed out that perhaps there may be more time 
required. We do not want to halt this. We do not want to 
prevent moving ahead or progress, but I think we also have to 
be very cognizant of the challenges that providers and others 
are facing in trying to this complex work.
    The Chairman. You have asked for 30 more days?
    Ms. Grealy. At least for the comment period.
    The Chairman. For the comment period for the rules.
    Ms. Grealy. Yes.
    The Chairman. We will let Senator Romney provide the 
benediction.
    [Laughter.]
    Senator Romney. I think I will ask questions instead, Mr. 
Chairman.
    [Laughter.]
    Senator Romney. Thank you. I appreciate the work that is 
being done to provide standardization and I happen to believe 
that this is a scenario we have lagged in and there is a real 
cost financially but more importantly in terms of the quality 
of care delivered to patients by virtue of not having been able 
to have this information. I am pleased, as I consider the 
providers of health care in my state, to recognize that they 
have interoperability within their own systems. At LifePoint, 
of course, within your system. Intermountain Healthcare within 
their system. And from what I can tell from the outside, the 
interoperability within the specific systems is having a very 
significant impact, particularly on the cost and quality 
overall in the enterprise.
    I guess I have two questions that I am happy to direct this 
to anyone who wants to pick up on it. One is, does this 
information inform also the choice that the doctors choose to 
guide the type of treatment they might provide or the 
prescription they might provide? So, are they using the 
information to actually change their practice in providing care 
to the patient? That is No. 1. And then No. 2, is the data 
being used yet, the electronic medical record data, being used 
to allow the patient to inform their life choices?
    If a record indicates that someone looks like they are at 
risk for developing diabetes, for instance. Is this flagged by 
someone? Is someone seeing that? Is it then flagged to the 
individual? Are they given then instructions on what type of 
foods they should be eating and what types of things they 
should be avoiding? So, to what extent are we using medical, 
the advent of electronic records, not just to improve the cost 
of the healthcare system, whether it is at LifePoint or the 
Intermountain, or Mayo, or any of the others, but also to 
actually make decisions by physicians, and No. 2, allow 
patients to make--individuals to make decisions for their own 
health and well-being?
    Ms. Savage. With the diabetes prevention product, I will 
take the first step. Intermountain is actually one of our 
oldest customers. We started offering DPP to Intermountain 
employees and now it has been expanded out to their patients in 
certain populations. In fact, we used their EHR data to decide 
who to refer to Omada, and then we in turn engaged the person 
that is in an asynchronous platform. You can open your 
smartphone and see your weight record and your food intake at 
any point in time. There is a picture in our supplemental 
materials, and so I would say, in fact when you can figure out 
the business relationships and the data relationships, that 
magic alchemy occurs. And what we want to have happen is have 
it occur more widely throughout the whole healthcare system.
    Mr. Moscovitch. What Cures did and what these rules do is 
make sure that first and foremost patients can get their data 
and providers can get the data from other places. And better 
APIs to make sure the data are exchanged, and better patient 
matching can meet that end.
    Senator Romney. Thank you.
    Dr. Rehm. From the provider perspective, when the 
information is visible and present in many of our systems, even 
if it is interoperable, that information that is brought in 
from the outside, is outside of their workflow. So, when the 
patient is in front of you and you are trying to make clinical 
decisions, you have everything that is native to your EMR, and 
the outside information is frequently in a separate workflow 
that you have to go find and get.
    Sometimes, in some of our EMRs, that information is closer 
to your workflow, so it is leveraged. The more difficult it is 
to leverage that outside information, the less likely our 
providers are to see it at the right time to make a care 
decision at that moment. So, the usability and interoperability 
again are, I think, go hand-in-hand.
    Senator Romney. Can we make progress on that front? Are 
we----
    Dr. Rehm. Yes. Sorry, I did not mean to cut you off there. 
Yes, so I believe some of the--what we are talking about today 
and what the rules are proposing bring us closer to narrowing 
the playing field so that interoperability is more useful 
because it becomes more usable by the clinicians who are in 
front of the computer and the patient at the same time.
    Senator Romney. Yes. Thank you.
    Ms. Grealy. Well, I just want to highlight with a personal 
story. When you see this work and work well, it is amazing. Two 
years ago, my husband had a very unusual stroke which affected 
his vision. So, there was an ER visit, an overnight hospital 
stay, and then the next 2 days he had to see an 
ophthalmologist, cardiologist, neurologist, and then back to 
the primary care physician. All of the recommendations for most 
different physicians came back to the primary care physician.
    The most notable one being the cardiologist saying, I know 
this will sound unusual to you and your husband because his 
cholesterol level is extremely low, but the latest research 
shows that for this type of stroke, him going on a statin would 
be a good thing. I am not going to prescribe it now. I am 
making the recommendation but discuss it with your primary care 
physician. So, we go back to the primary care physician. He has 
been treating my husband for many years. He looks at it, goes, 
well this does not make sense, but that cardiologist had 
included the latest research. He took the time to look through 
that and said, she is correct.
    Next day I did have an opportunity to attend an AMA 
function and talk to other cardiologists, and ophthalmologists, 
and primary care physicians. And again, it was cutting edge 
research. To me that is the real value of having an 
interoperable electronic health record where the physicians 
have the information and you as the patient are able to engage 
in that discussion in how to manage your health. So, this is 
what we need to have nationwide, not just within these closed 
healthcare systems.
    Senator Romney. Thank you. Mr. Chairman, in keeping with 
your introduction, amen.
    [Laughter.]
    The Chairman. I agree with Senator Romney. That helped take 
what can sometimes sound complex and confusing and gave it the 
kind of meaning that we hope to give it. Thanks to each of you. 
You have been very helpful today. As I said earlier, this is 
a--we all believe the 21st Century Cures Act was, as the 
Majority Leader said, the most important bill we passed in that 
Congress, and we are determined that it be implemented 
correctly. It sounds like these two rules are important steps 
toward interoperability.
    If you have other comments that you would like to make to 
the Committee after you leave and think, oh, I wish I had said 
this or I wish I had said that, the record will remain open for 
10 days so you may do that. Members may submit additional 
information too.
    The Chairman. The HELP Committee will meet again on 
Tuesday, April 2d for a hearing on higher education.
    Thank you for being here. The Committee will stand 
adjourned.

                          ADDITIONAL MATERIAL
                          
 [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]                          
                          
 
[Whereupon, at 11:29 a.m., the hearing was adjourned.]

                                   