Florida Senate - 2019                                    SB 1544
       By Senator Harrell
       25-01042-19                                           20191544__
    1                        A bill to be entitled                      
    2         An act relating to data innovation; creating s. 11.52,
    3         F.S.; providing a short title; providing legislative
    4         intent; establishing the Office of Data Innovation and
    5         Governance for specified purposes; providing duties of
    6         the office; requiring the office to develop an
    7         interagency governance committee; providing committee
    8         membership; requiring the committee to develop
    9         operating guidelines; requiring the office to provide
   10         a certain recommendation to the Governor and the
   11         Legislature by a specified date; amending s. 408.051,
   12         F.S.; requiring certain health care providers to
   13         quarterly report their secure messaging direct
   14         addresses to the Agency for Health Care
   15         Administration; requiring the agency to publish a
   16         directory of such direct addresses in a certain
   17         format; creating s. 408.0522, F.S.; providing
   18         legislative intent; defining terms; requiring certain
   19         certified electronic health record (EHR) vendors
   20         conducting business in this state to provide
   21         interoperability and data integration; requiring such
   22         EHR vendors to make a certain attestation to the
   23         agency; requiring the agency to quarterly publish a
   24         certain list of EHR vendors; requiring licensed health
   25         care entities and licensed providers to report EHR
   26         vendor information blocking; requiring the agency to
   27         impose a specified fine on an EHR vendor for certain
   28         noncompliance or information blocking; providing for
   29         the distribution of collected fines; requiring any
   30         integrating partner to meet security requirements for
   31         EHR vendors; providing immunity from liability for an
   32         EHR vendor under certain circumstances; prohibiting
   33         discriminatory pricing; clarifying that the qualifying
   34         entity is responsible for integration; prohibiting EHR
   35         vendors from taking certain actions; providing an
   36         effective date.
   38  Be It Enacted by the Legislature of the State of Florida:
   40         Section 1. Section 11.52, Florida Statutes, is created to
   41  read:
   42         11.52 Office of Data Innovation and Governance;
   43  interoperability; portfolio rationalization.—
   44         (1) SHORT TITLE.—This section shall be known and may be
   45  cited as the “Legislature’s Office of Data Innovation
   46  Governance, Interoperability, and Portfolio Rationalization
   47  Act.”
   48         (2) LEGISLATIVE INTENT.—The Legislature recognizes that no
   49  state agency or entity is tasked with ensuring that the state’s
   50  data is interoperable. It is the intent of the Legislature to
   51  create the Office of Data Innovation and Governance to ensure
   52  that all state agencies collaborate and synthesize data securely
   53  through interoperability, and to create software and information
   54  technology (IT) application procurement with the intent of
   55  achieving interoperability, thereby reducing the number of
   56  standalone applications that do not communicate with each other.
   57  It is the intent of the Legislature to minimize the costs
   58  associated with areas of data management; to ensure accurate
   59  procedures around regulation and compliance activities; to
   60  increase transparency within any data-related activities; to
   61  institute better training and educational practices for the
   62  management of data assets; to increase the value of this state’s
   63  data while providing standardized data systems, data policies,
   64  and data procedures; to aid in the resolution of past and
   65  current data issues; to facilitate improved monitoring and
   66  tracking mechanisms for data quality and other data-related
   67  activities; to increase overall state data standards, thereby
   68  translating data into actionable information and workable
   69  knowledge of this state’s IT system; and to improve the health
   70  of all persons in this state. It is the intent of the
   71  Legislature to enable agencies to transform their use of
   72  technology to offer services in an effective, efficient, and
   73  secure manner.
   75  Data Innovation and Governance is established to evaluate and
   76  execute interagency data-sharing agreements, to develop common
   77  data definitions across the executive and legislative branches
   78  of government, to provide interagency transparency, to create an
   79  assessment of all IT systems in this state, to create an IT
   80  software procurement process, and to recommend a software
   81  portfolio rationalization to the Governor, the President of the
   82  Senate, and the Speaker of the House of Representatives each
   83  fiscal year. The President of the Senate shall appoint a chief
   84  data officer to direct the office.
   85         (a) Data catalog.—The Office of Data Innovation and
   86  Governance shall identify all data elements contained within
   87  state agencies and publish a comprehensive data catalog.
   88         (b) Data dictionary.—The office shall develop common data
   89  definitions across state agencies and publish a data dictionary.
   90  Where data definitions are limited to agency functionality, the
   91  data dictionary shall define each data element, depending upon
   92  each agency’s need.
   93         (c) Interagency data-sharing agreements.—By the end of the
   94  2018-2019 fiscal year, the office shall inventory all existing
   95  interagency data-sharing agreements, identify areas of data
   96  sharing needs which are not currently addressed, and execute an
   97  interagency agreement.
   98         (d) Transparency.—The office shall inform state agencies of
   99  types of data collected by the agencies which are reported
  100  publicly or to the federal government for the purpose of
  101  identifying where interagency data sharing can create staff
  102  efficiencies and technology efficiencies.
  103         (e) Software procurement.—All state agency software
  104  procurement efforts must be reviewed by the office to ensure the
  105  procurement efforts and the solutions sought provide
  106  interoperability between the agencies. An agency procurement
  107  request may not be published without the approval of the office.
  108         (f) Portfolio rationalization.—The office shall report to
  109  the Executive Office of the Governor, the President of the
  110  Senate, and the Speaker of the House of Representatives an
  111  inventory of all technology currently being used by state
  112  agencies. This inventory of systems and applications must
  113  identify duplicate systems and make recommendations for reducing
  114  the number of legacy systems supporting each separate agency.
  115         (g) System of algorithms.—By the end of the 2019-2020
  116  fiscal year, all agencies housing health-related data must
  117  implement a system of algorithms to continuously search for
  118  duplicate patient records in the databases of such agencies. The
  119  algorithms must scan for data elements within a patient’s
  120  information, including, but not limited to, his or her name,
  121  address, medical record number, social security number, and
  122  insurance company or health care provider, to determine whether
  123  records belong to the same patient or if more research is
  124  needed. The system shall use both deterministic and
  125  probabilistic algorithms to match patient records.
  126         (h) Identity management.—The office shall implement an
  127  identity verification function capable of authenticating the
  128  digital identity of a person, organization, device, or
  129  application. The identity verification function must allow for
  130  the authentication across state agencies without the need to
  131  physically store protected health information or personal
  132  identifying information in order to ensure data connectivity and
  133  integration across all agency data sets.
  134         (i) Direct address directory.—The office shall develop a
  135  direct address directory for all relevant providers in this
  136  state and publish the directory in a format that can be
  137  digitally digested by qualified entities.
  138         (j) Security.—The digital front door recommended by the
  139  office:
  140         1. Must enable the secure exchange of digital information
  141  with, and use of digital information from, other IT systems
  142  without special effort on the part of the user;
  143         2. Must allow for complete access, exchange, and use of all
  144  electronically accessible information for authorized use under
  145  applicable state or federal law; and
  146         3. Does not constitute information blocking as defined in
  147  s. 408.0522(2).
  148         (4) INTERAGENCY GOVERNANCE COMMITTEE.—The Office of Data
  149  Innovation and Governance shall develop an interagency
  150  governance committee consisting of all of the following members:
  151         (a) One representative from each state agency that houses
  152  health-related data, appointed by the Governor.
  153         (b) One member from the health plan industry, appointed by
  154  the President of the Senate.
  155         (c) One member from the hospital industry, appointed by the
  156  President of the Senate.
  157         (d) One member from an ambulatory surgical center,
  158  appointed by the President of the Senate.
  159         (e) One member from the long-term care community, appointed
  160  by the President of the Senate.
  161         (f) Two members from the banking industry, one appointed by
  162  the President of the Senate and one appointed by the Speaker of
  163  the House of Representatives.
  164         (g) One member from the IT industry, appointed by the
  165  Speaker of the House of Representatives.
  166         (h) One member from the social services industry, appointed
  167  by the Speaker of the House of Representatives.
  168         (i) One member from the licensed practitioner community,
  169  appointed by the Speaker of the House of Representatives.
  170         (j) One member involved with promoting civil justice,
  171  appointed by the Speaker of the House of Representatives.
  172         (5) GUIDELINES.—The committee shall develop operating
  173  guidelines that must:
  174         (a) Serve the best interests of the state;
  175         (b) Prioritize technology capabilities to improve delivery
  176  of mission-critical services;
  177         (c) Prioritize projects that can serve as common solutions
  178  or inspire reuse;
  179         (d) Abide by an open, transparent, and fair process for
  180  evaluating project proposals;
  181         (e) Implement a fair evaluation process based on consistent
  182  criteria that include a strong technical and security approach
  183  with an execution strategy led by a highly capable team;
  184         (f) Require agencies to articulate why they are requesting
  185  funds for IT software and provide assurance of sound project
  186  cost and savings estimates;
  187         (g) Accept proposals for new projects or ideas that require
  188  funding to implement and for ongoing projects that need an input
  189  of funds or technical expertise to improve project execution and
  190  produce stronger results;
  191         (h) Publish updates, success stories, funding
  192  recommendations, and additional information that allows agencies
  193  to learn from the office’s operating model; and
  194         (i) Develop an agile project implementation process that
  195  supports the mission of the office.
  196         (6) RECOMMENDATION.—The Office of Data Innovation and
  197  Governance shall recommend to the Governor, the President of the
  198  Senate, and the Speaker of the House of Representatives by the
  199  2020-2021 fiscal year a statewide framework for a digital front
  200  door for managing information throughout this state. The digital
  201  front door must address eligibility for state services,
  202  treatment by state-licensed practitioners, payment, policy
  203  research, patient outcomes improvement, and state and federal
  204  governmental reporting.
  205         Section 2. Subsection (6) is added to section 408.051,
  206  Florida Statutes, to read:
  207         408.051 Florida Electronic Health Records Exchange Act.—
  208         (6)SECURE MESSAGING DIRECT ADDRESS.—Each provider that
  209  uses an electronic health records company that has received
  210  certification by the federal Office of the National Coordinator
  211  shall quarterly report its secure messaging direct address to
  212  the agency. The direct address is the address at which the
  213  provider prefers to receive direct messages. The agency shall
  214  publish in an open-sourced and digestible format a dynamic
  215  directory of direct addresses for providers treating patients in
  216  this state, whether in person or remotely.
  217         Section 3. Section 408.0522, Florida Statutes, is created
  218  to read:
  219         408.0522 Florida Health Data Interoperability Act.—
  220         (1) It is the intent of the Legislature to create a robust
  221  interoperability between health systems and to ensure that
  222  health care providers are able to leverage their EHR investments
  223  to achieve their unique desired outcomes.
  224         (2) As used in this section, the term:
  225         (a)“Agency” means the Agency for Health Care
  226  Administration.
  227         (b)“DCF” means the Department of Children and Families.
  228         (c)“Department” means the Department of Health.
  229         (d)“DOEA” means the Department of Elder Affairs.
  230         (e)“EHR” means an electronic health record, a digital
  231  version of a patient’s paper chart which presents information in
  232  real-time and allows information to be made available instantly
  233  and securely to authorized users. The term may include a
  234  patient’s medical history, diagnoses, medications, treatment
  235  plans, immunization dates, allergies, radiology images, and
  236  laboratory and test results.
  237         (f)“EHR vendor” means a company that develops and creates
  238  for sale an EHR system.
  239         (g) Information blocking” means a practice that is likely
  240  to interfere with, prevent, or materially discourage access,
  241  exchange, or use of electronic health information that is
  242  conducted by an EHR vendor or provider who knows, or should
  243  know, that such practice is likely to interfere with, prevent,
  244  or materially discourage the access, exchange, or use of
  245  electronic health information.
  246         (h)“Interoperable” means the ability of two or more
  247  systems or components to exchange information and to use the
  248  information that has been exchanged.
  249         (i) “Licensed health care entity” means a licensed health
  250  care facility regulated by the agency.
  251         (j) “Provider” means a licensed health care practitioner
  252  whose practice is regulated by the department.
  253         (k) “Qualified entity” means a third party that meets the
  254  security requirements necessary to securely integrate with an
  255  EHR vendor that received certification by the federal Office of
  256  the National Coordinator.
  257         (3) An EHR vendor certified by the federal Office of the
  258  National Coordinator for Health Information Technology, or
  259  qualified entities conducting business in this state with a
  260  licensed health care entity or a provider, shall provide
  261  interoperability and data integration at the direction of a
  262  qualified entity or a provider.
  263         (4) An EHR vendor doing business in this state must attest
  264  to the agency whether it has the required functionality to
  265  support interoperability and seamless third-party integrations.
  266  The attestation must list all the types of integrations
  267  supported, if any.
  268         (5) The agency shall quarterly publish an open-sourced and
  269  dynamic list of EHR vendors that support interoperability. The
  270  list must include:
  271         a. Each EHR vendor’s name and the location of its
  272  headquarters;
  273         b. The name and contact information of each EHR vendor’s
  274  registered agent; and
  275         c. The name of each EHR vendor’s software and version
  276  number.
  277         (6) Licensed health care entities and licensed providers
  278  shall report to the agency any instance of an EHR vendor
  279  conducting business in a way that creates information blocking
  280  that results in a lack of interoperability.
  281         (7) The agency shall impose a fine on an EHR vendor that
  282  fails to comply with the interoperability standards or that
  283  creates information blocking in an amount equal to the greatest
  284  amount, whether expressed as a fixed sum or a proportion of
  285  revenue generated, charged to a third party for integration
  286  times the revenue generated from business in this state.
  287  Proceeds of any such settlement shall be distributed as:
  288         (a) Thirty percent to fund clinical trials, as deemed
  289  appropriate by the Office of Data Innovation and Governance;
  290         (b) Forty percent to fund pilot programs that include cost
  291  based, rather than fee schedule-based, reimbursements;
  292         (c) Twenty percent to fund unreimbursed care in this state
  293  on a cost basis, rather than on a fee schedule basis, via the
  294  Medicaid low-income pool; and
  295         (d) Ten percent to the whistleblower hospital, practice, or
  296  provider that discovers and reports the information blocking.
  297         (8) A qualified entity must meet the security requirements
  298  that EHR vendors are held accountable for in both federal and
  299  state regulations. EHR vendors are immune from liability when
  300  the qualified entity is denied integration because the data
  301  integration partner does not meet the security requirements
  302  necessary or does not have the necessary technical capacities to
  303  integrate.
  304         (9) There are no pricing mandates for integration and data
  305  costs. EHR vendors may not use price to discriminate in a manner
  306  that hinders data integration and innovation.
  307         (10) This section does not require an EHR vendor to develop
  308  technological capabilities to meet the needs of qualified
  309  entities. The qualified entity is responsible for integrating
  310  the use of existing, uninteroperable digitized electronic
  311  medical records.
  312         (11) EHR vendors may not use existing technological
  313  resources to discriminate against qualified entities. EHR
  314  vendors may not publish an application programming interface to
  315  one qualified entity and require another qualified entity
  316  needing the same functionality to use the interoperability
  317  standards of Health Level Seven International.
  318         Section 4. This act shall take effect July 1, 2019.