Overview: The Transparent Ratings on Usability and Security to Transform Information Technology Act of 2015

The article was selected as a Wolters Kluwer Legal Scholar winner​ and discusses important asp​ects and implications of this important law.​​​​

As technology becomes more integrated in health care, some individuals and organizations are calling for better regulations of health information technology (HIT) systems. On October 6, 2015, U.S. Senators Sheldon Whitehouse (D-RI) and Bill Cassidy (R-La) answered the call by introducing bipartisan legislation to strengthen accountability and improve transparency in HIT. Submitted as the Transparent Ratings on Usability and Security to Transform Information Technology (TRUST IT) Act of 2015, the TRUST IT Act is meant to be consumer-facing support for health care organizations selecting an electronic health records system (EHRs).

Currently, EHRs must be certified in order to qualify for an incentive program with CMS and the Office of the National Coordinator for Health Information Technology (ONC). The incentive program requires EHR technology to give assurances to purchasers and users that the EHR system offers the necessary technological capability, functionality, and security to meet meaningful use criteria. Although certification offers some guarantees, Whitehouse and Cassidy created the TRUST IT Act since they believe “there is no way to ensure health IT continues to deliver as promised for doctors and patients, and no way to easily compare one product to another.” The TRUST IT Act would establish safeguards so certified HIT systems do not underperform on their promised outcomes, and would also allow consumers to compare different HIT products based on the system’s performance.

To enable transparency in the market, the TRUST IT Act creates a rating system that would evaluate the performance of certified HIT in the areas of security, usability, and interoperability. The rating system would be promulgated as a star rating: three stars signifying excellence, two stars equaling satisfactory performance, and one star being less than satisfactory. The rating system would be published on the ONC website, and developed through a transparent stakeholder input process. For vendors who had received a one-star rating, the Secretary of HHS would create a corrective action plan. Any failure by the vendor to improve their status in the timeframe designated by the corrective action plan could result in the decertification of the vendor’s technology.

The rating system would be overseen by a development council including one representative from each of the accredited HIT certifying bodies and testing laboratories, and one representative from the ONC. Reporting criteria for the vendors to establish a rating would be required, and the council would create the reporting criteria within one year of the TRUST IT Act’s enactment. As written, the TRUST IT Act proposes to evaluate the areas of security, usability and user-centered design, interoperability, conformance to certification testing, and other categories as appropriate to measure the performance of HIT. The public would have a 60-day comment period to speak on the reporting criteria and methodology prior to the issuance of the final rule.

Additionally, the TRUST IT Act would create a confidential process for collecting and verifying feedback from users for security, usability, and interoperability. Feedback would also be received from vendors on common practices of users that could inhibit interoperability. Vendors would submit this feedback, and every two years the vendors would also be responsible to report their performance. Any vendor who did not report their performance would incur fines for failure to do so. The fines collected from this type of vendor violation would be used to create a revolving user compensation fund to help offset costs of purchasing new certified HIT systems for users whose system had been decertified.