Wide-ranging health care bill gets final approval from CT House

The House gave final passage Monday to a wide-ranging health care bill that would add protections for home care workers, boost preparedness for cyberattacks at medical facilities and establish new regulations for the state’s health information exchange, among other reforms.

The measure was adopted by a vote of 112-37. The vote was split mostly along party lines.

The sections on additional protections for home care workers were prompted by the murder of visiting nurse Joyce Grayson, who was killed in October while working at a halfway house in Willimantic. A man has been charged in connection with her murder, news outlets have reported.

“Many who were affected by the death of Joyce Grayson know how important this work and this conversation is,” said Rep. Cristin McCarthy Vahey, D-Fairfield, co-chair of the Public Health Committee.

The bill requires home health aide agencies to collect certain client information upon intake and make it available to any employee assigned to the client. Information includes a history of violence against health care workers, domestic abuse, substance use, psychiatric history, any listing on a sex offender registry, the crime rate of the municipality the person lives in, and whether there are any weapons or safety hazards in the home. The measure prohibits agencies from denying a client services based solely on the data collected or a refusal to provide it.

The proposal also mandates that home health agencies perform monthly safety assessments with direct care staff and implement a home care worker health and safety training curriculum. The state’s social services commissioner must ensure agencies provide evidence that they implemented training curriculums to continue receiving Medicaid reimbursements.

Additionally, home health agencies must report to the state clients’ verbal threats or abuse, and the public health department has to report annually to the legislature’s Public Health Committee the number of incidents and what steps were taken to ensure safety.

The measure also adds accountability measures for cyberattack readiness at health care facilities. Beginning Jan. 1, 2025, hospitals must annually submit plans for responding to a cybersecurity breach to an audit by an independent, certified cybersecurity auditor or expert credentialed by the Information Systems Audit and Control Association or similar entity. The auditor would review the adequacy of the plans, identify improvements, and make it available for state agencies, such as the public health department, to inspect.

That provision of the bill follows a cyberattack at three Connecticut hospitals that caused patients to be diverted for weeks, snarled operations at the facilities and created financial setbacks due to billing difficulties.

Records obtained by The Connecticut Mirror show the facilities — Rockville General, Manchester Memorial and Waterbury hospitals — had to cancel nearly half of their elective procedures and at times over the nearly six-week period couldn’t process X-rays or CT scans that are vital for treating potential stroke or heart attack victims.

Legislators pledged to enhance preparedness for future cyberattacks. An earlier version of the bill would have required the state to provide resources to hospitals in the event of a ransomware attack, including a radio communication system, intranet system for secure communication, cardiac monitors, fax machines and other equipment. The proposal was amended due to budget constraints.

The bill adopted Monday also makes changes to rules surrounding the statewide health information exchange. It exempts providers from connecting to the network under certain circumstances, including if they have no patient medical records or are licensed in the state and exclusively practicing as employees of a covered entity under Health Insurance Portability and Accountability Act (and the covered entity is legally responsible for decisions on the safeguarding or release of health information).

Providers also don’t have to share information with the exchange if doing so is prohibited by state or federal privacy and security laws or if the patient’s consent is legally required and has not been obtained, the measure states. A working group will study issues of privacy and cybersecurity related to the exchange.

The 40-section bill also:

• Creates a home health worker safety grant program.
• Requires the health department to obtain educational material on gun safety practices for primary care providers to give their patients.
• Requires the consumer protection department to study prescription drug shortages.
• Allows hospitals and other health care facilities to record data on the amount of employee time spent on requesting prior authorizations or pre-certifications from health carriers.
• Makes it a discriminatory practice for nursing homes to refuse applicants for admission solely because they received mental health services.
• Establishes a definition of “direct care” for the purposes of minimum nursing home staffing levels.
• Requires the mental health and addiction services commissioner to establish a peer-run respite center (run by a contracted nonprofit group) to provide peer respite and support services to adults.
• Requires licensed hospice agencies to encourage their staff to spend three weeks each in a pediatric intensive care unit or pediatric oncology unit to enhance their skills and expertise to prepare for roles in pediatric hospice care.
• Allows physicians and physician assistants who are employed at facilities licensed by the state health department to unionize in certain situations.

Rep. Susan Johnson, D-Windham, said the sections increasing protections for home care workers are necessary.

“This is what happens when we don’t take the precautions to make sure people are protected,” she said, referring to Grayson’s murder. “These are not the things we want to see our providers go through. We don’t want to see them assaulted. We don’t want to see them murdered. We want to make sure … they will be protected when they go into homes.”

Rep. Farley Santos, D-Danbury, praised the move to study the expansion of hospice services for children.

“As a father of a son who passed away and required pediatric hospice care, what this section is going to do is outline the need throughout the state. It’s going to outline what the cost may be,” he said. “It’s also going to investigate how we can expand those services. As someone whose family had to rely on those services, I applaud the committee for putting this section in here.”

Rep. Tammy Nuccio, R-Tolland, raised concerns about edicts in the bill that could drive up the overall cost of care, including a requirement that certain insurance policies cover coronary calcium scans.

“Every mandate that we pass does nothing to bring down the cost of care,” she said. “All it does is say insurance companies have to pay more money, which increases the cost of care because it increases the claims.

“In June, when we come back in here to look at the [insurance] rate review, and everybody throws their hands up in mock-disgust that rates are going up and insurance is so expensive — not a single person in this chamber will stop and say, ‘What did we do in the last legislative session that increased the cost of health care?’”

The Senate approved the measure last week with a vote of 34-1. Sen. Rob Sampson, R-Wolcott, was the lone dissenter.

Sen. Saud Anwar, co-chair of the Public Health Committee and a physician under contract at Manchester Memorial Hospital, said during the prolonged technology outage at the three Connecticut hospitals affected by a cyberattack, thousands were unable “to get the level of care they should have gotten.”

“Unfortunately, it’s a matter of time before more hospitals in our state will be impacted by cybersecurity and cyberterrorist attacks,” he said. “This is important for us to address. It is critical to be prepared. If you plan in advance, the risk and complication rates are going to be much less.

“Every single day, across the country, our hospitals and health care systems are being compromised through cyberattacks and their information — or the patient’s — is at risk. That’s precisely why we need a comprehensive plan in the state of Connecticut to be ready anytime there is an issue.”

The measure now heads to Gov. Ned Lamont’s desk for a signature.