ONC’s Trusted Exchange Framework and Common Agreement (TEFCA): Impacts on Health Information Networks and Healthcare Organizations
The Office of the National Coordinator for Health Information Technology (ONC) of the U.S. Department of Health and Human Services released the Trusted Exchange Framework and Common Agreement (TEFCA) earlier this year, which aims to improve electronic interoperability between health information networks (HINs) and facilitate the exchange of health information between connected organizations.
It is important to note that TEFCA is not just about HINs. Under TEFCA, any organization that connects to a HIN designated as a Qualified HIN (QHIN) may be able to meet many interoperability and information sharing obligations without implementing technology integrations on a request-by-request basis. ONC believes that TEFCA will “reduce the need for duplicate network connectivity interfaces, which are expensive, complex to create and maintain, and an inefficient use of healthcare IT vendor and developer resources.” The ONC said connected organizations “will be able to share information with all other connected entities, regardless of which QHIN they choose.”
However, participation in TEFCA comes at a price. Organizations that connect to QHINs, directly or indirectly, will likely have to agree to new contractual requirements that arise from QHINs.
What is TEFCA?
TEFCA fulfills a 21st Century Cures Act mandate for ONC to “develop or support a trust exchange framework for trust policies and practices” and to create “a common agreement for the exchange between networks of health information.” The new framework imposes data sharing requirements on QHINs, as well as organizations connected to the QHIN (participants) and organizations that connect indirectly to a QHIN through an intermediary (sub-participants).
TEFCA complies with other health technology regulations and rules that we have previously covered on this blog. The ONC expects information sharing between QHINs and downstream organizations to improve access to health information where the patient needs and wants it, continuing government efforts to improve individual access to health information. The interoperability improvements made possible by QHINs can also simplify and speed up the sharing of health information, consistent with proposed patient-friendly changes to the HIPAA Privacy Rule and ONC's Interoperability and Information Blocking Rules.
Qualified Health Information Networks
TEFCA starts with the HINs. HINs may voluntarily apply to become a QHIN if the HIN (1) agrees to execute a contract that incorporates the binding Standard Operating Procedures (SOPs) required for each QHIN (referred to as the “Common Agreement”) and (2) adheres to Technical Interoperability Elements (the “QHIN Technical Framework”).
The ONC has designated the Sequoia Project, a nonprofit advocate for nationwide health information exchange, as a Registered Coordinating Entity (RCE) to oversee TEFCA. HINs applying for certification as QHINs must receive approval from the RCE. After certification, QHINs must undergo ongoing monitoring and collaboration with the RCE as specified by the Common Agreement and the QHIN Technical Framework.
Trusted Exchange Framework
The ONC has also published a set of non-binding strategic priorities (the “Trusted Exchange Framework”) to help increase interoperability between HINs. These principles attempt to align information sharing priorities between systems that use or store health information, including QHINs, Health Information Exchanges (HIEs), qualified clinical data registries (QCDRs), networked Electronic Health Records (EHRs) and other types of HIN in general. The Sequoia Project’s “TEFCA User’s Guide” provides additional details on the Common Agreement, the QHIN Technical Framework, and the Trusted Exchange Framework.
The new contractual requirements imposed by QHINs under the terms of the Common Agreement are perhaps most relevant to organizations considering participation.
Top-down flows of a common agreement: impacts of TEFCA on participants and sub-participants
QHIN Participants and Sub-Participants will be required to sign an agreement which includes the “transfer” provisions of the Common Agreement. Some of the transfer provisions are similar to obligations in HIPAA Business Associate Agreements (e.g., privacy and security safeguards). However, the transfer obligations may be entirely new for organizations not currently subject to HIPAA (including many mobile app developers) that want to make it easier for patients to access health information through a QHIN. For this reason, the intended reach of TEFCA goes beyond current rules and regulations (e.g., ONC Interoperability and Information Blocking Rules) by protecting health information while promoting its availability across all platforms.
Transfer requirements applicable to participants and sub-participants include, for example:
- Respond to health information exchange inquiries in a timely manner;
- Collaborate in discussions with the RCE and QHINs to address interpretations of the Common Agreement and the transfer requirements;
- Report persistent and widespread connectivity outages and cooperate to remedy them;
- Provide information to help understand, contain, and mitigate a data security incident, subject to assertions of privilege and confidentiality obligations;
- Do not include exclusivity clauses in contracts related to the sharing of health information;
- Do not impede authorized or required exchange of health information or limit interoperability in a discriminatory manner;
- Limit the use and disclosure of confidential information;
- Limit the use and disclosure of health information received from a QHIN;
- Respond to certain health information requests received by a QHIN.
Additionally, individual access service providers (i.e. services used by patients to access, inspect, or obtain their health information directly or indirectly from the QHIN Network) may have additional contractual obligations under TEFCA. Individual access service developers who agree to these contractual terms can then connect to the QHIN network via a single QHIN connection. These contractual requirements include:
- Publish detailed privacy and security notices;
- Obtain consent before requesting and receiving health information directly or indirectly from QHINs;
- Grant users the right to delete or export data;
- Implement certain data security measures, including encryption of data in transit and at rest.
Impact on health information exchange
The ONC said the Common Agreement will require the exchange of health information between QHINs for six purposes (the “Exchange Purposes”). Initially, the Common Agreement requires the exchange of health information between QHINs for the Exchange Purposes of (i) treatment and (ii) patient access services. Going forward, health information exchange by QHINs will encompass the Exchange Purposes of (iii) payment, (iv) healthcare operations, (v) public health, and (vi) determination of government benefits. Other Exchange Purposes can also be added. These requirements are intended to promote the sharing of health information for a variety of purposes, in addition to the more familiar treatment, payment, and operations functions specified by HIPAA.
In addition to promoting the exchange of health information among QHINs, TEFCA can increase the availability of health information for health care providers and other organizations. ONC released TEFCA to reduce the friction that arises when organizations must manage connections to multiple HINs to access relevant information (since a single connection can involve complex technical planning and contract negotiations). Once TEFCA is fully operational, ONC posits that an organization can connect to a QHIN, which will then provide access to health information accessible from all (a) organizations that connect to that QHIN, (b) other QHINs and (c) organizations that connect to those other QHINs. If QHINs can achieve sufficient scale, there would be little or no need to link and contract with multiple HINs.
An important consideration is that organizations required to comply with interoperability and information blocking rules may have a new tool in their toolbox for responding to health information requests. Currently, many organizations may find it difficult to respond to various requests under the information blocking rule. These organizations are looking for reasonable alternatives to new interfaces, integrations or various other solutions to deliver relevant data.
If TEFCA has the impact ONC plans, these organizations could fulfill some of their obligations under interoperability and information blocking rules by making the data available to a QHIN, which in turn is required to make health information available to requesters in accordance with consistent TEFCA rules and standards.
The Sequoia Project is expected to begin approving QHINs in late 2022, so the ultimate impact of TEFCA remains to be seen. A major EHR vendor has already announced plans to become a QHIN, and more may soon follow.
Even after QHINs are designated, TEFCA will continue to evolve over time, including updates to the Common Agreement, new technical standards, and more SOPs to implement for Participants and Sub-Participants. Organizations with a critical need for health data could benefit from a connection, but many details remain unresolved, including the cost of the connection and the extent of involvement of different health system actors.
In the meantime, similar state efforts could provide a glimpse of future possibilities under TEFCA. For example, California’s Data Exchange Framework (requiring information sharing between medical providers and state social service agencies) may inform pending TEFCA SOPs regarding the exchange of medical information to address the social determinants of health and support general public health.