HHS Issues Trusted Health Data Exchange Governance Framework



Documents aim to advance secure and interoperable health information exchange nationwide

Marianne Kolbasuk McGee (HealthInfoSec) • January 18, 2022

This developing story has been updated.


The Department of Health and Human Services has released the final versions of its long-awaited Trusted Exchange Framework and Common Agreement, which provides a governance framework to promote secure and interoperable health information exchange on a national scale, an ongoing effort for many years.

Tuesday’s release of TEFCA by the HHS Office of the National Coordinator for Health Informatics follows at least two earlier drafts that the ONC released in 2018 and 2019, which were amended after regulators incorporated public and industry feedback (see: Sizing the Revised Model for National Health Data Exchange).

TEFCA is part of a federal effort to improve the interoperability of health information technologies, including electronic medical records systems, and strengthen the secure national exchange of health information. The ultimate goal is to improve healthcare coordination and patient outcomes – as required by the 21st Century Cures Act, which was signed into law in 2016.

Two components

TEFCA contains two main components. The Trusted Exchange Framework is a set of non-binding but fundamental principles for the exchange of health information, while the Common Agreement is a legal contract that advances those principles, the ONC said Tuesday in a statement.

“The joint agreement establishes the technical infrastructure model and governance approach for enabling different health information networks and their users to securely share clinical information with each other – all under mutually agreed-upon rules of conduct,” the ONC said.

The Common Agreement supports several exchange goals critical to improving healthcare, the ONC says, and has the potential to benefit a wide variety of healthcare entities.

Three main objectives

The ONC says that TEFCA has three main objectives:

  • Establish a universal policy and technical floor for nationwide interoperability;
  • Simplify connectivity for organizations to securely exchange information to improve patient care, improve people’s well-being, and drive healthcare value;
  • Allow individuals to collect their health information.

TEFCA’s “flexible structure” allows stakeholders, including health information networks, outpatient practices, hospitals, health centers, federal government agencies, public health agencies, payers and individuals, to have better access to health information, according to the ONC.

“The joint agreement will operationalize the simplified electronic exchange of health information for many people across the United States and provide easier ways for individuals and organizations to connect securely,” said the ONC.

Qualified Health Information Networks

The Common Agreement is a new legal contract that ONC’s recognized coordinating entity, The Sequoia Project, will sign with each Qualified Health Information Network, or QHIN, according to ONC.

It says entities will soon be able to apply for and be designated as QHINs, which will connect with each other and allow their participants to engage in the exchange of health information across the country.

QHINs will execute various corresponding policies within their own networks, the ONC says, and a recently released QHIN Technical Framework defines the functional and technical requirements that QHINs must support for this new connectivity to come online.

“While road-tested production standards are used in the beginning, we are also actively working to develop a TEFCA Health Level Seven Rapid Healthcare Interoperability Resource Roadmap to outline how FHIR will also become an established part of the TEFCA-based exchange over time,” according to ONC.

Confidentiality, security considerations

Among TEFCA’s main principles for trusted exchange are confidentiality, security and safety.

“Health information networks should exchange digital health information in a way that respects confidentiality, ensures the confidentiality, integrity and availability of data, and promotes patient safety,” the ONC’s TEFCA document states.

“HINs should ensure that digital health information is exchanged and used in a way that promotes safe care and well-being, including consistently and accurately matching digital health information to an individual,” it says.

According to the document, health plans and most healthcare providers and their business associates must follow HIPAA rules to protect health information.

“However, digital health information is increasingly being collected, shared, or used by new types of organizations that go beyond the traditional healthcare organizations covered by HIPAA rules,” it says.

Additionally, within applicable law, HINs should enforce policies regarding the ability of individuals to consent to the exchange of, access to or use of their digital health information, TEFCA states.

Long trip

Some experts say HHS ONC has been pursuing its efforts to advance national health information sharing for a very long time, dating back to around 2004 when the agency was launched under the administration of President George W. Bush.

“This has been a long time coming, dating back to the ONC’s early efforts to establish nationwide governance, which began before the enactment of the 21st Century Cures Act – to today, with the publication by the ONC of the final documents regarding the TEFCA infrastructure,” says privacy lawyer Deven McGraw, chief regulatory officer of Ciitizen, a consumer health technology company.

“I am pleased to see that individual access services are given the same priority as data sharing for processing purposes. Individual access has always been a priority in TEFCA, from the very first drafts – but to see it valued as one of the two initial use cases required speaks volumes about the value that ONC and the Sequoia Project place on the needs of individuals to access their health information,” said McGraw, former deputy director for health information privacy at the HHS Office of Civil Rights and acting chief privacy officer for ONC.

Other provisions

Privacy attorney Lucia Savage, privacy and regulatory officer at Omada Health and former privacy officer at ONC, says she is pleased with TEFCA’s use of the concept of “permitted uses” for exchange.

“This could be particularly beneficial for non-traditional, virtual-first providers like Omada, because although the delivery modality may be new – virtual-first – we fit well within the regulatory definitions of the provider, and we will want to use FHIR-based transactions to exchange data for processing with providers in physical environments.”

Savage says some of the Common Agreement’s security provisions for non-HIPAA organizations are potentially helpful, including some advantageous security foundations required for signatories. “This means that to the extent a non-HIPAA entity becomes a sub-delegate, it will have to meet certain minimum security standards, which is a good thing.”

But some other Common Agreement provisions, such as the one relating to patients’ access to their health information, are disappointing, she says.

“QHIN and/or its sub-delegates do not have to trade for a patient’s right of access. I know that this limitation is legal because a request for access is a right only against a HIPAA-covered entity. A patient has no right to force a business associate to give them their own data,” she says.

“But it was still daunting, because it means that if patient access isn’t adopted by QHIN, then a patient has to make a separate request to each upstream covered entity where their data is located.

“Even though this is legal, it continues to place a significant burden on patients to determine which covered entities have their data.”

Email issues

The final version of the QHIN technical framework retained many features that the DirectTrust community does not support, says Scott Stuewe, CEO of DirectTrust, which is best known for building and maintaining trust frameworks for secure email in the health sector.

Stuewe says the requirement for QHINs to use the XCDR standard for QHIN-to-QHIN push messaging has remained intact, despite the fact that Direct Secure Messaging is already enabled for push messaging in virtually all healthcare systems and country offices.

He says that in public comments on the Sequoia website that answered the question posed about using XCDR, less than a third of respondents said it should be mandatory, while more than half said direct secure messaging should be considered as an alternative.

“Unlike the federal rule-making or standards-making process, there was no specific attempt to reconcile public input. This leaves industry wondering if their concerns were heard in the process,” said Stuewe.
