HHS Issues Trusted Health Data Exchange Governance FrameworkDocuments Aim to Advance Secure, Interoperable Health Info Exchange Nationwide
This developing story has been updated.
The Department of Health and Human Services has released the final versions of its long-awaited Trusted Exchange Framework and Common Agreement, which provide a governance framework to promote secure, interoperable nationwide health information exchange - an effort that has been in the making for many years.
The publication of the TEFCA on Tuesday by the HHS Office of the National Coordinator for Health IT follows at least two earlier ONC draft versions issued in 2018 and 2019, which were modified after regulators took into consideration public and industry feedback (see: Sizing Up Revised Model for National Health Data Exchange).
TEFCA is part of a federal effort to improve the interoperability of health information technology, including electronic medical records systems, and bolster secure, national health information exchange. The ultimate goal is to improve healthcare coordination and patient outcomes - as called for under the 21st Century Cures Act, which was signed into law in 2016.
TEFCA contains two main components. The Trusted Exchange Framework is a set of nonbinding but foundational principles for health information exchange, while the Common Agreement is a legal contract that advances those principles, ONC said in a statement Tuesday.
"The Common Agreement establishes the technical infrastructure model and governing approach for different health information networks and their users to securely share clinical information with each other - all under commonly agreed-to rules-of-the-road," ONC says.
The Common Agreement supports multiple exchange purposes critical to improving healthcare, it says, and has the potential to benefit a wide variety of healthcare entities.
Three Main Goals
ONC says TEFCA has three main goals:
- Establish a universal policy and technical floor for nationwide interoperability;
- Simplify connectivity for organizations to securely exchange information to improve patient care, enhance the welfare of populations and generate healthcare value;
- Enable individuals to gather their healthcare information.
TEFCA's "flexible structure" allows stakeholders, including health information networks, ambulatory practices, hospitals, health centers, federal government agencies, public health agencies, payers and individuals improved access to health information, ONC says.
"The Common Agreement will operationalize simplified electronic health information exchange for many across the U.S. and will provide easier ways for individuals and organizations to securely connect," ONC says.
Qualified Health Information Networks
The Common Agreement is a new legal contract that ONC’s recognized coordinating entity, The Sequoia Project, will sign with each Qualified Health Information Network, ONC says.
It says entities will soon be able to apply and be designated as QHINs, which will connect to one another and enable their participants to engage in health information exchange across the country.
QHINs will execute various corresponding policies within their own networks, ONC says, and a newly published QHIN Technical Framework sets the functional and technical requirements that QHINs need to support to make this new connectivity come online.
"While road-tested production standards are being used at the start, we are also actively working to develop a TEFCA Health Level Seven Fast Healthcare Interoperability Resource Roadmap to outline how FHIR will also become an established part of TEFCA-based exchange over time," according to ONC.
Privacy, Security Considerations
Among TEFCA's main principles for trusted exchange are privacy, security and safety.
"Health information networks should exchange digital health information in a manner that supports privacy; ensures data confidentiality, integrity, and availability; and promotes patient safety," ONC's TEFCA document says.
"HINs should ensure that digital health information is exchanged and used in a manner that promotes safe care and wellness, including consistently and accurately matching digital health information to an individual," it says.
Health plans and most healthcare providers and their business associates must follow the HIPAA Rules to safeguard health information, according to the document.
"However, digital health information is increasingly collected, shared, or used by new types of organizations that are beyond the traditional health care organizations covered by the HIPAA Rules. Privacy and security should be a foundation for all HINs and HIN participants, including those that are not subject to HIPAA," it says.
Also, within the context of applicable law, HINs should enforce policies concerning individuals' ability to consent to the access exchange, or use of their digital health information, TEFCA says.
Some experts say that HHS ONC has been pursuing efforts to advance nationwide health information exchange for a very long time, stretching back to around 2004 when the agency was launched under the administration of President George W. Bush
"It has been a long time in coming, dating back to ONC's earliest efforts to establish nationwide governance, which began before the 21st Cures Act was enacted - to today, with ONC releasing final documents regarding the TEFCA infrastructure," says privacy attorney Deven McGraw, chief regulatory officer of Ciitizen, a consumer health technology firm.
"I am pleased to see individual access services given equal priority to sharing of data for treatment purposes. Individual access has always been prioritized in the TEFCA, from the very early drafts - but to see it valued as one of the two initial required use cases speaks volumes about how much ONC and The Sequoia Project value the needs of individuals to access their health information," says McGraw, who is former deputy director of health information privacy at HHS' Office for Civil Rights and acting chief privacy officer of the ONC.
Privacy attorney Lucia Savage, the chief privacy and regulatory officer at Omada Health and former chief privacy officer at ONC, says she is pleased with TEFCA's use of the concept of "permitted uses" for exchange.
"This could be especially beneficial for nontraditional, virtual-first providers like Omada because although the delivery modality may be novel - virtual first - we do fit squarely within the regulatory definitions of provider, and we will want to use FHIR-based transactions to exchange data for treatment with providers in brick-and-mortar settings."
Savage says that certain security provisions in the Common Agreement addressing non-HIPAA-covered organizations are potentially helpful, including some beneficial security baselines required for signatories. "This means that to the extent that a non-HIPAA entity becomes a subdelegate, they will have to meet some minimum-security standards, which is a good thing."
But some other Common Agreement provisions, such as one related to patient access to their health information, are disappointing, she says.
"QHIN and/or its subdelegates does not have to do exchange for a patient's right of access. I know this limitation is legal because an access request is a right only against a HIPAA-covered entity. A patient does not have a right to force a business associate to give the patient their own data," she says.
"But it was disheartening nonetheless, because it means if patient access is not adopted by the QHIN, then a patient has to make a separate request to each upstream covered entity where their data is.
"Even if legal, this continues to place a significant burden on patients to figure out which covered entities have their data."
The final version of the QHIN Technical Framework retained many features that the DirectTrust community does not support, says Scott Stuewe, CEO of DirectTrust, which is best known for creating and maintaining trust frameworks for secure email messaging in healthcare.
Stuewe says the requirement for QHINs to use the XCDR standard for push messaging from QHIN to QHIN remained intact, despite the fact that Direct Secure Messaging is already enabled for push messaging at virtually every health system and practice in the country.
He says that in the public comments on the Sequoia website that answered the question posed on the use of XCDR, less than one-third of respondents said it should be required, while more than half said Direct Secure Messaging should be considered as an alternative.
"Unlike the federal rule-making or standards development process, there was no specific attempt to reconcile the public comments. This leaves the industry wondering if their concerns were heard in the process," Stuewe says.