Trusted Exchange Framework: What's Lacking?
HIMSS, CHIME, AMIA Make Recommendations on Security, Privacy Provisions
What do healthcare industry stakeholders think of the Trusted Exchange Framework that the Department of Health and Human Services proposes to promote secure, interoperable nationwide health data exchange? Some say the framework, while a good starting point, lacks clarity on certain security and privacy issues. And they caution against moving too quickly to implement a framework without first test-driving it.
HHS' Office of the National Coordinator for Health IT's draft Trusted Exchange Framework and Common Agreement, unveiled in January, aims to help fulfill a call for increased health data exchange in the 21st Century Cures Act that was signed into law in 2016 (see Analysis: Security Elements of 'Trusted Exchange Framework').
That law is aimed at accelerating medical innovation, including easing the exchange of data among various health information networks to support timely, appropriate treatment decisions.
Stricter Than HIPAA?
The Trusted Exchange Framework draft that was released in January addresses governance and principles for secure exchange of patient data among "qualified health information network" participants.
Some security components being proposed for the framework are more specific than what's required by HIPAA, with the draft document acknowledging that not all of the participants in networks that adopt the framework will necessarily be HIPAA-covered entities or business associates.
Those components include, for example, tougher breach notification requirements as well as detailed authentication requirements that go beyond what's specified under HIPAA.
HIMSS Weighs In
The Healthcare Information and Management Systems Society, which is hosting its annual conference next week in Las Vegas, writes in its comments that the framework needs more work.
"HIMSS supports the TEFCA principle focused on the secure exchange of electronic health information and in a manner that promotes patient safety and ensures data integrity," HIMSS writes in its comments. "Qualified health information networks also need to ensure the confidentiality and availability of electronic health information - in addition to the integrity of such information."
In calling for clarifications, HIMSS writes: "It is important to emphasize that integrity goes beyond just patient matching and making sure that the patient data is up to date prior to exchange; from an information assurance perspective, integrity means that the data is not tampered with, nor modified, without authorization. For example, data may be tampered or modified without authorization by an insider threat actor - out of negligence or intentionally doing so - by an external threat actor, or by a combination of both insider threat and external threat actors. Data may also be destroyed or corrupted without authorization."
Because the proposed framework focuses on the availability of electronic health information for sharing, "ONC should consider clarifying what it means for data to be 'available'," HIMSS writes. "Such information could potentially be unavailable to the network in the event of a denial-of-service attack against a vulnerable application or resource. Such information may be unavailable to the extent that a resource and/or application is not working properly or undergoing maintenance," HIMSS writes.
HIMSS also asks ONC for clarification on the appropriate standards to ensure providers and organizations participating in data exchange have confidence the appropriate consent or written authorization was captured prior to the exchange of electronic health information. "As ONC discusses in the draft guidance, the HIPAA rules do not have a consent requirement. There could be other state and federal laws that apply and require patient consent. To move toward nationwide exchange, we need more clarity in TEFCA around how ONC expects ... QHINs [qualified health information networks] to ensure consent was captured."
Not All Organizations Ready?
The College of Healthcare Information Management Executives - an association that represents CIOs and CISOs - says not all healthcare organizations are prepared to implement the stricter proposed standards.
"The draft framework starts aligning organizations to share data in a manner which is secure and validated. Specifically, we support the need for strong authentication and validated identity proofing prior to access and disclosure of data and CHIME is an avid supporter of the NIST Cybersecurity Framework," CHIME writes.
CHIME also supports the minimum standards called for in the framework, "particularly a minimum floor of IAL2 [identity assurance level 2] being set for end user identity proofing. We also support NIST 800-63-3, which addresses identity proofing, identity authentication, and the strength of assertion in a federated environment."
CHIME notes, however, "We worry that the requirements may be hard for smaller providers to meet and we urge ONC to take this into consideration. The two-factor authentication requirements may simply be too onerous and expensive for smaller providers."
CHIME also notes that the privacy and security requirements proposed in the draft "represent an expansion of the Drug Enforcement Agency requirements for identity proofing and provisioning for e-prescribing of controlled substances."
Moving Too Fast?
CHIME was among several organizations that said in their comments they are concerned about ONC moving too quickly with the proposed framework and its elements. After analyzing the public comments, ONC plans to release a final version of the proposal before the end of this year.
Also concerned about the timeline is the American Medical Informatics Association, which says in a statement that the group recognizes "the lack of harmonization among current networks, causing clinicians to rely on point-to-point exchange that is a marginal improvement over fax machines."
At a national level, AMIA says, "the health system simply cannot optimize nationwide investments in health IT based on push-only exchange and contractual relationships that must be created anew for each step in the referral chain."
But moving to a new paradigm of health IT infrastructure and data exchange "will take research, experience and a thoughtful approach," AMIA says, recommending that ONC develop a roadmap for a three-year implementation plan and the creation of pilots to test the plan.
AMIA also recommends that under the framework, a patient should be able to request a digital copy of their data maintained by all stakeholders who participate. "We strongly recommend that the TEFCA be leveraged to improve access to patients' data. A core use case this framework could demonstrate is the patient's right to access provided by HIPAA."
Don't Forget 'Push'
DirectTrust, the nonprofit organization that governs the secure "Direct" healthcare email protocol, says it's critical that the proposed framework acknowledge the importance of "push" exchange - even as its focus is on query-based "pull" data sharing.
"The omission from the documents of the importance of the Direct interoperable 'push' model implies that 'query' for a patient's medical information is all that is needed to achieve the interoperability goals of the 21st Century Cures Act. In reality, both are needed," writes DirectTrust founding president and CEO David Kibbe, M.D. He plans to step down from the organization at the end of the year.
"Pull or 'query' is important. But a real-time 'push' model such as that accomplished by Direct interoperability supported by the DirectTrust trust framework is also critical to meeting the Cures Act HIT provisions, and to the achievement of best practice patient care," Kibbe contends.