In January 2022, the Office of the National Coordinator for Health Information Technology (ONC) published the Trusted Exchange Framework and Common Agreement (TEFCA). This marked an important milestone in the journey to establish the United States’ first national health information sharing network.
What is TEFCA?
The Trusted Exchange Framework and Common Agreement establishes guidelines and contractual conditions to facilitate the safe transfer of electronic health information nationally. TEFCA aims to provide stakeholders such as health professionals, health plans, individuals, government agencies, public health agencies, hospitals and health information networks (HINs) with improved yet secure access to health information.
TEFCA’s primary goals are to:
- Increase access to secure health data;
- Create a core set of data to be available for treatment, access, benefit determination and other related purposes through HINs that follow the Common Agreement;
- Reduce excess costs and inefficiencies that occur when joining multiple HINs with different protocols and agreements;
- Establish consistent privacy and security guidelines for HINs to follow when securing patient data.
While some regional networks already exchange health information, existing networks have limited reach and interoperability, prompting the need for a nationwide, standardized system.
Participants and Procedures: How TEFCA Works
TEFCA has two components:
- The Trusted Exchange Framework (TEF) is a set of foundational, non-binding principles and standards designed to support the effective exchange of health information.
- The Common Agreement (CA) establishes the technical infrastructure and governance required to standardize the quality, security and authentication protocols for transferring and accessing patient data. It advances TEF principles to govern data sharing among networks.
The ONC appointed the Sequoia Project as the Recognized Coordinating Entity (RCE) to administer the adoption and enforcement of the CA. The RCE oversees Qualified Health Information Networks (QHINs), which are approved health information networks that agree to comply with TEFCA. QHINs connect directly to one another to facilitate the consistent and safe exchange of health data across the network. In addition to monitoring QHINs, the RCE keeps the technical framework that QHINs follow up to date with changes in technology, procedures and policy.
Once multiple QHINs have joined, providers, patients, insurers and eligible agencies can use the standardized network to access electronic health information. The data will help diagnose and treat patients, improve care and public health outcomes and permit patients to access their private records.
Apply to be a Qualified Health Information Network
Starting in 2022, HINs may apply to the RCE to become QHINs. Before submission, HINs need to evaluate their internal processes to determine if they can meet the terms of the CA. During this stage, they should notify the RCE of their intent to apply and conduct preliminary testing of their systems.
The application process is broken down into five phases:
- Application Submission: HINs submit an online application, a signed CA and a completed questionnaire for the RCE to review. The RCE evaluates the application to determine if it’s complete.
- Application Review: The RCE verifies the information provided and either accepts, denies or notifies the HIN of discrepancies within the application. Failure to rectify issues within 10 business days results in the automatic withdrawal of the application. Denied applicants may reapply after six months.
- Pre-production Testing: Once the application is approved, the HIN conducts a series of pre-production tests to verify that its systems conform with other QHINs within the system. This phase is performed using test data.
- Designation and Post-production Testing: QHINs receive provisional status and access to the production directory. QHINs have 30 days to initiate a Production Connectivity Validation test.
- Production QHIN Exchange: QHINs that have completed all application, onboarding and testing steps enter the Production QHIN Exchange.
Required Third-Party Certification
To comply with the CA, QHINs must receive and maintain a third-party certification to an industry-recognized cybersecurity framework. Certifying bodies ensure that each QHIN’s cybersecurity framework maintains compliance with the CA’s security controls. The RCE is responsible for selecting eligible certifying bodies. Currently, HITRUST is the only RCE-designated certification body.