X
X

Find Your Specialist

X

Contact Us

Error: Contact form not found.

Go Back

Your Guide to TEFCA

In January 2022, the Office of the National Coordinator for Health Information Technology (ONC) published the Trusted Exchange Framework and Common Agreement (TEFCA). This marked an important milestone in the journey to establish the United States’ first national health information sharing network.

What is TEFCA?

The Trusted Exchange Framework and Common Agreement establishes guidelines and contractual conditions to facilitate the safe transfer of electronic health information nationally. TEFCA aims to provide stakeholders such as health professionals, health plans, individuals, government agencies, public health agencies, hospitals and HINs with improved yet secure access to health information.

TEFCA’s primary goals are to:

  • Increase access to secure health data;
  • Create a core set of data to be available for treatment, access, benefit determination and other related purposes through HINs that follow the Common Agreement;
  • Reduce excess costs and inefficiencies that occur when joining multiple HINs with different protocols and agreements;
  • Establish consistent privacy and security guidelines for HINs to follow when securing patient data.

While some regional networks already exchange health information, existing networks have limited reach and interoperability, prompting the need for a nationwide, standardized system.

Participants and Procedures: How TEFCA Works

Under TEFCA, ONC hopes to accelerate the adoption of Fast Healthcare Interoperability Resources (FHIR) nationwide.

TEFCA has two components:

  1. The Trusted Exchange Framework (TEF) is a set of foundational, non-binding principles and standards designed to exchange health information effectively.
  2. The Common Agreement (CA) establishes the technical infrastructure and governance required to standardize the quality, security and authentication protocols for transferring and accessing patient data. It advances TEF principles to govern data sharing among networks.

The ONC appointed the Sequoia Project as the Recognized Coordinating Entity (RCE) administering the adoption and enforcement of the CA. The RCE oversees qualified healthcare information networks (QHINs), which are approved healthcare information networks that agree to comply with TEFCA. QHINs connect directly to facilitate the consistent and safe exchange of health data across the network. In addition to monitoring QHINs, the RCE keeps the technical framework followed by QHINs updated for changes in technology, procedures and policy.

Once multiple QHINs have joined, providers, patients, insurers and eligible agencies can use the standardized network to access electronic health information. The data will help diagnose and treat patients, improve care and public health outcomes and permit patients to access their private records.

Apply to be a Qualified Health Information Network

Starting in 2022, HINs may apply to the RCE to become QHINs. Before submission, HINs need to evaluate their internal processes to determine if they can meet the terms of the CA. During this stage, they should notify the RCE of their intent to apply and conduct preliminary testing of their systems.

The application process is broken down into five phases:

  1.  Application Submission: HINs submit an online application, a signed CA and a completed questionnaire for the RCE to review. The RCE evaluates the application to determine if it’s complete.
  2. Application Review: The RCE verifies the information provided and either accepts, denies or notifies the HIN of discrepancies within the application. Failure to rectify issues within 10 business days results in the automatic withdrawal of the application. Denied applicants may reapply after six months.
  3. Pre-production Testing: Once the application is approved, the HIN conducts a series of pre-production tests to verify that its systems conform with other QHINs within the system. This phase is performed using test data.
  4. Designation and Post-production Testing: QHINs receive provisional status and access to the production directory. QHINs have 30 days to initiate a Production Connectivity Validation test.
  5. Production QHIN Exchange: QHINs that have completed all application, onboarding and testing steps enter the Production QHIN Exchange.

Required Third-Party Certification

To comply with the CA, QHINs must receive and maintain a third-party certification to an industry-recognized cybersecurity framework. Certifying bodies ensure that each QHIN’s cybersecurity framework maintains compliance with the CA’s security controls. The RCE is responsible for selecting eligible certifying bodies. Currently, HITRUST is the only RCE-designated certification body.

 

Frazier & Deeter’s dedicated HITRUST practitioners expertly guide organizations through the assessment journey. Learn more today!

 

Related Articles

Privacy Overview

When you use or access the Site, we use cookies, device identifiers, and similar technologies such as pixels, web beacons, and local storage to collect information about how you use the Site. We process the information collected through such technologies, which may include Personal Information, to help operate certain features of the Site (e.g., to prevent online poll participants from voting more than once), to enhance your experience through personalization, and to help us better understand the features of the Site that you and other users are most interested in.

You can enable or disable our use of cookies per category.
Always Enabled
Essential cookies enable you to navigate our Site and use certain features, such as accessing secure areas of our Site and using other features of our service that require us to keep track of certain information as you navigate from page to page. Although some of these cookies are “required” to enable certain functionality, you can disable them in the browser, but doing so will limit your ability to use the features supported by such cookies.
Functionality cookies are cookies that support features of the Site, such as remembering your preferences.
These cookies collect information about how you use our Site, including which pages you go to most often and if they receive error messages from certain pages. These cookies are only used to improve how our Site functions and performs.
From time-to-time, we may engage third parties that track individuals who visit our Site. These third parties may track your use of the Site for purposes of providing us with certain marketing automation features (to help us improve our outreach to current and prospective clients) and providing you with targeted advertisements.