By Michael Parisi, Vice President of Adoption, HITRUST
Sharing Health Information Improves Patient Care and Health Outcomes
Innovative information exchange technologies offer abundant opportunities to improve healthcare by creating better insights for patients, their caregivers, and the overall medical community. Accelerating appropriate access to care not only strengthens relationships and the trust between patients and their care team but also improves service. The ability to share information provides rich possibilities for integrating and correlating data to improve care delivery, prevent illness, manage disease, and boost personal well-being.
Without efficient information exchange, if a patient is in a place where their health records are not available, it is more difficult for them to get appropriate treatment. The time needed to assess or confirm a patient’s status introduces delays in triage and initial care delivery with the potential for adverse health outcomes and inefficiency for staff in providing care to other patients who require treatment at the same time.
As an example: if someone who is taking blood thinners is unconscious after an accident and the care team does not have access to their health information, the team will wonder why the bleeding cannot be stopped using usual procedures. By knowing about the blood thinners, the care providers can save precious time and proceed to other options.
In other situations, medications are contraindicated. The time needed to collect and evaluate stat labs to reduce adverse interactions may slow down intervention.
Exchanging Accurate, Up-to-date Information is Vital for Healthcare Efficiency and Success
Today, there is not a consistent and widely available way to share patient care information openly across all providers and stakeholders in the health industry. Much of the collaboration and communication that does occur is done through closed health information networks that restrict portability and cause islands of information.
TEFCA is designed to help address this critical challenge. The Department of Health and Human Services (HHS) established the Office of the National Coordinator for Health Information (ONC) as the standards organization responsible for building out interoperability across healthcare networks – connecting stand-alone information and ensuring the sharing and portability of information.
Does this mean we’re looking at a national health records exchange network for everyone that is meant to be available, trusted, and secure at any time and any place? Essentially, YES!
The way the ONC will monitor and manage collection and sharing of health information records is by using the specific guidelines set forth in the Trusted Exchange Framework and Common Agreement (TEFCA).
The TEFCA Recognized Coordinating Entity (RCE) has selected HITRUST as the first certifying body, and the r2 Certification as the certification, for organizations to prove they comply with the TEFCA security requirements for Qualified Health Information Network (QHIN) designation.
TEFCA: An Exchange and Interoperability Initiative Connecting Healthcare Information Networks
TEFCA is intended to facilitate information exchange to improve health outcomes for patients regardless of which system(s) hold their health information, which applications they use to monitor and manage their wellness or diseases, and whether it is the patient, the care team, or the entities paying for their care that need access to their health information. TEFCA outlines a common set of principles, terms, and conditions that bring together public and private stakeholders to develop and support an exchange framework of trust policies and practices, as well as a common agreement for data exchange between Health Information Networks.
In the TEFCA structure, the TEF is the Trusted Exchange Framework, and the CA is the Common Agreement.
The Trusted Exchange Framework establishes the standards needed to ensure that information exchanged between entities is trusted and consistent in formatting, types of data, data elements, and more.
The Common Agreement includes the requirements that organizations participating within the interoperability network must agree to, execute, and follow to be part of the Trusted Exchange Framework and share information.
What Is a Qualified Health Information Network (QHIN)?
QHINs are the Health Information Networks and Health Information Exchanges that meet the standards for collecting and sharing healthcare data across multiple entities as set forth by the Recognized Coordinating Entity (RCE) – facilitated by The Sequoia Project. The RCE is the enforcement agency that assists with QHIN Application, Onboarding, and Designation Processes, as well as ongoing monitoring. The RCE evaluates and approves organizations joining the network or can remove entities that are not following the rules. Organizations can voluntarily apply to become a QHIN, but they must meet Qualifying requirements to earn a QHIN designation.
Security Requirements and Trust are Essential to Becoming a QHIN
When considering electronic health information, the first thing that pops into mind for most people is: “How are they going to be sure that my health information stays secure and private?”
TEFCA specifies strong security safeguards for the protection of TEFCA Information (TI) in the Common Agreement (§12.1.2), flow-down provisions, and Standard Operating Procedures (SOP) including the requirement that QHINs “shall achieve and maintain third-party certification to an industry-recognized cybersecurity framework demonstrating compliance with all relevant security controls.”
HITRUST is Actively Certifying Potential Qualified QHINs
The requirements for QHINs include a series of data security requirements:
- Obtaining a security certification,
- Using an industry-recognized framework that, at a minimum, provides coverage over the HIPAA Security Rule and NIST 800-171.
The TEFCA Recognized Coordinating Entity (RCE) – The Sequoia Project – has selected HITRUST and the HITRUST r2 Certification as the first certifying body and certification for organizations to prove they comply with the TEFCA security requirements to earn Qualified Health Information Network (QHIN) designation. A properly tailored and scoped HITRUST Risk-based, 2-year (r2) Validated Assessment + Certification using the HITRUST CSF framework is currently the only industry certification selected to meet these requirements.
Requirements for Participants and Subparticipants
Participants are organizations that connect to a QHIN to either send or receive healthcare data. Examples include hospitals, practices for physicians/dental/eye care/etc., labs, pharmacies, payers and health plans, other insurers such as auto, long-term/short-term disability and workers comp, cloud hosting organizations, researchers, and more.
Subparticipants are one level down as entities that connect to a Participant and provide data or consume data from the Participant.
QHINs are expected to meet the standards of the Common Agreement, and there are also TEFCA data security flow-down provisions that all QHINs must follow to ensure that Participants and their Subparticipants meet the requirements of the Common Agreement relevant to them. At a minimum, all Participants and Subparticipants, including non-HIPAA entities classified as Participants or Subparticipants, must meet the requirements of the HIPAA Security Rule and may have to provide additional assurances over other security requirements in the future. The QHIN is obligated to support those entities and measure their adherence to the TEFCA Security Requirements.
NOTE TO PARTICIPANTS AND SUBPARTICIPANTS: As additional requirements emerge, it is expected that Participants may need an information security assurance mechanism to satisfy QHIN contractual obligations and Subparticipants may need a similar security assurance to satisfy Participants. HITRUST can help your organization become fully compliant with whatever level of assessment and assurance may be required under Common Agreement standards.
To find out more about how HITRUST can assist you as a TEFCA resource, we invite you to call: 855-448-7878 or email: email@example.com.
About the Author
Michael Parisi, Vice President of Adoption, HITRUST
Michael Parisi has led over 500 controls-related engagements and has extensive experience with third-party assurance reporting including HITRUST readiness, HITRUST certification, SOC 1, SOC 2, SOC 3, Agreed Upon Procedure, and customized AT-101 engagements. Michael is deeply involved with helping customers leverage the advantages of the HITRUST Assessment XChange for third parties. He has extensive knowledge of financial reporting and regulatory standards through his external audit and consulting experience, including Sarbanes Oxley, HIPAA, NIST, CMS, and state-specific standards. He is an active member of ISACA and IAPP.