HITRUST’s Role in the New Trusted Exchange Framework and Connected Agreement (TEFCA)

By Anne Kimbol, Chief Privacy Officer, HITRUST

The federal government took a significant step last month to streamline the exchange of information that helps provide critical healthcare to many Americans.

The step involves a nationwide network of health information networks – the organizations that move clinical information electronically among different healthcare information systems.

On April 19^th, the Office of the National Coordinator for Health Information Technology (ONC) released the second draft of the Trusted Exchange Framework (TEF) and the Minimum Required Terms and Conditions for Trusted Exchange (MRTCs). The ONC also released the first draft of the Qualified Health Information Technical Framework (QTF) and the Notice of Funding Opportunity (NOFO) for the Recognized Coordinating Entity (RCE). This furthers ONC’s work from the first draft of the TEF by seeking a non-profit organization to step forward to help create and maintain this new “network of networks” to share health information.

For anyone not familiar with TEFCA, it stems from the 21^st Century Cures Act passed in December 2016. Congress wanted to ensure that nationwide health information exchange is happening in an efficient and effective way and asked for a framework from ONC to help. In the current health information exchange space, many providers, particularly large health systems and health insurers, find themselves connecting with five or more health information networks in order to get and give the information they need. This flow of information results in substantial administrative and technical costs.

The ONC released its initial draft of the TEF and MRTCs in January 2018 and received a tremendous amount of feedback. This is reflected in the time lag between the two drafts and the amount of work ONC had to do to prepare the second draft. The initial draft of the TEF introduced the concept of a Qualified Health Information Network (QHIN) and clarified that the goal of the TEF is to have a single on-ramp to nationwide interoperability.

ONC will also name the RCE, a private non-profit organization that will oversee the day-to-day administration of the QHIN system and work with ONC on the ‘Connected Agreement’ that QHINs will need to adhere to protect health care information. ONC announced during a May 15^th webinar that they intend to select the RCE in the August timeframe.

It is important to note that the “trusted” in the TEFCA name can only be achieved with strong privacy and security protections. QHINs, their participants, and end users must all be storing and sharing information in a safe, secure, and appropriate manner. Without proper privacy and security requirements and monitoring of the implementation, the system will fail. ONC’s documents reflect the need for the RCE to monitor the QHINs’ compliance, the ability of QHINs to monitor their participants, and participants to monitor their participant members in turn.

HITRUST has been closely monitoring the TEFCA process from the beginning. The new system will impact medical providers, health insurance companies, social services systems, service providers for these businesses, and all other entities interested in being able to exchange health data through the new TEFCA system – a “network of networks.” While a lot is unknown, including the final requirements and whether the TEFCA system will become widely adopted, the potential impact on US businesses should not be underestimated.

HITRUST has garnered years of experience in supporting health information exchanges and has been actively involved with many of the nation’s health information networks (HIEs) through various national and state initiatives. Based on the latest release of TEFCA, HITRUST is positioned to support the RCE, QHINs, participants, and participant members’ need to show their compliance with the privacy and security requirements in the TEF and the MRTCs. To make the process more streamlined, HITRUST will be implementing a scorecard based on the ONC Security Risk Assessment tool as well as adding an authoritative source on TEFCA and simplify how organizations demonstrate their compliance with other TEFCA data protection requirements. The HITRUST Approach of “Assess Once, Report Many” applies to QHINs and their participants as it does for other businesses.

Many QHINs and participants will have responsibilities beyond the TEFCA system on data protection. HITRUST allows them to use the same assessment for TEFCA and for their overall information risk and compliance status. Some of the advantages of the HITRUST Approach include that it is scalable, risk-based, and is updated on a regular basis to ensure that as entities and requirements evolve, so does the HITRUST CSF and its Certification Program.

The HITRUST Assessment XChange™, which provides a means for electronically exchanging HITRUST CSF® Assessment information, could also help the RCE as well as QHINs and their participants by streamlining the process of ensuring that entities have completed their HITRUST CSF Certification.

HITRUST looks forward to continued updates on the TEFCA program and assisting current and future customers in demonstrating their compliance with its requirements. HITRUST maintains its commitment to help entities worldwide assess and document their data protection programs and how well they are implemented now and in the future.