Organizations seeking Qualified Health Information Network status can meet TEFCA security certification using HITRUST r2 Certification
August 22, 2022 – Frisco, Texas – HITRUST is supporting the security requirements of the Trusted Exchange Framework and Common Agreement (TEFCA) program. The TEFCA Recognized Coordinating Entity (RCE) – The Sequoia Project – has selected HITRUST and the HITRUST Risk-based, 2-year (r2) Certification as the first certifying body and certification for organizations to prove they comply with the TEFCA security requirements for their Qualified Health Information Network (QHIN) designation. HITRUST is also available to support TEFCA Participants and Subparticipants in the security of TEFCA Information (TI) under the Framework Agreements.
TEFCA, born from the 21st Century Cures Act, was approved for national-level healthcare interoperability by the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC). TEFCA brings together public and private stakeholders to develop and support an exchange framework for trust policies and practices, as well as a common agreement for data exchange between Health Information Networks. TEFCA specifies strong security safeguards for the protection of TI in the Common Agreement (§12.1.2), flow-down provisions, and Standard Operating Procedures (SOP), including the requirement that QHINs “shall achieve and maintain third-party certification to an industry-recognized cybersecurity framework demonstrating compliance with all relevant security controls.” HITRUST is actively certifying potential QHINs.
The HITRUST r2 Certification is the only assessment recognized by the RCE for meeting the Common Agreement criteria for cybersecurity. This recognition further demonstrates the comprehensiveness and Rely-Ability™ of the r2 Certification, while further extending the value that assessed entities receive from their HITRUST r2 Certification. In addition, HITRUST is actively evaluating the information security and assurance reporting needs of QHIN Participants and Subparticipants to ensure its portfolio of assessments aligns with the broad needs of all constituents when sharing digital health information through a QHIN.
“Appropriate access to actionable patient data requires the secure and trusted exchange of health information,” said Steve Yaskin, CEO & Co-founder of Health Gorilla. “Health Gorilla is working toward HITRUST r2 Certification and becoming one of the first designated QHINs under TEFCA. HITRUST’s rigorous approach to evaluation and depth of review not only meet the requirements of the ONC, but also support our goal of proving our qualification to protect and exchange digital health information where it is needed.”
TEFCA is an important advancement in health information security because:
- The COVID pandemic underscored the need to simplify health data exchange for patient care and public health purposes.
- Healthcare organizations are currently burdened with too many costly, inefficient – and possibly inaccurate and insecure – interfaces between organizations.
- TEFCA will reduce expensive, complex, and duplicative information interfaces to streamline sharing across needs and platforms.
The QHIN is the entity with the technical capabilities and organizational attributes to connect Health Information Networks on a national scale, so it’s critical that they are held to elevated security standards. The QHIN supports Participants, also important in the security chain, which includes providers, payers, health IT systems, and other entities that control data. And from the Participants, flow Subparticipants with their own data responsibilities.
“HITRUST is uniquely poised to help ensure those requiring access to the health data from across the ecosystem are trusted,” said Mike Parisi, Vice President of Adoption and Business Development for HITRUST. “As one of the most prominent initiatives in healthcare since Meaningful Use, we will be engaging organizations proactively to help them get ahead of TEFCA and its security requirements.”
HITRUST will be distributing educational material to help organizations comply with the TEFCA security requirements. Existing adopters can reach out to their HITRUST representative, and others can go to HITRUST Central to access the TEFCA discussion forum. Visit the HITRUST TEFCA initiative section of our website here: https://hitrustalliance.net/tefca/