TEFCA pages banner image

Assuring the Trust in TEFCA Interoperability

HITRUST is supporting the security requirements of the Trusted Exchange Framework and Common Agreement (TEFCA) program. The TEFCA Recognized Coordinating Entity (RCE) – The Sequoia Project – has selected HITRUST and the HITRUST r2 Certification as the first certifying body and certification for organizations to prove they comply with the TEFCA security requirements for their Qualified Health Information Network (QHIN) designation.

TEFCA, born from the 21st Century Cures Act, was approved by the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) for the U.S. Department of Health and Human Services for national-level healthcare interoperability. TEFCA brings together public and private stakeholders to develop and support an exchange framework for trust policies and practices, as well as a common agreement for data exchange between Health Information Networks.

HITRUST is Actively Certifying Potential Qualified Health Information Networks (QHINs)

TEFCA specifies strong security safeguards for the protection of TEFCA Information (TI) in the Common Agreement (§12.1.2), flow-down provisions, and Standard Operating Procedures (SOP) including the requirement that QHINs “shall achieve and maintain third-party certification to an industry-recognized cybersecurity framework demonstrating compliance with all relevant security controls.” HITRUST is the only certifying body currently recognized by the RCE for meeting the Common Agreement criteria for cybersecurity. Organizations seeking Qualified Health Information Network status can meet TEFCA security requirements using the HITRUST r2 Certification. HITRUST is actively certifying potential QHINs.

Learn More

HITRUST Selected for TEFCA Security Certification

The HITRUST r2 Certification provides Health Information Networks with the third-party certification required by the RCE to achieve qualification as a Qualified Health Information Network (QHIN) under the Common Agreement for Nationwide Information Interoperability and associated flow-down provisions.

Health Information Networks Aligning with TEFCA

Health Information Networks preparing for certification using the HITRUST Assurance Program may be assured that the control requirements, depth of quality review, and consistency of oversight afforded by the HITRUST r2 Validated Assessment + Certification meets the requirements for participation in the Trusted Exchange Framework.

Trust for Participants and Subparticipants

QHINs are responsible to ensure that Participants and Subparticipants that connect to them within the trusted exchange implement and maintain appropriate security controls commensurate with risks to the confidentiality, integrity, and availability of TEFCA Information. Participants and Subparticipants will also be required to adhere to forthcoming security requirements that may be published as Standard Operating Procedures for Participants and Subparticipants.

Because over 80% of hospitals, health plans, and top cloud service providers use the HITRUST CSF framework, HITRUST is well-positioned to support QHINs and provide resources to them, their Participants, and Subparticipants in support of implementing and maintaining appropriate security controls.

HITRUST Approach Provides End-to-end Programs, Solutions, and Methodologies that Meet TEFCA Certification Requirements

  • HITRUST CSF provides the foundation of HITRUST Assessments and Certifications by integrating and harmonizing appropriate security and privacy controls and more than 40 authoritative sources — including HIPAA.
  • HITRUST MyCSF offers an efficient and cost-effective platform for assessing and reporting information risk and compliance including TEFCA requirements.
  • HITRUST r2 Validated Assessment + Certification meets security control compliance requirements for participation in the Trusted Exchange Framework.
  • HITRUST Assurance Program provides the highest quality and consistency standards to ensure that all HITRUST Assessments and Certifications deliver accuracy and Rely-Ability.
  • HITRUST Inheritance delivers efficiencies which allow QHINs that facilitate or offer healthcare applications and services on the Trusted Exchange Framework to enable Participants to reduce assessment time and complexity by inheriting security controls from their HITRUST r2 Certification, as well as define and document shared responsibilities.
  • HITRUST Results Distribution System (RDS) is an online toolkit that provides QHINs with the appropriate dashboards to document and report the results of their certification to the Recognized Coordinating Entity, as well as helping to successfully manage the third-party risk of Participants and Subparticipants that are leveraging the HITRUST CSF and have achieved validation or certification.
  • HITRUST Assessment XChange is an extension of your organization’s third-party risk management program to assess and track the inherent risk of third-party vendors and determine what level of assurance/type of certification that business partners need to satisfy TEFCA requirements.


For More Information about How HITRUST Can Be a Valuable Resource to Help Your Organization Meet TEFCA Information Security Certification Requirements:

Call: 855-448-7878 or Email: sales@hitrustalliance.net

Chat Now

This is where you can start a live chat with a member of our team