What is TEFCA?
TEFCA was designed to be used by a wide range of organizations and public health institutions that are designated as QHINs (Quality Health Information Networks).
This allows a variety of network providers to meet their obligations without having to work on a request-by-request basis.
The Trusted Exchange Framework and Common Agreement (TEFCA) was released by the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology to improve the digital transfer of health information between provider networks. Though this new data streamlining method goes beyond the scope of health information networks.
The Office of the National Coordinator hopes that in time TEFCA will be able to reduce the need for duplicative networks which tend to be cost-prohibitive, as well as complex to create and maintain.
If successful TEFCA will evolve into a new more cost-efficient way to transfer information throughout the medical and mental healthcare industries.
Though some contractual requirements need to be met in order for a health information network to be considered “Qualified.”
However, participation in TEFCA comes with a price. Organizations that connect to QHINs, either directly or indirectly, will likely need to agree to new contractual requirements that flow down from QHINs.
How to Become a Qualified Health Information Network
Currently, participation in TEFCA is voluntary and any HIN that is hoping to become qualified as a system user needs to:
Agree to a contract that incorporates binding Standard Operating Procedures known as “The Common Agreement.”
Adhere to the technical interoperability elements known as the “QHIN Technical Framework.”
The Office of the National Coordinator utilizes a non-profit advocate known as the Sequoia Project as the Registered Coordinating Entity (RCE). They directly oversee TEFCA and play a crucial role in ensuring that all HINs that seek certification agree to and adhere to all qualification requirements.
This includes making sure that the QHINs actively submit to ongoing oversight from the Sequoia Project. They also publish and maintain the User’s Guide to TEFCA with in-depth information on the Common Agreement, QHIN Technical Framework qualifications, and the Trusted Exchange Framework.
What Is the Trusted Exchange Framework?
TEFCA’s backbone is a “Trusted Exchange Framework” that’s designed to boost the seamless interoperability among QHINs to optimize sharing priorities across different systems as well as efficient storage of health information. This includes storing Electronic Health Records and Qualified Clinical Data.
TEFCA’s Common Agreement Flow-Down Pertains to Participants & Sub-Participants
Within TEFCA’s framework, QHINS can be broken down into Qualified Participants and Sub-Participants. Each is still required to execute the Common Agreement’s flow-down provisions, which have the same security and privacy obligations as HIPAA. This includes provisions for network-to-network data transfer as well as mobile information transfers to devices.
The common agreement includes flow-down covenants, that both participants and sub-participants must contractually agree to:
Respond promptly to inquiries about exchanges of health information.
Collaborate with QHINs and the Registered Coordinating Entity when addressing interpretations.
Notifying about any connectivity failures and then cooperating to help correct them.
Provide ongoing information to help mitigate and contain any data security incident to maintain privacy and confidentiality standards.
Abstain from any exclusivity provisions in contracts connected to health information sharing.
Limit the use and prevent the unauthorized disclosure of confidential information.
Limit the use and prevent the unauthorized disclosure of health information received from a QHIN.
Respond to requests for health information received by a QHIN
Participants and sub-participants in TEFCA might also need to agree to additional contractual obligations for Individual Access Services which requires them to:
Publish detailed privacy and security notices.
Obtain the necessary consent before requesting health information directly or indirectly.
Making sure they receive consent before allowing access to any health information.
Grant direct user rights to delete or export data.
Implement best-practices data security measures for encryption of the data in transit or when it is archived.
How TEFCA Affects the Exchange of Health Information
The Common Agreement specifically requires health information exchange between QHINs to address six facets known as “Exchange Purposes.”
Patient treatment
Patient access services
Payment
Healthcare operations
Public health
Government benefits determination.
In the future, other Exchange Purposes might also be added as TEFCA evolves to meet the needs of QHINs. This will likely include increased availability of health information to healthcare providers and other organizations.
The underlying goal is for TEFCA to help reduce friction that results when organizations need to manage connections and data flow between multiple HINs. As the Common Agreement streamlines complex technical planning and contractual negotiations.
The Importance of Interoperability Compliance
Interoperability compliance plays a key role in helping TEFCA participants when responding to requests for health information. Before TEFCA’s inception, a lot of healthcare organizations struggled to respond to the wide range of information requests they received.
Though under the Information Blocking Rule, many of these organizations have access to reasonable alternatives to new interfaces, integrations, or methods for transferring relevant data.
TEFCA’s Cybersecurity Requirements
The cybersecurity requirements of TEFCA via the Trusted Exchange Framework and the Common Agreement are outlined in the Standard Operating Procedure document. This is a series of TEFCA cybersecurity mandates that ensure all participants adhere to the following criteria:
Third-Party Certification
All qualified HINs must maintain HITRUST r2 certification. Though they can attain it from any certifying body so long as they adhere to the requirements listed in the SOP.
Consenting to Annual Technical Audits
All TEFCA participants must consent to periodic Security Risk Assessments and must obtain a third-party security assessment with a technical audit at least once per year. TEFCA participants also need to provide evidence of compliance and are required to respond to the findings of the security assessment within 30 days.
Engaging in Penetration Testing
All participating TEFCA organizations must engage in a comprehensive internet-facing penetration test at least once per year.
Maintain a Designated Chief Information Security Officer
All TEFCA participating organizations must assign a dedicated CISO to serve as the signatory for the QHIN-to-QHIN exchange.
Perform an Internal Network Vulnerability Assessment
An internal network vulnerability assessment must be performed and include a review of the results of vulnerability scans along with a review of patch and vulnerability management records.
Cybersecurity Council Membership
As the Recognized Coordinating Entity the Sequoia Project will establish a Cybersecurity Council which includes members from QHIN CISOs. They routinely report the cybersecurity status of their programs to the council.
Confidentiality of Information
The Sequoia Project along with all QHINs is required to maintain the confidentiality of any security-related information shared as part of the Cybersecurity Council and related data.
The Use of Encryption
All participating TEFCA organizations are required to encrypt all individually identifiable information both in transit and in their archives.
Security Incident Notifications & Disclosure
Any TEFCA security incident must be notified and disclosed to all parties within 5 calendar days of an occurrence. The CISO signatory will provide notification to the Sequoia project as well as all QHINs that may have been impacted.
Maintaining Subcontractor Security
TEFCA participants must ensure that all subcontractors and third-party agents meet the necessary security requirements outlined in the CA and the associated SOP.
Cybersecurity Insurance Coverage
A TEFCA-participating organization must maintain a variety of cyber insurance coverages. This includes:
A policy or policies of insurance for cyber risk
Insurance coverage for technology errors and omissions
Sufficient internal financial reserves to self-insure against a cyber incident
Questions, ideas or concerns about TEFCA? Contact us today and we are available to help your organization.