The U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) released earlier this year the Trusted Exchange Framework and Common Agreement (TEFCA), which is intended to improve electronic interoperability among health information networks (HINs) and facilitate the exchange of health information among connected organizations. 

Importantly, TEFCA is not just about HINs.  Under TEFCA, any organization that connects to a HIN designated as a Qualified HIN (QHIN) may be able to meet many interoperability and information sharing obligations without implementing technology integrations on a request-by-request basis.  ONC believes that TEFCA will “reduce the need for duplicative network connectivity interfaces, which are costly, complex to create and maintain, and an inefficient use of provider and health IT developer resources.” ONC stated that connected organizations “will be able to share information with all other connected entities regardless of which QHIN they choose.” 

However, participation in TEFCA comes with a price.  Organizations that connect to QHINs, either directly or indirectly, will likely need to agree to new contractual requirements that flow-down from QHINs.

What is TEFCA?

The TEFCA fulfills a 21st Century Cures Act mandate for ONC to “develop or support a trusted exchange framework for trust policies and practices” and to create “a common agreement for exchange between health information networks.” The new framework imposes data-sharing requirements on QHINs, as well as QHIN-connected organizations (Participants) and organizations who connect to a QHIN indirectly through an intermediary (Subparticipants).  

TEFCA is consistent with other healthcare technology regulations and rules we have previously covered on this blog. ONC expects information sharing among QHINs and downstream organizations will improve access to health information where the patient needs and wants it, continuing government efforts to improve individual access to health information. Interoperability improvements enabled by QHINs can also simplify and expedite health information sharing, in line with proposed patient-friendly modifications to the HIPAA Privacy Rule and ONC’s Interoperability and Information Blocking Rules. 

Qualified Health Information Networks

TEFCA begins with HINs. HINs can voluntarily apply to become a QHIN if the HIN (1) agrees to execute a contract that incorporates binding Standard Operating Procedures (SOPs) required of each QHIN (called the “Common Agreement”), and (2) adheres to the technical interoperability elements (the “QHIN Technical Framework”).  

ONC has designated the Sequoia Project, a non-profit advocate for nationwide health information exchange, as the Registered Coordinating Entity (RCE) to oversee TEFCA. HINs that seek certification as QHIN must receive approval from the RCE. After certification, QHINs must submit to ongoing oversight by and collaboration with the RCE, as specified by the Common Agreement and QHIN Technical Framework.

Trusted Exchange Framework

ONC also published a set of non-binding strategic priorities (the “Trusted Exchange Framework”) to help increase interoperability among HINs. These principles attempt to align information sharing priorities across systems that use or store health information, including QHINs, Health Information Exchanges (HIEs), Qualified Clinical Data Registries (QCDRs), networked Electronic Health Records (EHRs), and other types of HIN in general. The Sequoia Project’s “User’s Guide to TEFCA” provides additional detail about the Common Agreement, QHIN Technical Framework, and Trusted Exchange Framework.

Perhaps most relevant to organizations considering participation are the new contractual requirements imposed by QHINs under provisions of the Common Agreement.

Common Agreement Flow-Downs: TEFCA’s Impacts on Participants and Subparticipants 

Participants and Subparticipants in QHINs will be required to execute an agreement that includes the Common Agreement’s “flow-down” provisions. Some of the flow-down provisions are similar to obligations in HIPAA business associate agreements (e.g., privacy and security safeguards). However, the flow-down obligations may be entirely new to organizations not currently subject to HIPAA (including many mobile app developers) that want to facilitate patient access to health information via a QHIN.  For this reason, the anticipated scope of TEFCA goes beyond current rules and regulations (e.g., ONC’s Interoperability and Information Blocking Rules) in protecting health information while promoting its availability across platforms. 

The flow-down requirements applicable to Participants and Subparticipants include, for example: 

  • Responding in a timely manner to inquiries about exchanges of health information; 
  • Collaborating in discussions with the RCE and QHINs to address interpretations of the Common Agreement and flow-down requirements; 
  • Notifying of persistent and widespread connectivity failures and cooperating to address them; 
  • Providing information to help understand, contain, and mitigate a data security incident, subject to assertions of privilege and confidentiality obligations; 
  • Not including any exclusivity provisions in contracts connected to health information sharing; 
  • Not impeding the permitted or required exchange of health information or limiting interoperability in a discriminatory manner; 
  • Limiting the use and disclosure of confidential information; 
  • Limiting the use and disclosure of health information received from a QHIN; 
  • Responding to certain requests for health information received by a QHIN. 

Additionally, providers of Individual Access Services (i.e., services used by patients to access, inspect, or obtain their health information directly or indirectly from the QHIN network) may have additional contractual flow-down obligations under TEFCA.  Developers of Individual Access Services who agree to these contract terms may then connect to the QHIN network through a single QHIN connection. These contractual requirements include:  

  • Publishing detailed privacy and security notices; 
  • Obtaining consent before requesting and receiving any health information directly or indirectly from QHINs; 
  • Granting user rights to delete or export data; 
  • Implementing certain data security measures including encryption of the data in transit and at rest.  

Impact on the Exchange of Health Information

ONC has stated that the Common Agreement will require health information exchange among QHINs for six purposes (the “Exchange Purposes”). Initially, the Common Agreement requires health information exchange among QHINs for the Exchange Purposes of (i) treatment and (ii) patient access services. In the future, health information exchange by QHINs will encompass the Exchange Purposes of (iiia) payment, (iv) health care operations, (vc) public health, and (vid) government benefits determination. Other Exchange Purposes may also be added.  These requirements are intended to promote the sharing of health information for a variety of purposes, in addition to the more familiar Treatment, Payment, and Operations functions specified by HIPAA.

In addition to promoting the exchange of health information among QHINs, TEFCA may increase the availability of health information to health care providers and other organizations. ONC released TEFCA to reduce friction that results when organizations must manage connections with multiple HINs to access relevant information (given that any single connection may entail complex technical planning and contractual negotiation). Once TEFCA is fully operational, ONC posits, an organization can connect to one QHIN that will then provide access to the health information accessible from all the (a) organizations that connect to that QHIN, (b) other QHINs, and (c) organizations that connect to those other QHINs. If QHINs can achieve sufficient scale, there would be little or no need to build connections and contract with multiple HINs.

One important consideration is that organizations required to comply with the Interoperability and Information Blocking Rules may have a new tool in their toolbox for responding to requests for health information. Currently, many organizations may struggle to respond to various requests in accordance with the Information Blocking Rule. These organizations are searching for reasonable alternatives to new interfaces, integrations, or various other solutions for providing relevant data.

If TEFCA has the impact ONC plans, these organizations could meet certain of their obligations under the Interoperability and Information Blocking Rules by making the data available to a QHIN, which in turn is required to make the health information available to requestors in compliance with TEFCA’s consistent standards.

The Sequoia project is scheduled to begin approving QHINs in late 2022, so the ultimate impact of TEFCA remains to be seen. One major EHR vendor has already announced its intention to become a QHIN, and others may soon follow.

Even after QHINs are designated, TEFCA will continue to evolve over time, including with updates to the Common Agreement, new Technical Standards, and more SOPs for Participants and Subparticipants to implement. Organizations with a critical need for health data might benefit from a connection, but many details remain unsettled—including the cost of connection and the extent of participation by various stakeholders in the health system.

In the meantime, similar state-based efforts may provide insight into future possibilities under TEFCA. For example, California’s Data Exchange Framework (mandating information sharing among medical providers and state social services agencies) may inform pending TEFCA SOPs regarding the exchange of medical information to address social determinants of health and to support public health in general.

Reed Smith will continue to track developments related to TEFCA as QHINs are certified and this new framework becomes operational. Please reach out to the health care attorneys at Reed Smith if you have any questions about how this and other interoperability initiatives might affect your organization.