Demystifying TEFCA: Ins and Outs of the Exchange Framework

Date post: 17-Sep-2020
1 Demystifying TEFCA: Ins and Outs of the Exchange Framework Session 182, February 13, 2019 Johnathan Coleman CISSP Principal, Security Risk Solutions, Inc.
Transcript
Page 1: Demystifying TEFCA: Ins and Outs of the Exchange Framework · 2019. 2. 12. · TEFCA Recognized Coordinating Entity within 15 days (note this is more stringent than the HIPAA Breach

1

Demystifying TEFCA: Ins and Outs of the Exchange Framework

Session 182, February 13, 2019

Johnathan Coleman CISSP

Principal, Security Risk Solutions, Inc.

2

Conflict of Interest

Johnathan Coleman, CISSP, is a contractor for the Office of the National Coordinator for Health IT (ONC) and the Defense Health Agency (DHA).

All views expressed in this presentation are my own and do not reflect any official Government policy or position.

All content in this presentation is based on public information. No confidential information was used in the development or content of this presentation.

3

Agenda

• Learning Objectives

• What is TEFCA?

• Who are the stakeholders?

• What is the US Core Data for Interoperability (USCDI)?

• Resources

4

Learning Objectives

• Describe the key elements of TEFCA, the ONC's Trusted Exchange Framework and Common Agreement.

• Discuss and define the roles and requirements for key participants in TEFCA, including the Recognized Coordinating Entity (RCE), qualified health information networks (QHINs), participants (provider organizations) and end-users.

• Explain requirements for standards and common capabilities.

5

What is TEFCA?

Section 4003 of the 21st Century Cures Act directs ONC to “develop or support a Trusted Exchange Framework, including a Common Agreement among health information networks nationally,” which may include:

• A common set of rules for trusted exchange

• A common method for authenticating trusted health information network participants

• Organizational and operational policies to enable the exchange of health information among networks, including minimum conditions for such exchange to occur

• A process for filing and adjudicating noncompliance with the terms of the common agreement

6

https://www.healthit.gov/sites/default/files/draft-guide.pdf

7

https://www.healthit.gov/sites/default/files/draft-guide.pdf

8

Part B

• Notable Part B components include:

– The requirement for Qualified Health Information Networks (QHINs) to implement identity proofing of users at a minimum of IAL2 (with exceptions).

– Compliance with HIPAA Privacy/Security-Breach Notification requirements, plus reporting of breaches to the TEFCA Recognized Coordinating Entity within 15 days (note this is more stringent than the HIPAA Breach Notification Rule).

– Open question on how to comply with CUI requirements, which include compliance with NIST SP 800-171.

9

Stakeholders

• Users:

– Health Information Networks (HINs)

– Federal Agencies

– Public Health Organizations

– Payers

– Technology Developers

– Providers

– Individuals

10

TEFCA Stakeholder Definitions

• Recognized Coordinating Entity (RCE)

• Qualified Health Information Network (QHIN)

• Participant

• End User

11

Recognized Coordinating Entity (RCE)

• The RCE is the entity to be selected by ONC that will enter into agreements with HINs that qualify and elect to become Qualified HINs.

• The RCE will act as a governance body that will operationalize the Trusted Exchange Framework by incorporating it into a single, all-encompassing Common Agreement to which Qualified HINs will agree to abide.

• The RCE will work with stakeholders from across the industry to update the TEFCA over time to account for new technologies, policies, and use cases.

12

Qualified Health Information Network (QHIN)

• A QHIN is a network of organizations working together to share data.

• QHINs will connect directly to each other to ensure interoperability between the networks they represent.

• QHINs will act as Connectivity Brokers – providing the following functions with respect to all Permitted Purposes: Master Patient Index; Record Locator Service; Broadcast and Directed Queries; and EHI return to an authorized requesting Qualified HIN.

13

Participant

• A Participant is a person or entity that participates in the QHIN.

• Participants connect to each other through the QHIN, and access organizations not included in their QHIN through QHIN-to-QHIN connectivity.

• Participants can be HINs, EHR vendors, and other types of organizations.

14

End User

• An End User is an individual or organization using the services of a Participant to send and/or receive electronic health info.

15

US Core Data for Interoperability (USCDI)

• The USCDI identifies the data set to be available for exchange and standards for the content and format of that data.

– The draft USCDI used the Common Clinical Data Set (CCDS), as defined by the 2015 Certification Criteria Edition, but has since been proposed as a standard (2/1/2019).

• USCDI is designed to be expanded in an iterative and predictable way over time.

16

US Core Data for Interoperability (USCDI)

• As part of the Notice of Proposed Rulemaking (NPRM) to Improve the Interoperability of Health Information, published 2/11/2019, ONC proposes to remove the CCDS definition and its references from the 2015 Edition and replace it with the USCDI as a standard. This will:

– Increase the minimum baseline of data classes that must be commonly available for interoperable exchange, and

– Facilitate the adoption of new data classes as USCDI expands.

17

https://www.healthit.gov/sites/default/files/nprm/ONCCuresNPRMUSCDI.pdf

18

https://www.healthit.gov/sites/default/files/nprm/ONCCuresNPRMUSCDI.pdf

19

TEFCA – Resources (1)

https://www.healthit.gov/sites/default/files/nprm/ONCCuresNPRMImplementation.pdf

20

TEFCA – Resources (1)

• ONC proposes that interoperability means, with respect to health IT, such health IT that: (1) enables the secure exchange of electronic health information (EHI) with, and use of EHI from, other health IT without special effort on the part of the user; (2) allows for complete access, exchange, and use of all electronically accessible health information for authorized use under applicable state or federal law; and (3) does not constitute information blocking.

• The proposed definition is consistent with the Cures Act interoperability definition.

https://www.healthit.gov/sites/default/files/nprm/ONCCuresNPRMImplementation.pdf

21

TEFCA – Resources (1)

ONC proposes to promote policies that would ensure a patient’s EHI is accessible to that patient and the patient’s designees, in a manner that facilitates communication with the patient’s health care providers and other individuals, including researchers, consistent with such patient’s consent through the following proposals:

USCDI standard; “EHI export” criterion; “standardized API for patient and population services” criterion, “data segmentation for privacy (DS4P)” criteria, “consent management for APIs” criterion; API Condition of Certification; and information blocking requirements, which include providing patients access to their EHI at no cost to them.

https://www.healthit.gov/sites/default/files/nprm/ONCCuresNPRMImplementation.pdf

22

TEFCA – Resources (1)

ONC Main TEFCA Page: https://www.healthit.gov/topic/interoperability/trusted-exchange-framework-and-common-agreement

Draft Trusted Exchange Framework [PDF] https://www.healthit.gov/sites/default/files/draft-trusted-exchange-framework.pdf

Draft U.S. Core Data for Interoperability (USCDI) and Proposed Expansion Process [PDF] https://www.healthit.gov/sites/default/files/draft-uscdi.pdf

Notice of Proposed Rulemaking to Improve the Interoperability of Health Information https://www.healthit.gov/topic/laws-regulation-and-policy/notice-proposed-rulemaking-improve-interoperability-health

23

TEFCA – Resources (2)

A User’s Guide to Understanding the Trusted Exchange Framework [PDF] https://www.healthit.gov/sites/default/files/draft-guide.pdf

Structure of a Qualified Health Information Network [PDF] https://www.healthit.gov/sites/default/files/tefca_qa_webinar_1.19.pdf

Public Comment received by ONC on Draft TEFCA [XLSX] https://beta.healthit.gov/sites/default/files/page/2018-02/Copy%20of%20tefca%20draft_public_comments%20final.xlsx

24

Questions?

Johnathan Coleman, CISSP

Principal, Security Risk Solutions, Inc.

Mt. Pleasant, SC 29464

(843) 442 9104

[email protected]

www.securityrisksolutions.com

Please complete the online session evaluation. Thanks!

