In the 2018 Marvel film Black Panther, genius inventor Princess Shuri quips that “just because something works does not mean it cannot be improved.” It’s a message the healthcare industry has taken to heart, as it has continuously searched for ways to improve the patient experience.
Still, one area that continues to place a tremendous burden on patients is when they need to receive medical care outside of their normal environment—while traveling, or when they relocate across the country and they need a new healthcare provider, for example—there’s a lack of healthcare provider interoperability that leads to inefficient care. What would help is if healthcare providers could more easily receive the patient’s health information from their primary provider so that the current provider would have all they need to effectively treat the patient with minimal patient effort.
Good news—this is the goal of the Trusted Exchange Framework and Common Agreement (TEFCA). As HIPAA assessors, we understand the many complexities healthcare organizations face—not just in pleasing patients with the best experience possible, but also with compliance. TEFCA will make the former easier, but in this article, we’re going to explain more about this new development and how affects HIPAA compliance.
What is a TEFCA Qualified Health Information Network?
At the core of the TEFCA are Qualified Health Information Networks (QHINs), which are interconnected entities—healthcare information exchanges—that allow for a more productive information-sharing environment, but also:
- Must follow a specific set of conditions to share electronic protected health information (ePHI); and
- Be designated by the Recognized Coordinating Entity (RCE).
The establishment and use of QHINS should help ease the friction for patients when they lack access to their records upon switching providers or seeking treatment from a different provider in an emergency, and the wheels are already in motion to get to easier secure sharing.
Epic—one of the nation’s largest electronic health records companies—announced in June of 2022 that it would be applying to be designated as a QHIN to help forge future interoperability. Once they meet the requirements and achieve status as a QHIN, Epic’s Participants will have access to the healthcare information from other QHINs.
Breaking Down QHIN Structure
But to get to that point, Epic and other health information exchanges will need to qualify and be designated as a QHIN, and that means meeting the aforementioned specific set of security conditions. Before we get into those, we should first establish how QHINs are organized, and it all starts with the aforementioned RCE.
Right now, that’s The Sequoia Project—a non-profit focused on the secure, interoperable exchange of health information nationwide. Designated by the Office of the National Coordinator for Health Information Technology (ONC), the RCE will provide oversight on QHINs that will each contain Participants and Subparticipants:
- Participants, upon choosing a QHIN to partner with, enter a contract with that QHIN and are then able to exchange their information with other QHINs.
- Examples of Participants: Providers, health information exchanges, and electronic health records systems, among others.
- Subparticipants enter into agreements with Participants to use the services provided by the Participant.
- Examples of Subparticipants include—among others—individual users who use a healthcare application. In that case, the application would be the Participant, sharing information through its QHIN and the user would be a Subparticipant who would be required to enter into an agreement with the developers of the application to use the service.
Altogether, those within the QHIN work together to meet and uphold the Common Agreement, which contains the required technical infrastructure model and governing approach for secure sharing.
What are the HIPAA Requirements for QHINs?
Now, all of these entities that join a QHIN will be required to meet certain security requirements. While maintaining security has always been a significant concern any time there is sensitive patient information being exchanged, TEFCA implements specific mandates to ensure that any information that is exchanged between QHINs is secure.
These include:
- Sign the Common Agreement (CA) with the RCE, a contract that includes language stating that the health information network looking to be designated as a QHIN must comply with the HIPAA Privacy Rule and the HIPAA Security Rule.
- Implement and follow QHIN standard operating procedures (SOPs), which include the QHIN Security Requirements for the Protection of TEFCA Information that states QHINs must not only follow the HIPAA Security Rule but the Rule must also be followed even if the QHIN is not a covered entity or business associate.
- Demonstrate compliance with a nationally recognized security framework as part of those SOPs, which can be done by completing a third-party cybersecurity certification process conducted by a certifying body that is approved by the RCE.
- QHINs are required to obtain a HIPAA security analysis which is reviewed as a part of the certification process.
- In addition, QHINs must conduct annual third-party audits of in-scope systems which includes requirements regarding the HIPAA Security Rule.
Though QHINs are intended to facilitate the easier transfer of patient information, TEFCA also ensures that QHINs have adequate and proven security parameters in place.
Their Participants and Subparticipants also must be appropriately secure, and that includes becoming HIPAA compliant. In the CA that QHINs sign with the RCE, many requirements are listed as Required Flow-Down, which means that, when Participants and Subparticipants sign contracts with them, QHINs become responsible for ensuring that they follow the designated requirements.
Among those listed Required Flow-Down provisions are Section 11 and Section 12, which include the HIPAA Privacy Rule and HIPAA Security Rule—any Participants participating in a TEFCA QHIN must follow these rules if they are to receive any information.
Next Steps for TEFCA and HIPAA - HITRUST r2 Certification
TEFCA is the latest attempted improvement to the patient experience, and as the healthcare industry progresses further toward its requirements, it’ll be essential for healthcare technology providers to ensure that the correct security choices are made to comply with QHIN standards—a large part of which includes the HIPAA requirements that also apply to QHIN Participants and Subparticipants.
But it won’t be enough to just follow the HIPAA Security and Privacy Rules—right now, the HITRUST CSF is currently the only framework accepted to demonstrate compliance with TEFCA standards. Recall that the aforementioned requirements described necessary compliance with a nationally recognized security framework through a third-party certification—as the result of a third-party HIPAA audit is an attestation rather than a certification, merely meeting HIPAA requirements and passing that audit does not fulfill that requirement.
Instead, prospective QHINs can demonstrate compliance with TEFCA security measures via a HITRUST r2 Certification. The HITRUST CSF combines multiple frameworks and regulatory factors into a comprehensive assessment that includes HIPAA—to learn more about it, check our content on how to get started there:
And if you find you have more questions regarding these new developments in the healthcare compliance sphere, we’re here for you as one of the most prolific HITRUST external assessors. Please feel free to connect with us so that our team can address both your concerns and your compliance needs.