Long-Awaited Second Draft of TEFCA Responds to Stakeholder Concerns

April 19, 2019
HHS also seeks four-year deal with nonprofit Recognized Coordinating Entity to manage the network of networks

After receiving more than 200 comments on the first draft of its Trusted Exchange Framework and Common Agreement (TEFCA) for connecting health information networks, the U.S. Department of Health and Human Services (HHS) has released the long-awaited second draft and a four-year funding announcement for a nonprofit Recognized Coordinating Entity (RCE) to manage the network of networks.

In a blog post on the ONC website, Don Rucker, M.D., national coordinator for health IT, admitted that setting up the framework is not a simple undertaking. “By releasing today’s draft for a second round of public comment, we are working to get it right.”

Indeed, many of the key changes between the first and second drafts come in direct response to issues raised by health information exchange stakeholders and ONC’s own Health Information Technology Advisory Committee. Comments on the second draft are due on June 17, 2019, and then a final TEFCA rule will be written.

In brief, here are some of the key differences between Drafts 1 and 2 of TEFCA, including an alphabet soup of acronyms to remember:

• The definition of who can be a Qualified Health Information Network (QHIN) has been broadened from the first draft. “In response to comments that the definition of QHIN was too restrictive, we expanded the definition to allow for more types of stakeholders to apply, Rucker said. In order to apply for QHIN Designation, a HIN must meet certain prerequisites, including already operating a network that provides the ability to locate and transmit EHI between multiple persons or entities electronically, with existing persons or entities exchanging EHI in a live clinical environment; and providing the RCE with a written plan of how it will achieve all of the requirements of the Common Agreement within a specified time period. “We also updated the application process to allow for a provisional period where QHINs will onboard to the Common Agreement and undergo testing and surveillance to ensure they are in compliance before actively exchanging data on the network,” Rucker wrote.

• In Draft 1, the standards were included in the Trusted Exchange Framework (TEF) itself. Draft 2 adds the Qualified Health Information Network (QHIN) Technical Framework (QTF), which details technical and functional components for exchange among QHINs. As Rucker explained in his blog post, commenters suggested specifying standards through implementation guides rather than in the Common Agreement itself. “Thus in the second draft, we included most standards requirements in the draft QHIN Technical Framework, which will be incorporated into the Common Agreement by reference, and with appropriate notice and compliance provisions for implementation of any updated technical requirements.”

• Originally, QHINs were to have 12 months to update agreements and technical requirements. That timeframe has been extended to 18 months.

• In the list of exchange modalities, draft 1 had suggested that in addition to Targeted Query and Broadcast Query, QHINs should support Population-Level Data Exchange. Because commenters expressed concern regarding the relative maturity of Population-Level Data Exchange, that use case was removed.

• Also, push message delivery (such as Direct messaging, which leverages e-mail protocols to securely send health information to a known Direct address) has been added to query. (This had seemed to many stakeholders like an obvious oversight in the first draft, since ONC did so much to promote Direct early on.)

• Draft 2 narrows the exchange purposes required to be offered initially. Draft 1 included Treatment, Payment, Health Care Operations, Public Health, Individual Access, and Benefits Determination, as required “Exchange Purposes.”  However, many stakeholders told HHS that requiring the full Payment and Health Care Operations purposes would be too burdensome to implement immediately. So Draft 2 requires exchange for only a subset of activities in Payment (Utilization Review) and Health Care Operations (Quality Assessment and Improvement, and Business Planning and Development) as defined in the HIPAA Privacy Rule. The requirements to exchange for purposes of Treatment, Public Health, and Benefits Determination will remain the same. Individual Access as defined in TEF Draft 1 has been modified to Individual Access Services, which includes the HIPAA Privacy Rule right for an individual to view or obtain a copy of his or her Protected Health Information from Covered Entities. The Individual Access Services Exchange Purpose now includes a corresponding requirement for non-HIPAA entities that elect to participate in the Common Agreement. HHS is requesting more comment on the scope of these Exchange Purposes. 

• Under the Fees section, Draft 2 notes that QHINs may not charge another QHIN any amount to exchange EHI for Individual Access Services and may not impose any other fee on the use or further disclosure of the EHR once it is accessed by another QHIN.

One sticking point for HIEs and other networks may be that the Common Agreement will include the responsibility of a QHIN to ensure that participants abide by certain mandatory minimum obligations, such as privacy and security requirements. To implement these obligations, data-sharing agreements between QHINs and participants will need to incorporate these mandatory minimum obligations. The draft TEFCA document says that “ONC recognizes that this overall approach may necessitate modifications to existing data-sharing agreements and trust frameworks. Such changes are necessary to meet Congress’ objectives under the Cures Act and will enable more robust exchange of EHI.” Some HIE executives have noted that those data-sharing agreements took a long time to develop and put in place. Re-writing them all will be a challenge.

The Role of the Recognized Coordinating Entity

The funding announcement for the Recognized Coordinating Entity (RCE) details the role HHS envisions it playing and notes that it must take steps to avoid conflict of interest. The program will be funded for the first year at $900,000, with funding in additional years contingent upon availability of funds and satisfactory completion of milestones.

 Once an applicant is awarded to be the RCE it may not be affiliated with a QHIN as long as it is the RCE. Additionally, the RCE will employ organizational policies that prevent conflicts of interest. its responsibilities will include:

• Develop a Common Agreement that includes the Minimum Required Terms & Conditions Draft 2 (MRTCs Draft 2) and Additional Required Terms & Conditions developed by the RCE (ARTCs) and approved by ONC. The Common Agreement will be published on HealthIT.gov and in the Federal Register.

• Virtually convene public listening sessions that will allow industry stakeholders to provide objective and transparent feedback to the RCE.

• Identify and monitor QHINs that voluntarily agree to sign and adopt the Common Agreement.

• Implement an ONC-approved process to adjudicate QHIN noncompliance with the Common Agreement, up to and including removal from ONC’s public directory on HealthIT.gov.

• Implement a process to update the Common Agreement, as needed, for ONC final approval and publication on HealthIT.gov and in the Federal Register.

• Modify and update the QHIN Technical Framework (QHIN Technical Framework Draft 1) for approval by ONC. The QHIN Technical Framework is designed to detail proposed technical components for exchange between QHINs as required by the latest version of the MRTCs.

• Propose strategies that an RCE could employ to sustain the Common Agreement at a national level after the expiration of the term of the Cooperative Agreement.

Entities interested in applying for the RCE Cooperative Agreement must submit their application by June 17, 2019.

Healthcare Innovation will have more reporting on the new TEFCA draft as stakeholders have time to digest it and prepare their responses.

Sponsored Recommendations

Enhancing Remote Radiology: How Zero Trust Access Revolutionizes Healthcare Connectivity

This content details how a cloud-enabled zero trust architecture ensures high performance, compliance, and scalability, overcoming the limitations of traditional VPN solutions...

Spotlight on Artificial Intelligence

Unlock the potential of AI in our latest series. Discover how AI is revolutionizing clinical decision support, improving workflow efficiency, and transforming medical documentation...

Beyond the VPN: Zero Trust Access for a Healthcare Hybrid Work Environment

This whitepaper explores how a cloud-enabled zero trust architecture ensures secure, least privileged access to applications, meeting regulatory requirements and enhancing user...

Enhancing Remote Radiology: How Zero Trust Access Revolutionizes Healthcare Connectivity

This content details how a cloud-enabled zero trust architecture ensures high performance, compliance, and scalability, overcoming the limitations of traditional VPN solutions...