ONC unveils TEFCA: Does it address privacy, patient-matching concerns?

The Department of Health and Human Services Office of the National Coordinator released its long-awaited Trusted Exchange Framework and Common Agreement, establishing legal and technical baseline requirements to support information sharing between healthcare entities.

The release completes a critical 21st Century Cures Act requirement. ONC officials say the TEFCA release marks the start of the implementation phase. The agency intends to hold public forums to provide the sector with further details into the framework and common agreement.

The framework is designed to create a “universal floor of interoperability” in the healthcare sector, a major focus for HHS for the last several years. TEFCA will connect various nationwide, trusted health information networks, aiming to simplify nationwide connectivity in healthcare.

“Simplified nationwide connectivity for providers, health plans, individuals, and public health is finally within reach,” said ONC Chief Micky Tripathi, Ph.D., in a statement. “We are excited to help the industry reap the benefits of TEFCA as soon as they are able.”

The common agreement supports a range of healthcare providers, from government agencies to payers, aiming to support multiple exchange purposes to improve care coordination and care outcomes. TEFCA is also designed to improve individuals’ access to their own health data.

Along with the TEFCA release, ONC also shared its HL7 Fast Healthcare Interoperability Resource (FHIR) Roadmap (TEFCA FHIR Roadmap), detailing the ways in which TEFCA will accelerate the adoption of FHIR-based data exchange in healthcare.

In short, officials say TEFCA should “significantly reduce the number of connections individuals and healthcare providers need to make to get the health information they seek for treatment and individual access services, while broadening its exchange purposes over time to include payment, operations, public health, and government benefits determinations.”

Stakeholders have long shared privacy, security concerns

HHS announced the planned framework go-live in July, resurfacing a number of privacy and security concerns previously shared by industry stakeholder groups.

A key issue for the College of Healthcare Information Management Executives, Premier, and the Association for Executives in Healthcare Information Technology is how TEFCA will align with the Health Insurance Portability and Accountability Act, particularly the potential for unintended conflicts where the two sets of rules overlap.

Other concerns include the proposal to extend HIPAA to all TEFCA participants, such as those not considered covered entities or business associates under the rule, and whether TEFCA can address the complexity of patient data and health information that falls outside of HIPAA regulation.

During the recent SCHealth eConference, Impact Advisors Principal Dan Golder stressed that healthcare entities need to become familiar with TEFCA as it’s “a significant gamechanger.” TEFCA creates a different scope, meant for sharing both healthcare and non-healthcare data.

For one, the rule creates new definitions for particular information that is not considered health data but is shared between providers. The shift supports “benefits determination,” in which government agencies use the data to determine benefits such as disability or Social Security.

TEFCA is far more centralized than the federated exchange methodologies currently in use by health information exchanges (HIEs), where the “data stays at the hospital or the health systems” and is shipped between the parties as requests are made.

TEFCA creates more “centralized databases of information.” In doing so, it comes with “quite a bit of security obligations to manage that server farm and all of the information from a security standpoint.”

As such, all healthcare entities must understand the risks of leveraging TEFCA for data exchange. 

“Data server farms are not only technically hard to maintain and hard from a security standpoint and intrusion detection, they're expensive. So where will the money come from?” Golder mused.

Even with TEFCA, there are a number of challenges that exist with HIEs, including patient consent and who is responsible for managing consent prior to data sharing. Golder noted that it’s still unclear. Further challenges include patient authentication and identity resolution, and knowing that “John Smith is John Smith when he's looking to access TEFCA?”

For First Health Advisory CEO Carter Groome, patient matching is a huge issue, not just in identifying the patient but for what happens when data is sent to the wrong individual. That information can’t be recalled or mitigated. There are also concerns that payers may receive information through the new framework and use it for other activities.

The framework also doesn’t provide “a good way to segment data, especially sensitive data.” Golder’s concerns center around behavioral healthcare records and the possible challenges of segmentation.

“For example, if you're in group therapy, and there's five people in the group, very often a practitioner will make a single note for all five people,” said Golder. “Well, that can't really be shared because if it is shared, you're exposing five people's PHI when you share that note,” which creates challenges with how to properly segment data during exchange.

At the time, Golder urged healthcare entities to join HHS calls around TEFCA to give their opinion and to better understand the rule, as “it’s so important for how the overall landscape of information sharing will be focused on in the future.”

“Continue your own education and awareness around this,” said Groome. “Bring it to every stakeholder in the organization and make them aware of the amount of work that needs to be done.”

The Sequoia Project is the Recognized Coordinating Entity for TEFCA, tasked with the development, implementation, and maintenance of the common agreement and framework. As with anything in healthcare, privacy and security risks are par for the course. Despite any concerns, TEFCA has begun its implementation phase, after “thoughtful feedback of public and private stakeholders throughout the process.”

“We look forward to supporting everyone as they review the Common Agreement and identify their role in this new public-private paradigm advancing health information exchange nationwide,” said Mariann Yeager, CEO of The Sequoia Project, in a statement.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.