
Sequoia Project unveils elements for healthcare interoperability, amid stakeholder concerns


The Sequoia Project, in partnership with The Office for the National Coordinator, released the Trusted Exchange Framework and Common Agreement (TEFCA) elements. Designed to support interoperability across the healthcare sector, the nationwide framework is set to go live in early 2022. The Sequoia Project leads the TEFCA development and implementation.

ONC and Sequoia Project are seeking industry feedback on the 13 TEFCA elements and hosting webinars to support the ongoing discussions. The announcement came as multiple stakeholder groups reported potential issues posed by planned definitions for electronic health information (EHI) and designated record set (DRS).

TEFCA will be a legal agreement between the Sequoia Project and Qualified Health Information Networks (QHINs) and intends to establish the industry standard for data exchange between QHINs, including a QHIN framework for which ONC released a draft in July.

Sequoia’s role as the recognized coordinating entity “is the ability to bring together stakeholders from across the healthcare and health IT landscape to shape the final Common Agreement and realize our goal to begin sharing in 2022,” ONC Chief Micky Tripathi said in a statement. “The overall goal of [TEFCA] is to establish a floor of universal interoperability across the country.”

As part of the 21st Century Cures Act, ONC was tasked with developing a trusted framework that defines baseline legal and technical requirements for secure information sharing across the U.S.

The Department of Health and Human Services and related departments have been working to stop information blocking and increase data exchange through interoperable systems in recent years, with an increased focus on ensuring patients have access to their medical records.

As part of those efforts, the Centers for Medicare and Medicaid Services began the enforcement of its Interoperability and Patient Access final rule on July 1, which supports data sharing between providers and a patient’s right to access their protected health information.

TEFCA is another crucial piece to the interoperability puzzle and includes privacy and security requirements that enable users from different health networks to securely share clinical data with other qualified parties for designated purposes.

The goal is to “create simplified connectivity for use by Individuals, healthcare providers, health plans, public health agencies, as well as other stakeholders,” while providing a governance approach to connect and scale QHINs.

The latest update from the Sequoia Project outlines the 13 proposed elements of TEFCA, which will continue to be developed through industry feedback and ongoing conversations.

The elements include exchange purposes for QHIN requests and data sharing, such as treatments, payments, public health, access services, and other related purposes. Specifically, TEFCA “would specify the requests, uses, disclosures, and responses that would be permitted, prohibited, and required.”

The proposed framework also establishes the participants, required information, and de-identified data not covered by the Health Insurance Portability and Accountability Act, among other key terminologies. Other notable elements include the governance approach, QHIN eligibility criteria, special requirements, and privacy and security measures.

Previous TEFCA proposals have been met with privacy and security concerns from leading industry stakeholders, centering around HIPAA alignment, data not covered by HIPAA, and the planned use of APIs to fuel data exchange.

Under the proposed framework, entities that fall outside of HIPAA regulations would be required to protect individually identifiable data in the same manner as HIPAA entities protect protected health information. In short, all involved parties will be required to comply with the HIPAA Security Rule and its provisions.

Further, QHINs will be required to meet and maintain third-party certification from a recognized cybersecurity framework and undergo annual security assessments. TEFCA will also outline expectations for security incident notifications for all data exchange and will be designed to avoid potential conflicts with existing regulations and laws.

Sequoia Project will “actively facilitate information security activities, with the support of a Cybersecurity Council drawn from participating QHINs.”

Stakeholder groups take issue with definitions

The added TEFCA elements also include definitions for key interoperability and exchange terminology. As noted, the American Health Information Management Association, the American Medical Informatics Association, and the Electronic Health Record Association have raised some concerns related to EHI and DRS definitions.

AHIMA, AMIA, and EHRA established a task force in 2020 to generate recommendations for a consensus-based approach to operationalizing the EHI definition to support providers with complying with the Cures Act and setting the expectations for what data is considered EHI.

The EHI definition is grounded in the DRS explanation outlined in HIPAA. For the groups, the success of compliance will come down to the manner in which these definitions are operationalized by providers and developers.

The subsequent report released Sept. 20 demonstrated substantial challenges providers face when it comes to EHI. Joseph Kannry, MD, chair of AMIA’s Public Policy Committee, explained, “It was clear from the outset that the fluid nature of the scope of EHI presents a unique informatics challenge.”

Specifically, the success of these rules will be supported by standardized clinician and developer expectations around the definition of EHI. The findings “demonstrate the complexity associated with defining EHI for multipurpose use, such as in ONC’s certification program and compliance with information blocking.”

The report identified key considerations TEFCA will need to take into account when interpreting EHI. For one, certain data classes may not be considered EHI depending on their status, such as data not being used for decision-making (and thus not considered EHI).

“Whether a data class is considered EHI may depend on certain status conditions or characteristics. Other data classes might merit special consideration, such as behavioral health information,” according to the report.

“Further discussion on how to differentiate those types of data classes will be important,” according to the report. “There is an inherent challenge in that use of a particular data class in decision-making is a key factor in the definition of EHI but not necessarily easy to track programmatically in an HIT system, leading to actors either casting a wide net as to what is considered EHI or relying on manual identification.” 

The stakeholder groups propose that more granular distinctions could better support the EHI definitions. For Lauren Riplinger, AHIMA’s vice president of policy and government affairs, the report demonstrates the substantial challenges the providers will face when operationalizing EHI.

The task force is seeking further input on the preliminary findings outlined in the report until Oct. 6, 2022, when the sector is expected to comply with the full scope of EHI and the info blocking provisions of the Cures Act.

Meanwhile, Sequoia Project is seeking input on its proposed TEFCA elements through Oct. 21, 2021, and is planning to work with ONC to finalize version one of the framework during the estimated implementation in early 2022.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
