
Privacy and security considerations emerge as HHS fuels interoperability push

A medical technologist processes test samples for the coronavirus at the AdventHealth Tampa labs on June 25, 2020, in Tampa, Fla. (Octavio Jones/Getty Images)

The Department of Health and Human Services Office for the National Coordinator recently announced that the Trusted Exchange Framework and Common Agreement (TEFCA) will go live in 2022. The new nationwide framework is being designed to fuel and support interoperability in the health care sector, a key HHS initiative.

The health care sector has made steady improvements in medical records exchange between providers over the last few years, building on a national effort that began in 2004 to ensure the majority of providers were using electronic health records.

“However, some significant gaps remain,” said ONC Chief Micky Tripathi and Mariann Yeager, CEO of the Sequoia Project that leads development and implementation of TEFCA.

SC Media examined both the progress and the obstacles facing health care organizations in compliance with the framework, and where providers must go from here.

Gradual progress

TEFCA was outlined in the 21st Century Cures Act and led by the Sequoia Project, which contracted with ONC in August 2019 to develop and implement TEFCA. Chartered in 2012, the Sequoia Project is a non-profit entity focused on the implementation of secure, interoperable health information exchange in the U.S. The Sequoia Project has served as the recognized coordinating entity since 2019, supporting ONC in gathering insights from industry stakeholders on the best approach to better support data exchange.

“Nationwide networks currently facilitate the secure exchange of millions of clinical documents on a daily basis and state/regional health information exchanges (HIEs) provide localized interoperability services in many parts of the country,” Yeager and Tripathi said in a statement that accompanied the announcement.

That said, most health care networks are not seamlessly connected, despite industry improvements. And most HIEs only serve their local regions, while others aren’t connected to any other networks at all. The lack of interoperability presents barriers to care, increases health care system costs, and negatively impacts the patient and provider experiences.

TEFCA is designed to address these issues, by fueling data exchange in a secure fashion through the use of HL7 and FHIR protocols.

ONC plans to launch the final TEFCA during the first quarter of 2022. To achieve that goal, HHS is continuing to gather industry-wide input on the draft guidance for HIEs, including recommended privacy and security considerations.

“If you’re not already involved in monitoring all of the initiatives occurring regarding interoperability, now is the time to get engaged,” said Lee Barrett, CEO and executive director of the Electronic Healthcare Network Accreditation Commission (EHNAC), who’s also a Sequoia Project Board member. Each framework iteration sought to provide additional context and clarification. “Don’t wait until you have to implement: you have an opportunity to provide input into the process and the issues being discussed now.”

Possible privacy and security concerns

HHS has made patient access to protected health information, interoperability, and data sharing a key initiative for the health care sector for several years. The agency is currently working to implement changes to HIPAA to better support these aims, while CMS recently enacted its Interoperability and Patient Access final rule.

But how will greater data access in health care and a reliance on APIs affect the privacy and security of health care providers, many of which are already struggling to keep pace with the current threat landscape? During the initial comment period for the proposed TEFCA, the College of Healthcare Information Management Executives (CHIME), Premier, and the Association for Executives in Healthcare Information Technology (AEHIT) raised concerns about how the interoperability framework would align with the Health Insurance Portability and Accountability Act.

“Any policies which supplant HIPAA or create unintended conflicts must be carefully examined,” CHIME and AEHIT noted in comments about previous TEFCA drafts. “At the very least, ONC should create a crosswalk that clearly depicts where there is overlap and where new policies will be required.”

All of the groups were also concerned with how ONC would address the complexities of patient access to data, particularly data that falls outside of HIPAA regulations like those gathered and exchanged by health apps. Further, as TEFCA proposes extending HIPAA to all TEFCA participants, including those not considered covered entities or business associates, the groups warned that ONC would need to explain how it would be operationalized, and the framework must take into account the patchwork of state privacy and security laws and data access regulations.

CHIME and AEHIT also expressed concern with TEFCA’s definition of electronic health information. Previous TEFCA drafts too broadly defined electronic health information and could require providers to create new policies beyond HIPAA to offer patients meaningful opportunity to consent, thus adding to administrative burdens and complexity for providers.

“Providers are already very accustomed to working with HIPAA requirements and this wording creates a confusing and separate set of rules,” CHIME and AEHIT previously explained. “Rather than creating new policies, a better approach would be to have providers leverage any opportunity under HIPAA (i.e., check in) when seeking consent.”

How HHS can continue addressing privacy concerns

Previous TEFCA releases did not include a lot of details that could address all stakeholder concerns and issues, as these were drafts and not final regulations, explained Barrett. With the ONC recently providing a clear TEFCA roadmap, the sector may finally receive answers to these questions and concerns.

To ensure ONC and HHS aren’t creating additional risks with these interoperability and data sharing initiatives, Barrett stressed that the agencies will need to continue engaging the healthcare ecosystem to identify patient risks and the mitigation strategies needed to address them. The agencies will also need to continue collaborating with healthcare ecosystem organizations, such as the eHI Sequoia Leadership Council and provider, health plan and other stakeholder and industry consortiums, to encourage participation and gain feedback on issues, while working together to address and promote these initiatives.

Further, HHS could “increase interagency coordination. For example, recent HIPAA changes from the Office for Civil Rights (OCR) impact individual rights. Likewise, some of the changes under interoperability also impact the same issues. This contributes to industry interpretation confusion,” Barrett explained.

Needed planning, participation from health care providers

Any entity that will be impacted by the TEFCA go-live in 2022, such as providers, payers, and other health care stakeholders, will need to ensure that privacy and security are paramount in the implementation, said Barrett.

“Nearly all health care stakeholders will be impacted, including patients,” he said. “EHR clinical and significant data sources will be exchanging data through this interoperability network.

“The benefits to patients and others are significant,” he continued. “What this means therefore is that we need to assure a significant level of ability to address privacy and security standards, best practices etc.”

Third-party accreditation will be critical in ensuring health care stakeholders are ready to meet TEFCA requirements, long before they begin exchanging data. Barrett noted that EHNAC and HITRUST partnered to address third-party accreditation issues and to provide certification.

The groups also created a trusted network accreditation program (TNAP), and HITRUST has a privacy and security program for QHINs and participants. Barrett explained that these will help assure the readiness and preparedness of organizations to participate in the interoperability implementation.

The Sequoia Project has already established workgroups focused on interoperability measures, which will help inform ongoing guidance and provide feedback to ONC, the Workgroup for Electronic Data Interchange (WEDI), eHI, and other stakeholder groups. The effort is designed to support participants with education, guidance and input.

Jessica Davis
