Currently, getting the information required to provide coordinated patient care typically requires healthcare providers and entities with BAs to sign up for different networks. With the new TEFCA, however, they will be able to join a single web-based database that is qualified by and participates in the network established by the Common Agreement. The TEFCA will facilitate the transmission and exchange of information from a variety of sources. 

What is the TEFCA Program? 

TEFCA stands for the Trusted Exchange Framework and Common Agreement. It’s a relatively new law that was developed as part of the 21st Century Cures Act, with the intent of increasing interoperability in the healthcare field. It has been approved for national-level healthcare interoperability by the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC). 

“The overall goal of the Trusted Exchange Framework and Common Agreement (TEFCA) is to establish a universal floor for interoperability across the country. The Common Agreement will establish the infrastructure model and governing approach for users in different networks to securely share basic clinical information with each other—all under commonly agreed-to expectations and rules, and regardless of which network they happen to be in.” 


At its core, TEFCA lays the foundation for a single “on-ramp” for electronic health information exchange (HIE). With the implementation of TEFCA, healthcare providers, hospitals, and other healthcare entities will be able to access and collaborate in a nationwide exchange of health data. The framework will help ensure security, accessibility when and where a particular patient’s data is needed, and the use of a scalable health information network (HIN) infrastructure.    

TEFCA is a significant development in the security of patient data because it: 

  1. Streamlines the exchange of data in support of efficient patient care.
  2. Alleviates some of the compliance burden placed on healthcare organizations.
  3. Replaces complicated, outdated, costly, redundant, and sometimes conflicting cybersecurity standards.
  4. Clarifies the cybersecurity compliance process across platforms.

Is TEFCA required?

Not yet. In July 2021, the ONC announced that TEFCA would go live in 2022, but at this point, experts anticipate that it will go into effect in early 2023. When it does go live, compliance with the new framework will be voluntary, in general, but required for any HIN entity that wants to become a QHIN and access the healthcare data within the trusted exchange. Once published, entities will have 18 months, instead of 12, to implement updates. 

Those that choose to apply must agree to execute the strict SOPs and will need to demonstrate compliance with the technical interoperability framework. Additionally, to maintain compliance, QHINs will have ongoing oversight by and collaboration with the RCE. 

What is the significance of TEFCA compliance? 

Ultimately, TEFCA compliance will allow participants to start sharing data. It outlines strong security measures and policies designed to protect the information exchanged on qualified HINs (QHIN). With verified TEFCA compliance, in the form of QHIN cybersecurity certification issued by the RCE, healthcare organizations can work together on a unified, secure, nationwide network. 


How does HITRUST support these initiatives?

With this unprecedented access, it’s essential that QHINs be held to higher security standards. The TEFCA RCE has selected HITRUST and the HITRUST Risk-based, 2-year (r2) Certification as the first certifying body. Organizations will be able to rely on HITRUST to show compliance with TEFCA and achieve QHIN status. HITRUST will support TEFCA participants in implementing the security of TEFCA Information (TI) under the Framework Agreements. 

“TEFCA specifies strong security safeguards for the protection of TI in the Common Agreement (§12.1.2), flow-down provisions, and Standard Operating Procedures (SOP), including the requirement that QHINs ‘shall achieve and maintain third-party certification to an industry-recognized cybersecurity framework demonstrating compliance with all relevant security controls.’ HITRUST is actively certifying potential QHINs.”

HITRUST Press Release, August 22, 2022 

To date, the HITRUST r2 is the only assessment that has been specifically acknowledged by the RCE for cybersecurity compliance. As the new framework goes into effect, HITRUST will also provide more information to help organizations understand TEFCA security requirements and achieve QHIN cybersecurity certification. 

When can we start the QHIN cybersecurity certification process? 

According to the QHIN Onboarding guide, prospective QHINs can begin the designation process now. Currently, they can take the first step and notify the RCE of their intent to apply. The RCE is set to open the portal for official applications on October 3, 2022.

In order to be ready for this digital revolution, healthcare organizations will need to implement robust IT systems that enable secure, universal access to patient data and PHI. Examples of measures that should be in place:  

  • Identity proofing to verify the identification of individuals. The Common Agreement will adhere to Identity Assurance Level (IAL2 minimum) as specified in NIST SP 800-63A.
  • User authentication to check user identity using NIST draft SP 800-63B, to a minimal standard of Authenticator Assurance Level (AAL2) and Federation Assurance Level (FAL2) for federated environments. 
  • Breach notification policies are required for QHINs and participants in accordance with HIPAA requirements. 
  • Meaningful choice options must allow individuals to opt-out and prevent their EHI from being used or disclosed. 
  • Written privacy notification making privacy practices regarding the access, exchange, use, and disclosure of EHI publicly known. 

Related article: Critical Protections and Cybersecurity Measures for Sensitive Data. 

Get TEFCA Certified with HITRUST and I.S. Partners 

We can help you gain access to tomorrow’s healthcare tools. Contact I.S. Partners to get more information on QHIN cybersecurity certification and TEFCA compliance.  
