HITRUST is providing exclusive information to I.S. Partners’ followers on how your organization can get started on the road to becoming a TEFCA participant.

The arrival of the ONC Trusted Exchange Framework and Common Agreement is a huge milestone for national healthcare interoperability initiatives. With the goal of creating one, unified technical framework for organizations to access and share patient data. The electronic health information exchange (HIE) is making it possible for healthcare providers, medical facilities, and related organizations to collaborate across borders, nationwide seamlessly—for the first time. And TEFCA will be put in place to ensure that patient data remains secure and confidential. 

Significance of the HIE and TEFCA 

HIE has been the most significant initiative in healthcare since Meaningful Use. It’s really moved the healthcare industry forward from using manual hard copies of medical records into the digital world. It is designed to improve speed, quality, safety and the cost of patient care; providers will be able to get access to records much more quickly.  

TEFCA is going to fill in the gaps in current interoperability within the U.S. healthcare system. As we know, there are lots of interoperability initiatives currently in place, and have been in place for years, but they’ve been mostly regional. For example, states have set up their own information exchanges and health information networks. But there’s never been anything like this at the national level. That’s where TEFCA comes in. 

This infrastructure conceived in the 21st Century Cures Act is finally coming to fruition. The ONC has been charged with getting TEFCA up off the ground and the RCE is overseeing the initiative.   

How Will This Help Patients and Improve Care? 

Let’s look at an example to understand the impact of these changes on the end patients. If a Florida resident travels to Texas and needs medical care, providers in Texas have no information about that patient’s medical history. They don’t have access to records about preexisting conditions, medications, allergies, etc.  

When providers enter the TEFCA system as participants, they will have immediate, secure access to those records. This makes treating that patient in the best way, with the lowest possible risk of exacerbating preexisting conditions, causing negative drug interactions, or triggering an allergic reaction, possible. Healthcare professionals can quickly get the information they need to deliver accurate treatments. 

Now, a provider in Oklahoma can provide records to a provider in California. HIE anywhere in the country can enter the TEFCA infrastructure and request or provide data and patient records. It makes the accessibility of those records easier in support of quality patient care. 

Who Must Comply with TEFCA? 

Right now, TEFCA is completely voluntary. Entities are not required to become a QHIN; they’re not required to become certified participants or sub-participants. It’s purely up to each organization whether they want to join the Common Agreement infrastructure, or not. I would argue that there are a lot of benefits to join TEFCA, but it’s also true that it’s not necessary for every entity to become a qualified health information network (QHIN). 

Qualified Health Information Networks (QHINs) 

What Types of Organizations Will Become QHINs? 

At present, there are less than 10 organizations that have announced their intention to be QHIN applicants, Epic EHR is one example. The types of entities that are expected to complete the QHIN application are the keepers of health data and those able to exchange it, but in healthcare those entities really run the gambit in terms of their current role.  

Yet, the RCE currently recommends that organizations be deliberate and intentional in decision-making to figure out where your organization fits into the TEFCA infrastructure. There is no federal funding attached to becoming a QHIN or serving participants; everyone is entering for their own reasons. One reason may be that the entity is already serving a large number of customers who expect access to TEFCA and they want to provide those data services. Another reason may be that the entity is already operating in data exchange, so TEFCA compliance would enable them to do that at a national level. Others may want to build services based on analytics that QHIN status would grant them. 

When Will TEFCA Data Become Available? When Will QHINs Be Operational? 

At this point, I think we are still 6 months away from getting the first designated QHINs on the grid. 

What Requirements Must QHINs Meet? 

One of the Common Agreement requirements is that QHINs must attain an industry-recognized cybersecurity certification. As I understand it, several cybersecurity frameworks or certifications were submitted for approval, but HITRUST was the only one that met the TEFCA standards. That doesn’t mean that other recognized industry certifications may be approved in the future. For now, the HITRUST Risk-based, 2-year (“r2”) Validated assessment is required to meet the TEFCA cybersecurity certification requirement. 

As TEFCA becomes a reality, HITRUST is really passionate about our role right now. We’re doing a lot of work with the current candidates to make sure their assessments meet the requirements, so they can become designated QHINs when the time comes. This includes holding biweekly office hours for anyone who is considering becoming a QHIN candidate. Candidates are encouraged to ask questions so that we can provide the information that’s needed. We’ll answer their questions and hold breakouts with individual organizations to make sure that the scope of their assessment is appropriate. 

Read more about How HITRUST Supports the TEFCA Program and QHIN Applications. 

Compliance questions? Get answers!

Book a free 30-minute consultation with a specialist to find your path to compliance. Secure your spot today.


TEFCA Participants and Sub-Participants 

How Are TEFCA Participants and Sub-Participants Involved? 

From an organizational structure perspective, the QHINs would be at the top of the pyramid. They’re like the conduit, providing the technical framework for data exchange. Participants will be the organizations connected to the QHINs which either receive or send data points or records.  

What we’re seeing is that a lot of the QHIN applicants already have communities in which they are operating. These established networks will likely become participants automatically once that QHIN application is approved. Even in this case, it’s important to note that participation is 100% voluntary for now. 

What Types of Organizations Will Become TEFCA Participants and Sub-Participants? 

We don’t know yet. The organizations that do decide to become participants and sub-participants in the TEFCA infrastructure will depend on the priorities of each individual healthcare entity. Hospitals, for example, are likely to become participants; they are going to want access to data whether it’s for research purposes or for developing treatment plans for their patients.  

It’s also likely that research institutions in the life sciences, health technology vendors, EMR platforms, and organizations looking for analytics on patient information for development purposes will all make efforts to enter TEFCA.  

What Should We Do Today to Prepare for TEFCA? 

In the healthcare industry, being on the cutting edge is a big priority. So, as the release of QHIN applications approaches, organizations should be asking themselves, a few questions: 

  • Do we want to be a qualified participant in TEFCA? 
  • Do we already have an existing relationship with a QHIN candidate? 
  • What are the requirements for working with our data model? 
  • What are potential QHINs offering? 
  • What are the incentives of connecting as a participant to one QHIN over another? 

If your organization is interested in becoming a participant in TEFCA, there are some things that you can be doing now, today in order to prepare for this. 

  1. Brush up HIPAA Compliance – The HIPAA Security Rule is the foundation for TEFCA compliance, so now is a good time to assess your organization’s adherence to these standards and address any gaps. Get information on HIPAA Risk Assessment and Compliance Services. 
  2. Check HIPAA business associate agreement obligations – Some of the Common Agreement “flow down” provisions from QHINs to participants and sub-participants will be similar to BAAs. 
  3. Understand the ONC 2020 Cures Act Final Rule – Specifically, your team should familiarize itself with the Interoperability and Information Blocking Rules.  
  4. Review the Common Agreement – Your team should understand the TEFCA requirements and start working to meet those. 

It’s important for organizations to do this now. You don’t want to wait six months to look at your backup system or put new controls in place if we know those are going to be requirements.  

Should We Consider HITRUST Certification as TEFCA Approaches? 

Maybe. I call the HITRUST r2 a significant emotional event. It is not easy, but it will make your organization better. It will push you to put effective controls in place and build resiliency into your existing processes. The “rely-ability” that comes from the HITRUST Assurance Program and the HITRUST CSF helps ensure that if there is an issue that you’re able to deal with it, recover from it, and hopefully fix it.  

Although participants are not required to get HITRUST certified, adopting HITRUST is setting the bar. The way I see it, if you reach the bar, whenever the QHINs release their “flow down” requirements for participants and decide what standards they will hold you to, you will already be above the bar. And you can start working on that now; there’s no reason to wait if you know that you plan to become a TEFCA participant.  

Why not get started now, so that when the infrastructure is in place, your organization will be ready to access that data. 

What’s on the Horizon for TEFCA? 

In the healthcare sector, TEFCA is all that anyone is talking about because it directly impacts so many players. This initiative has really only gotten off the ground this year, in early 2022, but it’s now constantly evolving and there’s more information coming out about it daily, it seems. I think that in the next 9-12 months, we are going to learn so much more. There’s a lot of information that is still in draft, that hasn’t even been published yet, so there’s still a lot of unanswered questions. As the ONC and RCE continue to refine standards and release information, it will have an impact on other industries as well. 

Your Partner for HITRUST Certification

In today’s environment, organizations rely on a solid and agile security posture. I.S. Partners has years of experience assisting companies just like yours in preparing for and performing HITRUST assessments. Whether it’s the first time or your certification has expired, our team of auditing experts will help you every step of the way.

About The Author

Get started

Get a quote today!

Fill out the form to schedule a free, 30-minute consultation with a senior-level compliance expert today!

Analysis of your compliance needs
Timeline, cost, and pricing breakdown
A strategy to keep pace with evolving regulations

Great companies think alike.

Join hundreds of other companies that trust I.S. Partners for their compliance, attestation and security needs.

Scroll to Top