HITRUST and preparing for the Trusted Exchange Framework and Common Agreement

Health information network (HIN) interconnectivity is far from perfect. Although almost 95% of hospitals and 90% of office-based physicians belong to HINs, connectivity between HINs still isn’t universal, or even consistent. Varying participation rates and different data-usage agreements prevent the current version of the electronic health record from being as essential as it should be.

The fact that HINs aren’t universally connected is both costly and time-consuming. As a stopgap solution, healthcare providers and patients are utilizing various types of data exchanges to treat a single patient. Surveys indicate that most hospitals use at least three methods to exchange data, while 30 percent must use five or more methods.

As a solution, the 21st Century Cures Act, passed by Congress in 2016, defined a common set of data standards to safely and easily share healthcare information. A key piece of the Cures Act was the creation of the Trusted Exchange Framework and Common Agreement (TEFCA), which enables the exchange of electronic health information on a national scale. TEFCA went live in early 2022.

How TEFCA works

TEFCA is essentially a “network of networks” with multiple points of entry for many types of participants and stakeholders. TEFCA participants may include:

  • Health information networks
  • Health information exchanges
  • Healthcare providers 
  • Public health providers 
  • Government/federal agencies
  • Health plans
  • Health IT developers 
  • Individual users (this may include someone who’s the subject of electronic health information, such as a patient, their representative or a health plan member)

TEFCA implementation is governed by the Office of the National Coordinator for Health Information Technology (ONC), a federal entity responsible for coordinating efforts to implement and oversee the electronic exchange of health information, and a chosen recognized coordinating entity (RCE). In 2019, the ONC contracted the Sequoia Project to serve as RCE to administer and implement TEFCA.

Sequoia will select various HINs to become qualified health information networks (QHINs). A QHIN is a network of organizations that cooperate with each other to share data. To qualify, QHINs must have the technical capacity to connect participants nationwide and meet certain standards and requirements.

These requirements include:

  • Obtaining a security certification
  • Using an industry-recognized framework

At a minimum, that framework must provide coverage under the HIPAA Security Rule and NIST 800-171.

The Sequoia Project has selected HITRUST and the HITRUST r2 Certification as the first certifying body and certification for organizations to prove they comply with the TEFCA security requirements, in order to earn QHIN designation. An adequately tailored and scoped HITRUST risk-based, two-year (r2) Validated Assessment + Certification using the HITRUST CSF framework is currently the only industry certification selected to meet these requirements.

How healthcare organizations can prepare for TEFCA

Healthcare organizations should take steps now to prepare for the national HIN.

Seeking out inconsistencies in how data is captured, identified and stored is an important step toward interoperability. Healthcare organizations should review their current health information exchange capabilities, with a focus on data identification and data integrity. Healthcare organizations need to evaluate which tools, applications and systems are in place to gather and retain necessary data points securely.

To align with TEFCA standards, healthcare providers must establish a secure application programming interface (API), a software interface that safely allows access to electronic health records. Adopting an interoperability platform that offers seamless connectivity will help smooth the transition. Becoming HITRUST certified will help ensure the data is unlikely to be breached.

Contact our Mazars healthcare team today to discuss becoming HITRUST certified.

The information provided here is for general guidance only, and does not constitute the provision of tax advice, accounting services, investment advice, legal advice, or professional consulting of any kind. The information provided herein should not be used as a substitute for consultation with professional tax, accounting, legal or other competent advisers.
