HITRUST CSF compliance services
Safeguarding PHI and PPI, reducing risk, and meeting compliance
HITRUST and the Trusted Exchange Framework
The fact that health information networks (HINs) aren’t universally connected is both costly and time-consuming. As a stopgap solution, healthcare providers and patients are utilizing various types of data exchanges to treat a single patient. Surveys indicate that most hospitals use at least three methods to exchange data, while 30 percent must use five or more methods.
As a solution, the 21st Century Cures Act, passed by Congress in 2016, defined a common set of data standards to safely and easily share healthcare information. A key piece of the Cures Act was the creation of the Trusted Exchange Framework and Common Agreement (TEFCA), which enables the exchange of electronic health information on a national scale. TEFCA went live in early 2022.
TEFCA is essentially a “network of networks” with multiple points of entry for many types of participants and stakeholders. TEFCA participants may include:
TEFCA implementation is governed by the Office of the National Coordinator for Health Information Technology (ONC), a federal entity responsible for coordinating efforts to implement and oversee the electronic exchange of health information, and a chosen recognized coordinating entity (RCE). In 2019, the ONC contracted the Sequoia Project to serve as RCE to administer and implement TEFCA.
Sequoia will select various HINs to become qualified health information networks (QHINs). A QHIN is a network of organizations that cooperate with each other to share data. To qualify, QHINs must have the technical capacity to connect participants nationwide and meet certain standards and requirements.
At a minimum, that provides coverage under the HIPAA Security Rule and NIST 800-171.
The Sequoia Project has selected HITRUST and the HITRUST r2 Certification as the first certifying body and certification for organizations to prove they comply with the TEFCA security requirements, in order to earn QHIN designation. An adequately tailored and scoped HITRUST risk-based, two-year (r2) Validated Assessment + Certification using the HITRUST CSF framework is currently the only industry certification selected to meet these requirements.
Healthcare organizations should take steps now to prepare for the national HIN.
Seeking out inconsistencies in how data is captured, identified and stored is an important step toward interoperability. Healthcare organizations should review their current health information exchange capabilities, with a focus on data identification and data integrity. Healthcare organizations need to evaluate which tools, applications and systems are in place to gather and retain necessary data points securely.
To align with TEFCA standards, healthcare providers must establish a secure application programming interface (API), the software interface that safely allows access to electronic health records. Adopting an interoperability platform that offers seamless connectivity will help smooth the transition. Becoming HITRUST certified will help ensure the data is unlikely to be breached.
Contact our Mazars healthcare team today to discuss becoming HITRUST certified.