TEFCA and the healthy exchange of health information

The Office of the National Coordinator for Health Information Technology (ONC) first published the Trusted Exchange Framework and Common Agreement (TEFCA) in January 2022. The idea behind the framework and agreement was to improve the flow of health information and, ultimately, patient care. Since the initial release, several organizations have applied for and been designated as Qualified Health Information Networks (QHINs).

These QHINs can connect to each other to enable the healthy exchange of health information across the United States.

Learn about: What is the Office of the National Coordinator for Health Information Technology (ONC)?

Health data exchange before TEFCA

ONC advances the adoption and use of strong health IT infrastructures and promotes the nationwide exchange of healthcare. Its mandate was solidified with the HITECH Act of 2009, which incentivized the meaningful use of electronic health records (EHRs) and strengthened HIPAA. Since then, ONC’s search for establishing expectations and standards for data sharing has been ongoing.

One such endeavor is the Nationwide Health Information Network (NwHIN). NwHIN was a set of standards, services, and policies used to secure the exchange of sensitive health information. The idea was to improve the quality and efficiency of healthcare and better connect providers, patients, and other health-related organizations.

In 2012, ONC decided “not to continue with the formal rulemaking process [of NwHIN]” to focus on “an approach that provides a means for defining and implementing nationwide trusted exchange.” The idea behind healthy data exchange is still strong with the same goal: to protect patients while providing more access to health information. TEFCA is ONC’s latest initiative.

Rolling out TEFCA

The 21st Century Cures Act called for the development of a trusted exchange framework and common agreement to define the standards of interoperability. With interoperability, health providers can better work together to improve health conditions, patient engagement, and healthcare. ONC designed TEFCA to help providers easily access and exchange EHRs. TEFCA was first released in January 2018 (then in April 2019) for public comment before its final draft was published in 2022.

The trusted exchange framework (TEF) is a set of nonbinding but foundational principles for the healthy exchange of health information. It enables the sharing of health information to:

• Increase secure and appropriate access to data
• Ensure that a core set of data is available among networks
• Decrease costs and improve efficiency
• Provide health information networks and health IT developers with a common set of privacy and security requirements

The common agreement (CA) is a contract that lets QHINs put the framework into use. TEFCA benefits health entities by supporting and encouraging the exchange of information. It also supports individuals (i.e., patients) by making it easier for them to seek access to their records and support their health journeys.

TEFCA today

TEFCA established the technical infrastructure and framework for QHINs and their users to properly and securely share health data. The seven principles of ONC’s trusted exchange framework are:

1. Standardization
2. Openness and transparency
3. Cooperation and nondiscrimination
4. Privacy, security, and safety
5. Access
6. Equity
7. Public health

The common agreement enables the network-to-network sharing of health data through QHINs. In April 2024 an updated version of the trusted exchanged framework and common agreement was released. The updated common agreement includes technical and definition clarifications. All who become QHINs and sign the contract agree to the expectations established.

One year after being published, five organizations had become QHINs. As of today, seven exist under TEFCA.

Health information exchange and HIPAA

According to ONC, a proper health information exchange helps organizations:

• Improve healthcare quality
• Make care more efficient
• Streamline administrative tasks
• Support community health

At the same time, the increase in technological innovations in healthcare pushed for the security of EHRs. The U.S. Health and Human Services (HHS) created HIPAA to improve healthcare standards and combat protected health information (PHI) fraud and abuse. Given the need to access and transfer PHI, the exchange of health information must follow HIPAA’s privacy and security standards.

That means using technical, physical, and administrative safeguards to protect electronic PHI (ePHI). Strong measures to consider include:

• Comprehensive risk assessment and management
• Data encryption in transit and at rest
• Identity and access management (e.g., password policies)
• Virus and malware protection
• Device usage rules
• Proper disposal of devices and data
• Patient consent and authorization
• Breach response plan

Relying on the healthy and secure exchange of information encourages both better patient engagement and patient outcomes.

See also: HIPAA compliant email: The definitive guide

FAQs

Who must comply with HIPAA?

HIPAA compliance is required for:

• Covered entities: These include healthcare providers, health plans, and healthcare clearinghouses.
• Business associates: These are individuals or entities that perform certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI.

What is protected health information (PHI)?

PHI is any information held by a covered entity or business associate that concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual. This includes a wide range of identifiers that could be used to identify the individual.

How does HIPAA impact EHRs?

HIPAA mandates that EHRs must be secured to protect patient information. This involves implementing access controls, encryption, audit controls, and transmission security measures.

What are the penalties for noncompliance with HIPAA?

Penalties for noncompliance can range from monetary fines to criminal charges, depending on the severity and circumstances of the violation. The Office for Civil Rights (OCR) can impose penalties, which can range from $1307 to $68,928 per violation, with a maximum annual penalty of $2,067,813.