A qualified health information network (QHIN) is a group of organizations working together to share health data and ensure interoperability. QHINs connect directly to each other and also connect the participants within their own networks, so that information can be exchanged across network boundaries under a common set of rules. Organizations become QHINs through the Office of the National Coordinator for Health Information Technology’s (ONC) Trusted Exchange Framework and Common Agreement (TEFCA).
Learn about: What is the Office of the National Coordinator for Health Information Technology (ONC)?
TEFCA and health information exchange
ONC designed TEFCA to help providers easily access and exchange electronic health records (EHRs). TEFCA benefits health entities by supporting and encouraging health information exchange. Additionally, it benefits individuals (i.e., patients) by making it easier for them to access their records and support their personal health journeys.
The trusted exchange framework is a set of nonbinding but foundational principles for the secure exchange of health information. It enables the sharing of health information to:
- Increase secure data access
- Ensure that a core set of data is available to networks
- Decrease costs and improve efficiency
- Provide networks with a common set of privacy and security requirements
With such interoperability, health providers can work together to improve patient outcomes, patient engagement, and the delivery of care. The common agreement (a contract) enables the network-to-network sharing of health data and sets out the technical requirements and defined terms that participants must follow. All who become QHINs and sign the common agreement agree to the expectations established in the trusted exchange framework.
What is a QHIN and what does it do?
QHINs are networks of organizations associated with healthcare such as:
- Hospitals and providers
- Health information networks
- Health systems
- EHR vendors
- Health IT vendors
The networks enable the safe and easy sharing of health information within them and with other QHINs. QHIN organizations serve as connective networks, offering providers and patients greater access to health information. According to the U.S. Health and Human Services (HHS), QHINs were created “to securely route queries, responses, and messages across networks for health care stakeholders including patients, providers, hospitals, health systems, payers, and public health agencies.”
Ultimately, the use of QHINs improves patient care, giving patients access to a broader range of organizations, care teams, and specialists. For the organizations themselves, QHINs facilitate interoperability and patient care while decreasing their own costs.
Current QHINs
One year after TEFCA was published in 2022, five organizations had become QHINs. As of today, seven exist; applications remain open.
- CommonWell Health Alliance: a not-for-profit trade association with a network of 35,000 clinical sites and about 194 million registered patients
- eHealth Exchange: an exchange that connects federal agencies and nonfederal healthcare organizations; it grew out of the government’s original Nationwide Health Information Network (NwHIN)
- Epic Nexus: a subsidiary of Epic Systems, an EHR software vendor, that includes 498 hospitals
- Health Gorilla: a data-sharing platform that supports the secure exchange of patient-centric data
- Kno2: an interoperability platform that connects stakeholders via an app interface, including 1.2 million providers and 4,500 home systems and hospitals
- KONZA: a nationwide information exchange and analytics company offering a suite of products and services
- MedAllies: a health company that facilitates the adoption of health technologies and serves over 800 hospitals, 5,000 organizations, and 125,000 providers and partners
According to Paul Wilder, executive director of CommonWell, "QHINs are going to compete, and that competition is there to keep us honest and make sure we're providing better services every day. There's enough growth for everybody . . ."
Health information exchange and HIPAA
According to ONC, a proper health information exchange helps organizations improve healthcare quality, make care more efficient, streamline administrative tasks, and support community health. At the same time, every new exchange pathway widens the attack surface, so the growth of health IT also means a greater need to secure EHRs and protected health information (PHI).
Congress enacted HIPAA in 1996 to improve the portability of health coverage, combat fraud and abuse, and simplify healthcare administration; HHS issues and enforces the rules that implement it, including the Privacy Rule and the Security Rule. The exchange of health information must follow those privacy and security standards. That means using technical, physical, and administrative safeguards to protect electronic PHI (ePHI). Strong cybersecurity measures that should be considered include:
- Risk assessment and management
- Data encryption in transit and at rest
- Identity and access management (e.g., password policies)
- Virus and malware protection
- Device usage rules
- Proper disposal of devices and data
- Patient consent and authorization
- Breach response plan
By promoting the adoption of secure health IT practices, ONC builds trust among patients and healthcare providers. A secure, reliable exchange of information in turn encourages better patient engagement and better patient outcomes.
See also: HIPAA compliant email: The definitive guide
FAQs
Who must comply with HIPAA?
HIPAA compliance is required for:
- Covered entities: These include healthcare providers, health plans, and healthcare clearinghouses.
- Business associates: These are individuals or entities that perform certain functions or activities on behalf of a covered entity that involve the use or disclosure of PHI.
What is protected health information (PHI)?
PHI is any information held by a covered entity or business associate that concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual. This includes a wide range of identifiers that could be used to identify the individual.
How does HIPAA impact EHRs?
HIPAA mandates that EHRs must be secured to protect patient information. This involves implementing access controls, encryption, audit controls, and transmission security measures.
What are the penalties for noncompliance with HIPAA?
Penalties for noncompliance can range from monetary fines to criminal charges, depending on the severity and circumstances of the violation. The Office for Civil Rights (OCR) can impose civil penalties, which can range from $1,307 to $68,928 per violation, with a maximum annual penalty of $2,067,813; these amounts are adjusted for inflation each year.