More than a year after the first draft of the Trusted Exchange Framework and Common Agreement (TEFCA) was published, the Office of the National Coordinator (ONC) for Health Information Technology (HIT) is back with a second draft. Consequently, ONC is again seeking public comment on the draft.
So what’s changed? A few things stand out.
First, the initial scope of the Trusted Exchange Framework (TEF) has been narrowed. The first draft included all HIPAA Payment and Health Care Operations purposes; the second draft includes only Utilization Review for the Payment purpose. For the Health Care Operations purpose, now only “Quality Assessment and Improvement” and “Business Planning and Development” are included as use cases which all Qualified Health Information Networks (QHINs) are required to support.
Essentially, ONC has narrowed the scope for the first version of the TEF to what they consider the minimum viable product. They’re trying to get the project off the ground, so they removed the use cases they considered more complicated, for now. It’s highly likely that the removed use cases will be added back into a future version.
The second draft further clarifies the expectations surrounding an individual’s right to get a copy of their protected health information from those who may be storing it. HIPAA requires that Covered Entities provide this information upon request. The second draft explicitly expands this requirement to all participants in TEF. This is a laudable change and addresses a concern I wrote about in my previous blog post “TEFCA leaves privacy questions unanswered.”
Additionally, the latest draft clarifies that individuals must be able to exercise “meaningful choice” to decide how their data is exchanged. Currently, participants in the TEF are required to provide a mechanism, free of charge, where individuals can opt-out. The participants are then required to share this opt-out with other participants in the TEF, and all participants are required to honor it. This change is of critical importance—individuals who do not want to participate in sharing their private, personal information must never be forced to do so. However, in the future, I would like to see this requirement expanded to a more granular set of permissions than an opt-in or opt-out; ideally, an individual would be able to prevent certain types of sensitive data (think HIV status) from being shared, or otherwise narrow the scope of allowable uses for their data, without having to remove themselves from the system entirely. The inclusion of security labels in the new draft indicates that the ONC is already working toward this kind of capability, though it is clearly still in an early stage.
A “push” capability for messages has also been added to the system requirements. This means that updates to a patient’s medical record can be sent out to other participants in the TEF, instead of waiting for participants to send out a request asking for updates. This is similar to modern email and text message systems. The ONC notes that this capability will help support public health reporting use cases and “deliver critical information about patient care.”
Finally, the requirements an entity will have to meet to become a QHIN have been more fully specified. The process for applying to become a QHIN is included in the second draft, and a new “QHIN Technical Framework” has been released. Essentially, the ONC has stepped in to issue more granular specifications for how QHINs will operate, instead of leaving this entirely to the yet-to-be-selected Recognized Coordinating Entity (RCE). Also of note: The latest draft specifies that, in the future, when updates are made to the TEF, QHINs will have 18 months to comply with changes instead of 12. It seems that by offering greater specificity and flexibility, the ONC is working to make it easier for organizations to become QHINs.
Public comments on the latest draft must be submitted by June 17th, and applications for the role of RCE are due at the same time. It is heartening to see progress being made on the TEF, and we look forward to the final draft of the TEFCA.