Healthcare Information Security

HIPAA and Compliance News

Secure Data Exchange Part of ONC Trusted Exchange Framework Draft

ONC released an updated draft of its Trusted Exchange Framework and Common Agreement, including a secure data exchange section.

secure data exchange ONC trusted exchange

Source: Thinkstock

By Elizabeth Snell

- ONC issued a Trusted Exchange Framework and Common Agreement draft last week, which is part of the requirements under the 21st Century Cures Act. Ensuring secure data exchange is a key aspect to nationwide interoperability, along with building and maintaining trust, ONC explained.

“The draft Trusted Exchange Framework we issued today reflects the successes and challenges already existing in the exchange of health information and is designed to help guide the nation on its path to interoperability for all,” National Coordinator for Health Information Technology Don Rucker, MD, said in a statement. “The principles and direction we released today, combined with the support of providers, existing health information networks, health IT developers, and federal agencies, are designed to help improve patient care, care coordination, and the overall health of the nation.”

Patients must be able to access their own health information electronically, there should be population-level data exchange, and there must be open and accessible application programming interfaces (APIs), according to ONC.

“The vision we seek to achieve is a system where individuals are at the center of their care and where providers have the ability to securely access and use health information from different sources,” ONC explained in the draft overview. “A system where an individual’s health information is not limited to what is stored in electronic health records (EHRs), but includes information from many different sources (including technologies that individuals use every day) and provides a longitudinal picture of their health.”

ONC will also collaborate with a single Recognized Coordinating Entity (RCE) “to advance the single on-ramp to interoperability,” the agency stated. The RCE will then use the Trusted Exchange Framework to develop a single Common Agreement that Qualified Health Information Networks (Qualified HINs) and their participants can choose to adopt.

READ MORE: Data Security Considerations in Healthcare Interoperability

There will be a 45-day comment period on the Trusted Exchange Framework draft, after which a final draft will be released.

The draft specifically addressed how the Exchange Framework aligns with HIPAA regulations. HIPAA requires covered entities and business associate to remain HIPAA compliant even when conducting electronic transactions, such as electronic billing and fund transfers.

ONC maintained that it had worked with OCR to ensure that the Exchange Framework does not contradict federal rules.

“Health Information Networks (HINs) typically operate as Business Associates and currently have Business Associate agreements, otherwise known as participation agreements, in place with their Participants,” the draft said. “These agreements facilitate the exchange of Electronic Health Information since they perform functions or activities on behalf of, or provide certain services for Covered Entities such as determining and administering policies or agreements that define business, operational, technical, or other conditions or requirements for enabling or facilitating access, exchange, or use of health information between or among two or more Covered Entities.”

Along with adhering to HIPAA regulations, the Exchange Framework “specifies terms and conditions to enable broader exchange of health information.” Most HINs also have participation agreements that have broader terms to ensure that covered entities and non-covered entities are able to use the networks.

READ MORE: Benefits, Challenges of Secure Healthcare Data Sharing

Privacy, security, and safety was also one of the specific principles discussed in the Exchange Framework draft. Electronic health data must be exchanged “in a manner that promotes patient safety, including consistently and accurately matching Electronic Health Information to an individual,” according to ONC.

The Exchange Framework must also “ensure providers and organizations participating in exchange have confidence that the appropriate consent or written authorization was captured, if and when it is needed, prior to the exchange of Electronic Health Information.”

HIPAA does not have a consent requirement for ePHI exchange but patient authorization is required for sharing ePHI “for Health Care Operations purposes with another Covered Entity that does not have a relationship with the patient,” ONC noted.

State law can also differ from the federal requirements on data exchange. For example, there are more stringent state laws with regard to certain health conditions (i.e., HIV, mental health, genetic testing). ONC added that 42 C.F.R. Part 2 has certain exceptions. Federally assisted “Part 2 programs” must “obtain consent to disclose or re-disclose health information related to substance use disorder information, such as treatment for addiction.”

“When required by federal or state law, a Qualified HIN’s ability to appropriately and electronically capture a patients’ permission to exchange or use their Electronic Health Information will engender trust amongst other Qualified HINs seeking to exchange with that network,” the draft explained. “For this reason, we have included this requirement in Part B.”   

READ MORE: ONC, OCR Fact Sheet Discusses HIPAA Health Data Exchange

The comment period on the Exchange Framework draft closes on February 18, 2018. 


SIGN UP and gain free access to articles, white papers, webcasts and exclusive interviews on

HIPAA Compliance
Data Breaches

Our privacy policy

no, thanks

Continue to site...