- ONC must further clarify secure data exchange aspects in its Trusted Exchange Framework and Common Agreement (TEFCA) draft, and also explain how HIPAA regulations will apply, according to industry stakeholders.
One of the TEFCA principles discusses the secure exchange of electronic health information, HIMSS noted in its response to ONC. Data confidentiality and availability should also be ensured, along with data integrity.
ONC should also clarify how electronic health information data is available for data sharing, HIMSS wrote.
“Such information could potentially be unavailable to the network in the event of a denial of service attack against a vulnerable application or resource,” the letter stated. “Such information may be unavailable to the extent that a resource and/or application is not working properly or undergoing maintenance.”
Even though ONC discussed HIPAA rules with regard to consent requirements, HIMSS suggested that the agency shed more light on “appropriate standards that modified [qualified health information network] entities should use” for gaining proper consent.
“As ONC discusses in the draft guidance, the HIPAA Rules do not have a consent requirement: there could be other state and federal laws that apply, and require patient consent,” HIMSS said. “To move towards nationwide exchange, we need more clarity in TEFCA around how ONC expects modified QHIN entities to ensure consent was captured.”
DirectTrust also urged ONC to clarify privacy policies discussed in TEFCA. For example, QHINs may have difficulty protecting their members’ privacy and security because TEFCA places no limit on exchanges.
“The ‘imperative to share’ would require that the QHIN be assessed against privacy and security standards of, for example, a large payer participant, as well as other covered entities that participate,” DirectTrust wrote. “It would also require that each participant be responsible for investigating privacy breaches that occur to its members’ PHI in the Trusted Exchange Framework – though the members’ data could be disclosed by multiple entities.”
HIPAA regulations allow for secure data exchange but only in certain permitted circumstances, DirectTrust added. Providers decide when it is appropriate for data to be exchanged, and ensure that security and privacy controls are in place.
Comparatively, TEFCA mandates data exchange. This would remove patient data control from providers and put an extra burden onto QHINs, according to DirectTrust.
There is also concern over TEFCA’s permitted uses, as this may also place additional burdens onto QHINs, DirectTrust continued. The HIPAA minimum necessary requirement ensures that covered entities participating in HIEs “verify the authority of the entity requesting electronic health information.”
“It is not clear how participants, or HIE or QHINs on their behalf, will be able to operationalize these permitted uses and meet these legal requirements,” DirectTrust stated. “How would the purpose of a request, e.g. for public health or research, be made manifest to the queried parties?”
DirectTrust suggested that ONC implement one or two priority purposes at first, and narrow down the use cases for sharing data. More can be added as QHINs show that they are successful with the first permitted purposes.
The American Medical Informatics Association (AMIA) also recommended that ONC review how certain HIPAA regulations overlap with TEFCA. HIPAA’s Right of Access is potentially the most important aspect of the draft, AMIA said in its response letter.
“While the capabilities of clinical systems must improve and evolve to give clinicians the right information on the right patient at the right time, individual access empowers patients to be stewards of their own health, and has the potential for far reaching, systemic improvements,” AMIA wrote. “The TEFCA should dramatically improve the availability of data for patient care, but the individual access use case will dramatically alter the fundamentals of our national healthcare system by making patients first order participants in their care.”
AMIA recommended the following for TEFCA clarifications and the right of access:
- Understand how current technology and functionalities could meet the HIPAA Right of Access use case within a single institution or care setting, including through application programming interfaces (APIs)
- Understand how an individual could leverage their HIPAA Right to Access to aggregate data from across treating clinician settings
- Understand how an individual could use a third-party application to access data from across treating clinician settings through a single access point
- Understand how an individual could access their data from payers and other business associates
- Evaluate how demonstration of the HIPAA Right to Access is impacting care delivery (e.g. workflows, data use, etc.) and look for ways to mitigate unintended consequences.
Additionally, any gaps in current standards, implementation guides, technology, functionality, and process should be reviewed in the previously listed areas.
The Electronic Health Record Association (EHRA) also raised concerns with HIPAA compliance. The association explained that TEFCA aligns with EHRA’s position on nationwide interoperability and the secure exchange of PHI.
The suggested timeframe is aggressive, EHRA pointed out. Health Information Networks (HINs) may run into privacy and security issues if they are pushed to meet the implementation deadline.
“We request clarity regarding some of the permitted purposes,” EHRA wrote. “Specifically, what is encompassed in ‘Benefits Determination,’ as there are some benefits determination scenarios that may not be under Treatment, Payment, and Operations (TPO) under HIPAA?”
Further clarification is needed on the breach notification process, patient consent with data sharing, patient matching, and data integrity.
EHRA added that it agrees with TEFCA’s requirements on utilizing the NIST Cybersecurity Framework and that it is urging its own members to implement a framework around the NIST CSF.
Identity proofing must also be discussed because the current proposal in TEFCA “may create a barrier to the adoption of this program.” Participants need to be able to vouch for their members, and there must be “a reasonable effort to identity proof an end-user or an individual,” the letter read.
“When accessing the system, for some TEFCA stakeholders, there are care implications that must be considered with authentication,” EHRA said. “Authentication for a user in a healthcare setting is a multifaceted approach with a combination of physical security, trusted devices, etc. We need to be flexible and be careful not to introduce undue burden to the user.”