The Agency for Statewide Technological Planning (ASTP) Final Rule is a pivotal regulatory measure that codifies the requirements for TEFCA-Qualified Health Information Networks (QHINs). Emerging from the 21st Century Cures Act of 2016, TEFCA (Trusted Exchange Framework and Common Agreement) aims to enhance health information exchange across the United States by creating a network of health information networks (HINs) that adhere to TEFCA standards. This article explores how TEFCA regulations shape QHIN health data exchange, ensuring secure, efficient, and accountable health data sharing.
Understanding TEFCA and Its Purpose
The Genesis of TEFCA
TEFCA was conceived to foster seamless, secure, and efficient health data exchange nationwide. Stipulated by the 21st Century Cures Act, ASTP was tasked with forming public-private and public-public partnerships to develop a trusted exchange framework alongside a common agreement among HINs. Importantly, the Cures Act clarified that no HIN is mandated to adopt or participate in TEFCA, making it a voluntary initiative unless future legislation states otherwise.
Entities recognized as QHINs by ASTP can engage in TEFCA exchange. Participants are those that contract with QHINs to access this exchange, while subparticipants are entities connected to the network through participants. This hierarchical structure forms what is known as a QHIN’s designated network. ASTP may delegate oversight responsibilities to Recognized Coordinating Entities (RCEs), with The Sequoia Project currently being the selected RCE.
Key Elements of TEFCA
TEFCA’s framework comprises several critical documents. The Trusted Exchange Framework outlines foundational principles and practices for data sharing, while the Common Agreement provides the infrastructure and governance mechanism for secure data sharing among users in different HINs. This agreement is legally binding once signed by a QHIN and the RCE. Standard Operating Procedures (SOPs) issued by the RCE detail the governance, privacy, security protocols, directory services, and application processes for QHINs. The QHIN Technical Framework (QTF) sets forth technical specifications and requirements for QHINs to facilitate information exchange.
Under TEFCA, six exchange purposes are recognized: treatment, payment, healthcare operations, public health, government benefits determinations, and individual access services. QHINs must support exchanges for any of these purposes but are only required to respond to requests made under treatment or individual access services at present. ASTP plans to expand mandatory response requirements to encompass all exchange purposes eventually.
TEFCA Regulations in the Final Rule
Qualifications for QHIN Designation
QHIN designation qualifications are segmented into three categories:
Ownership Requirements
To qualify as a QHIN, entities must meet stringent ownership requirements designed to ensure data security and accountability within the United States. QHINs must be U.S. entities, free from foreign control. No significant stakeholders (5% ownership or more) should appear on the U.S. Department of the Treasury’s Specially Designated Nationals and Blocked Persons List or the HHS Office of the Inspector General’s List of Excluded Individuals/Entities. These measures are in place to safeguard health data from high-risk actors and ensure accountability under U.S. law.
Exchange Requirements
To facilitate a robust and secure data exchange environment, QHINs must enable data exchange between unaffiliated parties and handle electronic health information pertinent to any required exchange purpose. This capability ensures that QHINs can efficiently process transactions from other QHINs for all exchange purposes. Additionally, QHINs are responsible for supporting participants and subparticipants in transactions they facilitate. This requirement ensures that a diverse range of entities can effectively engage in the health information exchange network and promotes interoperability across the healthcare ecosystem, enhancing the overall efficiency of health data exchange.
Designated Network Services Requirements
Operational stability and security form the cornerstone of designated network services requirements. QHINs must uphold operational, legal, and governance authority over their networks, establishing participatory groups for governance processes and ensuring efficient dispute resolution. This includes the establishment of written policies on network oversight, control, security, privacy, and data breach responses. Furthermore, QHINs must demonstrate high transaction volume capacities, secure connectivity, and adequate financial resources. A specific requirement for QHINs facilitating individual access services is to obtain express individual consent and handle identifiable information per specified standards, thereby ensuring data protection and compliance with privacy regulations.
The QHIN Designation and Onboarding Process
Application Submission and Review
Applying to become a QHIN includes providing detailed information to ASTP or the RCE, initiating a rigorous review process. Applications must contain specific details and undergo a review by ASTP or the RCE within 60 days, though this period can be extended by written notice if necessary. This process ensures that only qualified entities are designated as QHINs, maintaining the integrity and security of the health information exchange network. The thorough review contributes to the establishment of a trusted and reliable network of QHINs capable of facilitating smooth health data exchanges.
Onboarding Process
Approved applicants embark on a comprehensive onboarding process designed to ensure operational readiness. They have 12 months, extendable by another 12 months, to complete this phase. During onboarding, regular check-ins with ASTP or the RCE are mandated. This period allows QHINs to establish the necessary infrastructure and processes required to support secure and efficient data exchange. The structured timeline and oversight provide a solid foundation for QHINs, enabling them to integrate seamlessly into the TEFCA exchange network and fulfill their roles effectively.
Designation
Upon satisfactory completion of onboarding requirements, QHINs receive a provisional designation. This status becomes final once successful data transaction proof with other in-production QHINs is provided. This two-step designation process ensures that QHINs are fully capable of participating in the TEFCA exchange network before receiving final designation. By verifying operational readiness through actual data transactions, ASTP and the RCE maintain the reliability and efficiency of the health information exchange ecosystem, fostering trust among stakeholders.
Conclusion
The Agency for Statewide Technological Planning (ASTP) Final Rule is a pivotal regulatory measure essential for codifying the requirements of TEFCA-Qualified Health Information Networks (QHINs). Arising from the 21st Century Cures Act of 2016, TEFCA, or Trusted Exchange Framework and Common Agreement, aims to significantly improve health information exchange across the United States. This is accomplished by creating a cohesive system of health information networks (HINs) that comply with TEFCA standards.
TEFCA’s regulations are designed to ensure secure, efficient, and accountable health data sharing among various networks. By adhering to TEFCA standards, these QHINs can facilitate smoother and more reliable data exchanges, which is crucial in the rapidly evolving healthcare landscape. As the healthcare system becomes increasingly reliant on digital information, the importance of standardized and secure data exchange cannot be overstated.
The ASTP Final Rule outlines the criteria and operational procedures that QHINs must follow to maintain consistency and integrity in health information exchange. These regulations offer a framework to protect patient data while promoting broader interoperability among different healthcare providers and systems.
Overall, TEFCA, with its stringent guidelines and framework, plays a critical role in transforming national health information exchange, ensuring that health data is shared in a way that is not only efficient but also secure and accountable. This transformation is key to advancing healthcare delivery and improving patient outcomes across the United States.
