By Lee Barrett, CEO and executive director of EHNAC, Member of
Executive Steering Committee for the ONC’s Payer + FAST FHIR Task Force and the HHS Cybersecurity Task Force
Twitter: @EHNAC
Last week, the Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology (ONC), issued draft 2 of the Trusted Exchange Framework as well as a public comment period through June 17, 2019. As a member of both the Executive Steering Committee for the ONC’s Payer + FAST FHIR Task Force and the HHS Cybersecurity Task Force (405d), and convener of the National Trust Network Data Sharing and Cybersecurity Task Group, here are my perspectives.
EHNAC commends ONC for streamlining this document and providing the companion document entitled “TEFCA2 Draft User Guide” containing user-friendly charts, basic explanations and multiple practical data exchange examples. The form and content of this User Guide distills the complexity of interoperability into a form and process which is easily understandable.
TEFCA Draft 2 further embraces the Office for Civil Rights concept of each participant of the Health Information Network (HIN) being accountable for the Electronic Health Information (EHI) it creates, receives, maintains and transmits. EHNAC has embedded this requirement for Protected Health Information (PHI) into its 18 accreditation programs and believes strongly that understanding what data is handled, and how and where it is created, received, maintained and transmitted is foundational to safeguarding information.
The MRTCs (Minimum Required Terms and Conditions) Draft 2 requires that Qualified Health Information Networks (QHINs) comply with HIPAA Privacy and Security Rules as it pertains to EHI. This includes complying with NIST Special Publication 800-171 (Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations) as well as ongoing compliance with the current HIPAA Security Rule cross-walked to the NIST Cybersecurity Framework. Additionally, TEFCA Draft 2 also discusses the “Trusted Exchange Framework” (TEF) provided in Appendix 1 and the “QHIN Technical Framework” provided in Appendix 3. These components of the Rule (per TEFCA Draft 1) have been reviewed in detail and the Trusted Network Accreditation Program (TNAP) industry collaborative initiative has addressed them.
Whether a covered entity or business associate, participants and participant members must take reasonable steps to promote the confidentiality, integrity and availability (CIA) of EHI, including maintaining reasonable and appropriate administrative, technical and physical safeguards; to protect against reasonably anticipated impermissible Uses and Disclosures; to identify and protect against reasonably anticipated threats to the security/integrity of EHI; and monitor workforce compliance. EHNAC confirms that all organizations holding current EHNAC accreditation can be assured the requirements of NIST 800-171; the HIPAA Security Rule; the NIST Cybersecurity Framework and more industry accepted standards and best practices are already included as part of their accreditation review framework.
For organizations interested in accreditation programs for Interoperability, EHNAC has created the Trusted Network Accreditation Program (TNAP). In July 2018, EHNAC and 30 other healthcare organizations began an industry collaboration to develop this program which aligns the principles of 21st Century Cures Act/TEFCA Draft 1 including interoperability and security/privacy of healthcare data exchange using the “digital highway.” Emerging technologies such as blockchain, enhanced identity verification/authentication and many industry-led best practices and standards are included. Requirements from HITRUST; NIST 800-171, 800-63A, 800-63B; and HIPAA 45CFR 164. 400-414 and others are embedded. Within the next month (May 2019), this industry-led coalition will launch a comprehensive website devoted to this important issue. In the meantime, call EHNAC at 860.408.1620 if you are interested in participating in this program that is currently in BETA phase.
The Trusted Exchange Framework is an initiative to facilitate interoperability in health IT, as required by the 21st Century Cures Act of 2016, and “advances Congress’ intent that building and maintaining trust is an important core element in ensuring that health information is available where and when it is needed to manage patient health and care”. In January 2019, ONC issued its first draft of the Trusted Exchange Framework.
The period to comment on draft 2 of the Trusted Exchange Framework in addition to MRTCs, and QHIN Technical Framework closes on June 17, 2019. Comments can be submitted at exchangeframework@hhs.gov.