Why security and privacy efforts must extend to support TEFCA
Applying a standardized security framework can create alignment across the entire TEFCA infrastructure to better maintain trust with consistency and transparency.
Trusted Exchange Framework and Common Agreement is a much-needed and extremely powerful initiative to improve patient outcomes and advance the movement towards true value-based care, but it must be built comprehensively.
A cohesive approach that covers elements of the common agreement, like security and privacy, is imperative so that TEFCA doesn’t face the same challenges that HIPAA laws has faced with breaches.
The Office of the National Coordinator for Health Information Technology and the Sequoia Project as the recognized coordinating entity have done an amazing job of outlining the guidelines, standards, and mechanisms for exchanging data via the TEFCA infrastructure. Qualified health information networks (QHINs) know specifically how they must configure their systems and by what standards, including security and privacy requirements. However, at this time, these prescriptive guidelines and standards stop with the QHINs.
A need for clarity
There is a lack of clarity and standards for the thousands of potential participants and sub-participants that will connect to the TEFCA infrastructure and share sensitive data. A recent State of Interoperability study by Health Gorilla, Flexpa and TheAcademy found that 58 percent of CIOs surveyed support TEFCA, but believe more guardrails and protections are needed for TEFCA to be successful.
Additionally, 31 percent of CIOs surveyed asserted that data security and privacy is their top concern with TEFCA. The study also found that 60 percent of diagnostic labs won’t share data because they want to ensure data protection or have concerns about security and privacy. This poses a significant challenge to the success of TEFCA when potential participants and sub-participants are hesitant to share data because of security and privacy worries.
The need for a standardized approach to security and privacy is paramount to TEFCA gaining nationwide adoption and enabling seamless interoperability. Standardization eliminates the need to build and manage a proprietary process, program, control set or security questionnaires. QHINs and participants can focus on the real mission of TEFCA – the seamless, secure transfer and sharing of data.
Establishing, maintaining trust
Further, applying a standardized security framework creates alignment across the entire TEFCA infrastructure so all parties can establish and maintain trust with consistency and transparency. Each entity can be assured that their TEFCA partners are holding themselves and their other partners to the same security and privacy rigor.
Moreover, this alignment guarantees security and privacy maturity, and compliance with the Common Agreement. If there is an incident within the infrastructure, entities can be confident that they have a defensible position that is widely adopted within the TEFCA ecosystem.
This standardized approach must be adopted with the first wave of QHIN designees. It will be too difficult to institute an appropriate mechanism after the first QHINs have established individual processes.
Ryan Patrick is vice president of adoption and business development for HITRUST.