The Trusted Exchange Framework and Common Agreement (TEFCA) establishes a floor of universal interoperability across the country through a network of networks. To establish nationwide exchange of health information, TEFCA creates common rules of the road to ensure trust and create efficiency. Therefore, the Common Agreement, which is signed by the Recognized Coordinating Entity (RCE) and each Qualified Health Information Network (QHIN), provides certain Required Flow-Down provisions that the QHINs will be required to include in their Framework Agreements with their Participants and that those Participants will be required to include in their Framework Agreements with their Subparticipants. All Participants and Subparticipants will be required to sign a Framework Agreement that includes these Required Flow-Down provisions before engaging in TEFCA exchange activities. Participants and Subparticipants will also be required to adhere to additional requirements, such as those concerning security.
The Common Agreement incorporates technical standards and processes that are described in the QHIN Technical Framework (QTF). As with the Common Agreement, the QTF outlines requirements for Participants and Subparticipants to facilitate secure and efficient data exchange. Additional requirements are included in applicable Standard Operating Procedures (SOPs).
To provide a snapshot of the obligations for Participants and Subparticipants, both the Required Flow-Down provisions in the Common Agreement and other rights and obligations specified in the QTF are summarized in general terms below. Stakeholders should refer to the Common Agreement, the QTF, and the applicable SOPs for the specific provisions and related definitions that apply. QHINs and Participants are obligated to ensure that their Participants and Subparticipants, respectively, agree to comply and incorporate the Required Flow-Down provisions into their respective Framework Agreements.1 Each topic below provides a reference to the related provisions of the Common Agreement. Defined terms from Section 1 of the Common Agreement are capitalized in this summary.
Participants and Subparticipants will need to review their Framework Agreement(s) carefully and should consult with their connection points (e.g., QHIN, Participant, or Upstream Subparticipant) about how these obligations will be operationalized.
Cooperation and Non-Discrimination (Section 6 of the Common Agreement). Participants and Subparticipants will be expected to participate in various activities to collaboratively identify and resolve any security or other issues that arise with respect to TEFCA exchange activities. Participants and Subparticipants will also be expected to treat all other parties to exchange fairly and in a non-discriminatory manner.
Confidentiality and Accountability (Section 7 of the Common Agreement). Participants and Subparticipants generally will be restricted in their use and disclosure of any Confidential Information received under their Framework Agreement(s) and any applicable SOPs. Confidentiality requirements also apply to use of Confidential Information by employees, subcontractors, and agents of a Participant or Subparticipant.
Utilization of the RCE Directory (Section 8 of the Common Agreement). The RCE Directory contains standardized connectivity information about all of the QHINs, Participants and Subparticipants. It will be used to establish and maintain operational connectivity under the Common Agreement and other Framework Agreements. Information contained in the RCE Directory Service may only be used and/or disclosed for those purposes or as required by law.
TEFCA Exchange Activities (Section 9 of the Common Agreement). The Flow-Down Provisions specify the allowed Uses and Disclosures of TEFCA Information, as well as the expectations of QHINs, Participants and Subparticipants to Respond to a Request for information.
Individual Access Services (Section 10 of the Common Agreement). IAS support an Individual in gathering his or her health information from all entities connected via QHIN-to-QHIN exchange. Participants and Subparticipants may elect to offer IAS, but are not required to do so. Participants and Subparticipants that offer IAS will be required to obtain an Individual’s express consent, and may implement secure electronic means (e.g., secure e-mail, secure web portal) by which an Individual may submit such written consent. IAS providers must develop and make publicly available a written privacy and security notice (the “Privacy and Security Notice”) that adheres to the requirements in Section 10.3 of the Common Agreement.
Privacy (Section 11 of the Common Agreement). Most Participants and Subparticipants are likely to be HIPAA Covered Entities or Business Associates, which means they will generally protect TEFCA Information as Protected Health Information under HIPAA. To maintain a common approach to privacy, Section 11.1 of the Common Agreement identifies a set of HIPAA Privacy Rule provisions that Non-HIPAA Entity Participants or Subparticipants will be required to follow with respect to all Individually Identifiable information that they reasonably believe is TEFCA Information. However, this requirement does not extend to Non-HIPAA Entities acting as an entity entitled to make a Government Benefits Determination under Applicable Law, a Public Health Authority, or a Government Health Care Entity.
Section 11.2 specifies that Participants and Subparticipants must develop, implement, make publicly available, and act in accordance with a written privacy policy describing their privacy practices with respect to Individually Identifiable information that is Used or Disclosed pursuant to their Framework Agreements. The written privacy policy requirement can be satisfied by including applicable content consistent with the HIPAA Rules into an existing privacy policy, except with respect to IAS Providers. IAS Providers must meet the Privacy and Security Notice requirements in Section 10.3 of the Common Agreement.
Security (Section 12 of the Common Agreement). Participants and Subparticipants will be required to implement and maintain appropriate security controls for TEFCA Information that are commensurate with risks to the confidentiality, integrity, and availability of the TEFCA Information as part of their Framework Agreements. If any Participant or Subparticipant is a Non-HIPAA Entity, it will be required to comply with the HIPAA Security Rule provisions with respect to all Individually Identifiable information that the Participant or Subparticipant reasonably believes is TEFCA Information as if such information were Protected Health Information and the Participant or Subparticipant were a Covered Entity or Business Associate. Participants and Subparticipants will also be required to implement and maintain any additional security requirements that may be set forth in an SOP applicable to Participants and Subparticipants as part of their Framework Agreements.
Additionally, Section 12 imposes specific conditions upon the Use of TEFCA Information outside the United States and/or the Disclosure of TEFCA Information to a person or entity outside of the United States. Participants and Subparticipants would only be permitted to Use and/or Disclose TEFCA Information outside the United States as permitted or required by Applicable Law. Participants and Subparticipants that Use and/or Disclose TEFCA Information outside of the United States would also be required to ensure such Use or Disclosure conforms with the HIPAA Security Rule, regardless of whether the Participant or Subparticipant is a Covered Entity or Business Associate. To meet the foregoing requirement, Participants and Subparticipants would be required to conduct a risk assessment to evaluate the risks of any such extraterritorial Uses and/or Disclosures of Individually Identifiable information that is reasonably believed to be TEFCA Information. The risk assessment required under Section 12.2 would be required on an annual basis and prior to any new or substantially different type of non-U.S. Use(s) or Disclosure(s).
Section 12 also requires Participants and Subparticipants to report TEFCA Security Incidents to certain other organizations with which the affected Participant or Subparticipant is connected pursuant to a Framework Agreement. Section 12.3 describes this notification structure, as well as the time period for providing the notification and the minimum information that must be included in the notification.
General Obligations (Section 13 of the Common Agreement). Participants and Subparticipants are expected to comply with all Applicable Law and any provision required by their Framework Agreements, including all applicable SOPs and provisions of the QTF. The Common Agreement specifies the obligations of QHINs and Participants to take reasonable steps to confirm that all Participants and Subparticipants, respectively, are abiding by the Required Flow-Downs and all applicable SOPs and take steps to correct any deficiencies. This includes a grant of authority to the RCE to suspend a Participant’s or Subparticipant’s right to engage in any QHIN-to-QHIN exchange activities in specific circumstances, such as a threat to the security of TEFCA Information or to the infrastructure of a QHIN, or in the case of a threat to National Security. Section 13 also outlines the parts of a Framework Agreement that would survive after an Agreement is terminated, with related timeframes.
The QTF principally describes the standards and processes for technical connectivity among QHINs and is incorporated into the Common Agreement in Section 14. Therefore, the requirements that apply to Participants and Subparticipants generally focus on functional requirements by Participants and Subparticipants necessary to complete an exchange. The requirements below reference specific elements of the QTF Version 1.
To facilitate TEFCA exchange, Participants and Subparticipants:
1 Sections 14.1 through 14.4 in the Common Agreement are not “Required Flow-Downs.” However, Section 14.2, Compliance with Standard Operating Procedures, states that a QHIN shall require that its Participants and their Subparticipants agree in writing to comply with all applicable SOPs. Further, Section 14.3, Incorporation of Required Flow-Downs in Framework Agreements, requires that (1) each of a QHIN’s Participants be responsible for incorporating the Required Flow-Downs into all Participant-Subparticipant Agreements; and (2) each of a QHIN’s Participants be responsible for requiring that each of their Subparticipants incorporate the Required Flow-Downs into all Downstream Subparticipant Agreements, if any.
2 This list includes summaries of all provisions in the Common Agreement that are “Required Flow-Down” provisions. It also includes summaries of certain provisions that are applicable only to QHINs, but that have notable impact on Participants and Subparticipants. All aspects of the Common Agreement have at least indirect impacts on Participants and Subparticipants and therefore are not all summarized here. Please review the Common Agreement in its entirety for a complete description of “Required Flow-Down” provisions and of other requirements in the Common Agreement.
3 QHINs are prohibited from engaging in QHIN-to-QHIN exchange for any purpose other than an Exchange Purpose under the Common Agreement. However, QHINs, Participants, and Subparticipants may participate in other networks, as well as non-network information exchange. This Common Agreement does not affect the reasons for which Participants and Subparticipants may request and exchange information within other networks and/or under other agreements.
4 Whether a Participant or Subparticipant elects to offer IAS does not affect that Participant’s or Subparticipant’s obligations to Respond to IAS Requests under the Required Flow-Down provisions of Section 9 of the Common Agreement.