Summary of Required Flow-Down Provisions and Highlights of Rights and Obligations That Impact Participants and Subparticipants in the Common Agreement Version 1 and QHIN Technical Framework Version 1

Background

The Trusted Exchange Framework and Common Agreement (TEFCA) establishes a floor of universal interoperability across the country through a network of networks. To establish nationwide exchange of health information, TEFCA creates common rules of the road to ensure trust and create efficiency. Therefore, the Common Agreement, which  is signed by the Recognized Coordinating Entity (RCE) and each Qualified Health Information Network (QHIN), provides certain Required Flow-Down provisions that the QHINs will be required to include in their Framework Agreements with their Participants and that those Participants will be required to include in their Framework Agreements with their Subparticipants. All Participants and Subparticipants will be required to sign a Framework Agreement that includes these Required Flow-Down provisions before engaging in TEFCA exchange activities. Participants and Subparticipants will also be required to adhere to additional requirements, such as those concerning security.

The Common Agreement incorporates technical standards and processes that are described in the QHIN Technical Framework (QTF). As with the Common Agreement, the QTF outlines  requirements for Participants and Subparticipants to facilitate secure and efficient data exchange. Additional requirements are included in applicable Standard Operating Procedures (SOPs).

To provide a snapshot of the obligations for Participants and Subparticipants, both the Required Flow-Down provisions in the Common Agreement and other rights and obligations specified in the QTF are summarized in general terms below. Stakeholders should refer to the Common Agreement, the QTF, and the applicable SOPs for the specific provisions and related definitions that apply. QHINs and Participants are obligated to ensure that their Participants and Subparticipants, respectively, agree to comply and incorporate the Required Flow-Down provisions into their respective Framework Agreements.1 Each topic below provides a reference to the related provisions of the Common Agreement. Defined terms from Section 1 of the Common Agreement are capitalized in this summary.

Participants and Subparticipants will need to review their Framework Agreement(s) carefully and should consult with their connection points (e.g., QHIN, Participant, or Upstream Subparticipant) about how these obligations will be operationalized.

Summarized “Required Flow-Down” Provisions and Select2 Rights and Obligations That Impact Participants and Subparticipants (Listed by Common Agreement Section)

Cooperation and Non-Discrimination (Section 6 of the Common Agreement). Participants and Subparticipants will be expected to participate in various activities to collaboratively identify and resolve any security or other issues that arise with respect to TEFCA exchange activities. Participants and Subparticipants will also be expected to treat all other parties to exchange fairly and in a non-discriminatory manner.

Confidentiality and Accountability (Section 7 of the Common Agreement). Participants and Subparticipants generally will be restricted in their use and disclosure of any Confidential Information received under their Framework Agreement(s) and any applicable SOPs. Confidentiality requirements also apply to use of Confidential Information by employees, subcontractors, and agents of a Participant or Subparticipant.  

Utilization of the RCE Directory (Section 8 of the Common Agreement). The RCE Directory contains standardized connectivity information about all of the QHINs, Participants and Subparticipants. It will be used to establish and maintain operational connectivity under the Common Agreement and other Framework Agreements. Information contained in the RCE Directory Service may only be used and/or disclosed for those purposes or as required by law.

TEFCA Exchange Activities (Section 9 of the Common Agreement). The Flow-Down Provisions specify the allowed Uses and Disclosures of TEFCA Information, as well as the expectations of QHINs, Participants and Subparticipants to Respond to a Request for information.

  • Request. A Participant or Subparticipant may only Request information under a Framework Agreement for a specific Exchange Purpose if the Participant or Subparticipant is the type of person or entity that is described in the definition of the applicable Exchange Purpose. For example, only a Health Care Provider as described in the definition of Treatment (or a Business Associate, agent, or contractor acting on that Health Care Provider’s behalf) may Request TEFCA Information for the Exchange Purpose of Treatment.3
  • Uses and/or Disclosures. Participants and Subparticipants may Use and/or Disclose TEFCA Information in any manner that: (1) is not prohibited by Applicable Law; (2) is consistent with Signatory’s Privacy and Security Notice, if applicable; and (3) is in accordance with the Privacy (Section 11) and Security (Section 12) provisions of the Common Agreement.
  • Responses. QHINs must support all Exchange Purposes. Participants and Subparticipants are permitted to Respond to all Exchange Purposes but are only required to Respond to those designated as “required” in the Exchange Purposes SOP. The initial required Exchange Purposes will be Treatment and Individual Access Services (IAS). In Response to a Request, Participants and Subparticipants must provide all relevant Required Information (as may be further specified in an implementation SOP for the applicable Exchange Purpose). However, a Response is not required if providing the Required Information is prohibited by Applicable Law or the Common Agreement or if not providing the Required Information is consistent with all Applicable Law and the Common Agreement.
  • Exceptions. There are additional circumstances under which Participants and Subparticipants would be permitted, but not required, to Respond to a Request. These include:
    • If the Participant or Subparticipant is a Public Health Authority;
    • If the Participant or Subparticipant is a benefits-determining governmental agency;
    • If the reason asserted for the Request is IAS and the information would not be required to be provided to an Individual pursuant to the HIPAA Right of Access (45 CFR § 164.524(a)(2));
    • If the Requested information is not Required Information, provided such Response would not otherwise violate the terms of the Common Agreement;
    • If the Participant or Subparticipant is a federal agency, to the extent that the Requested Disclosure of Required Information is not permitted under Applicable Law (e.g., it is Controlled Unclassified Information as defined at 32 CFR Part 2002, and the party requesting it does not comply with the applicable policies and controls that the federal agency adopted to satisfy its requirements); or
    • If the Exchange Purpose is authorized but not required at the time of the Request, either under the Common Agreement or the Exchange Purposes SOP.
  • Other Applicable Law. The Framework Agreements will require Participants and Subparticipants to comply with Applicable Law that requires an Individual either to consent to, approve, or provide an authorization for the Use or Disclosure of that Individual’s information. For example, a Participant or Subparticipant must comply with a state law relating to sensitive health information that is more stringent than HIPAA and/or the privacy provisions of the Common Agreement if the Participant or Subparticipant is subject to that state law. The QHIN Technical Framework describes how copies of any needed consent, approval, or authorization shall be maintained and transmitted by whichever party is required to obtain it under Applicable Law. Participants and Subparticipants that are IAS Providers must also comply with specific consent requirements laid out in Section 10 of the Common Agreement.

Individual Access Services (Section 10 of the Common Agreement). IAS support an Individual in gathering his or her health information from all entities connected via QHIN-to-QHIN exchange. Participants and Subparticipants may elect to offer IAS, but are not required to do so. Participants and Subparticipants that offer IAS will be required to obtain an Individual’s express consent, and may implement secure electronic means (e.g., secure e-mail, secure web portal) by which an Individual may submit such written consent. IAS Providers must develop and make publicly available a written privacy and security notice (the “Privacy and Security Notice”) that adheres to the requirements in Section 10.3 of the Common Agreement.

  • Individual Rights. Individuals have, and must be clearly informed of, the right to require that all of their Individually Identifiable information maintained by an IAS Provider be deleted, unless such deletion is prohibited by Applicable Law and with the exception of Individually Identifiable information contained in audit logs. Individuals also have the right to an export of their Individually Identifiable information in a computable format, including the means to interpret such information as set forth in Section 10.4.
  • Security. Participants and Subparticipants that offer IAS will be subject to both the security requirements set forth in Section 12 and additional requirements in Section 10.5 related to encryption of all Individually Identifiable information and providing a TEFCA Security Incident Notification to Individuals.
  • Survival (i.e., ongoing obligations). In the event a Participant or Subparticipant that offers IAS terminates its Framework Agreement, that Participant or Subparticipant will nonetheless be required to continue to comply with certain provisions of Section 10 for a specified period of time following such termination. These surviving IAS provisions and time periods are set forth in Section 10.6 of the Common Agreement.
  • Subcontractors and Agents. Section 10.7 of the Common Agreement also identifies provisions with which Participants and Subparticipants that offer IAS must require compliance by any subcontractors and/or agents the Participant or Subparticipant engages in the furnishing of IAS.

Privacy (Section 11 of the Common Agreement). Most Participants and Subparticipants are likely to be HIPAA Covered Entities or Business Associates, which means they will generally protect TEFCA Information as Protected Health Information under HIPAA. To maintain a common approach to privacy, Section 11.1 of the Common Agreement identifies a set of HIPAA Privacy Rule provisions that Non-HIPAA Entity Participants or Subparticipants will be required to follow with respect to all Individually Identifiable information that they reasonably believe is TEFCA Information. However, this requirement does not extend to Non-HIPAA Entities acting as an entity entitled to make a Government Benefits Determination under Applicable Law, a Public Health Authority, or a Government Health Care Entity.

Section 11.2 specifies that Participants and Subparticipants must develop, implement, make publicly available, and act in accordance with a written privacy policy describing their privacy practices with respect to Individually Identifiable information that is Used or Disclosed pursuant to their Framework Agreements. The written privacy policy requirement can be satisfied by including applicable content consistent with the HIPAA Rules into an existing privacy policy, except with respect to IAS Providers. IAS Providers must meet the Privacy and Security Notice requirements in Section 10.3 of the Common Agreement.

Security (Section 12 of the Common Agreement). Participants and Subparticipants will be required to implement and maintain appropriate security controls for TEFCA Information that are commensurate with risks to the confidentiality, integrity, and availability of the TEFCA Information as part of their Framework Agreements. If any Participant or Subparticipant is a Non-HIPAA Entity, it will be required to comply with the HIPAA Security Rule provisions with respect to all Individually Identifiable information that the Participant or Subparticipant reasonably believes is TEFCA Information as if such information were Protected Health Information and the Participant or Subparticipant were a Covered Entity or Business Associate. Participants and Subparticipants will also be required to implement and maintain any additional security requirements that may be set forth in an SOP applicable to Participants and Subparticipants as part of their Framework Agreements.

Additionally, Section 12 imposes specific conditions upon the Use of TEFCA Information outside the United States and/or the Disclosure of TEFCA Information to a person or entity outside of the United States. Participants and Subparticipants would only be permitted to Use and/or Disclose TEFCA Information outside the United States as permitted or required by Applicable Law.  Participants and Subparticipants that Use and/or Disclose TEFCA Information outside of the United States would also be required to ensure such Use or Disclosure conforms with the HIPAA Security Rule, regardless of whether the Participant or Subparticipant is a Covered Entity or Business Associate.  To meet the foregoing requirement, Participants and Subparticipants would be required to conduct a risk assessment to evaluate the risks of any such extraterritorial Uses and/or Disclosures of Individually Identifiable information that is reasonably believed to be TEFCA Information.  The risk assessment required under Section 12.2 would be required on an annual basis and prior to any new or substantially different type of non-U.S. Use(s) or Disclosure(s).  

Section 12 also requires Participants and Subparticipants to report TEFCA Security Incidents to certain other organizations with which the affected Participant or Subparticipant is connected pursuant to a Framework Agreement.  Section 12.3 describes this notification structure, as well as the time period for providing the notification and the minimum information that must be included in the notification. 

General Obligations (Section 13 of the Common Agreement). Participants and Subparticipants are expected to comply with all Applicable Law and any provision required by their Framework Agreements, including all applicable SOPs and provisions of the QTF. The Common Agreement specifies the obligations of QHINs and Participants to take reasonable steps to confirm that all Participants and Subparticipants, respectively, are abiding by the Required Flow-Downs and all applicable SOPs and take steps to correct any deficiencies. This includes a grant of authority to the RCE to suspend a Participant’s or Subparticipant’s right to engage in any QHIN-to-QHIN exchange activities in specific circumstances, such as a threat to the security of TEFCA Information or to the infrastructure of a QHIN, or in the case of a threat to National Security.  Section 13 also outlines the parts of a Framework Agreement that would survive after an Agreement is terminated, with related timeframes.

QTF Requirements that Apply to Participants and Subparticipants

The QTF principally describes the standards and processes for technical connectivity among QHINs and is incorporated into the Common Agreement in Section 14. Therefore, the requirements that apply to Participants and Subparticipants generally focus on functional requirements by Participants and Subparticipants necessary to complete an exchange. The requirements below reference specific elements of the QTF Version 1.

To facilitate TEFCA exchange, Participants and Subparticipants:

  • Must share their own facility details with their QHIN for publication in the RCE Directory Service. This includes, for example, entity names and addresses, including for all entities within a multi-facility organization (QTF-103).
  • Must maintain secure connections between the QHIN and Participant with which they have signed a Framework Agreement (QHIN to Participant) (QTF-011).
  • Must maintain audit logs of transactions sent and received via TEFCA exchange (QTF-102).
  • Must properly handle and follow the specified Access Consent Policies in the QTF that facilitate the exchange of patient consent requirements, when needed (QTF-096-101).
  • When initiating a Query or Message Delivery:
  • When Responding to a Query:
    • Must send only one patient identity for each matching patient in response to a patient discovery query (this step may be completed by the QHIN on behalf of the Participant/Subparticipant) (QTF-088); and
    • Should support C-CDA 2.1 templates and code data within documents to nationally standardized code systems (such as those defined in USCDI) (QTF-090, 091, 092).

References

1 Sections 14.1 through 14.4 in the Common Agreement Version 1 are not “Required Flow-Downs.” However, Section 14.2, Compliance with Standard Operating Procedures, states that a QHIN shall require that its Participants and their Subparticipants agree in writing to comply with all applicable SOPs. Further, Section 14.3, Incorporation of Required Flow-Downs in Framework Agreements, requires that (1) each of a QHIN’s Participants be responsible for incorporating the Required Flow-Downs into all Participant-Subparticipant Agreements; and (2) each of a QHIN’s Participants be responsible for requiring that each of their Subparticipants incorporate the Required Flow-Downs into all Downstream Subparticipant Agreements, if any.

2 This list includes summaries of all provisions in the Common Agreement Version 1 that are “Required Flow-Down” provisions. It also includes summaries of certain provisions that are applicable only to QHINs, but that have notable impact on Participants and Subparticipants. All aspects of the Common Agreement Version 1 have at least indirect impacts on Participants and Subparticipants and therefore are not all summarized here. Please review the Common Agreement Version 1 in its entirety for a complete description of “Required Flow-Down” provisions and of other requirements in the Common Agreement.

3 QHINs are prohibited from engaging in QHIN-to-QHIN exchange for any purpose other than an Exchange Purpose under the Common Agreement. However, QHINs, Participants, and Subparticipants may participate in other networks, as well as non-network information exchange. This Common Agreement does not affect the reasons for which Participants and Subparticipants may request and exchange information within other networks and/or under other agreements.

4 Whether a Participant or Subparticipant elects to offer IAS does not affect that Participant’s or Subparticipant’s obligations to Respond to IAS Requests under the Required Flow-Down provisions of Section 9 of the Common Agreement.
