Archived Resource

Types of Entity that Can Be a Participant SOP Feedback

The RCE sought feedback on the draft Types of Entities That Can Be a Participant or Subparticipant in TEFCA Standard Operating Procedure (SOP) released May 16, 2022. In addition to engaging the RCE through the public, virtual events, organizations and individuals may have chosen to submit written feedback.

All feedback submitted to the RCE is publicly available below.

Feedback Received

AHIP appreciates the opportunity to comment in response to the SOP. We offer three key points to better develop the substance of this SOP:

1) We appreciate the SOP specifies that HIPAA Covered Entities, which include health insurance providers, are eligible to be both Participants and Subparticipants. We believe each health insurance provider should be able to choose whether to participate and as what type of entity based on their business model or corporate structure. Given the broad nature of the definitions, however, we encourage the RCE to educate stakeholders using more concrete examples of what types of entities can qualify as QHINs, Participants and Subparticipants. Clarifying the role of health insurance providers, among other stakeholders, will prompt more interest and engagement, particularly at these initial and intermediate stages.

2) For the section discussing “TEFCA Exchange Purposes,” we believe it is vital to address more fully the allowed HIPAA purposes of “treatment, payment and healthcare operations.” Many of these purposes are not currently conducted in electronic environments. For example, care management often takes place via phone or facsimile rather than through an electronic process. If electronic functionality does exist, the exchanges are focused primarily on the existing treatment-based network. We recommend that the SOP explain in more detail how the payment and healthcare operations functions will occur in the TEFCA environment. A separate SOP may be the best way to clarify this information.

3) The RCE has stated in past educational events that Health Information Exchanges (HIEs) will be able to apply for QHIN status. The RCE’s technical and supplemental documents discuss moving to a FHIR-based standard. Questions remain that if an HIE does not have any current or future planned capabilities to move to FHIR, how or will this meet the FHIR roadmap for TEFCA? Most payers have FHIR capabilities and would not need a HIE to connect to providers via TEFCA as long as provider directories are complete. We respectfully request clarification in this or a related SOP addressing FHIR and QHINs that do and do not support that functionality, along with the potential business and technological impacts of such implementation decisions.

For the "Updated QHIN Security Requirements for the Protection of TEFCA Information SOP," the SOP describes that the QHIN must obtain a cybersecurity certification and an annual security assessment. The SOP does not explain whether or if these requirements will be required to “flow down” to Participants and Subparticipants as part of the TEFCA contracting processes. This information is needed as entities assess the potential costs and benefits of participating.

Also, when conducting security assessments, the RCE should clarify whether current industry standards will be used (e.g., Standardized Information Gathering (SIG), System and Organization Controls (SOC1 and SOC2)) and that new requirements will not be imposed. Requiring standards that are different than typical industry methods can be costly and could result in conflicts with the existing processes being used.

In addition, the Updated QHIN Security Requirements for the Protection of TEFCA Information SOP does not describe whether any federal agencies will be notified if discrepancies are found in any of the TEFCA processes, and specifically the certifications and assessments. Since TEFCA is being operated pursuant to a contract between the RCE and the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC), will ONC take enforcement actions? Will ONC be making referrals for investigations and enforcement to the HHS Office for Civil Rights? These questions should be addressed in a transparent and public way so that entities understand the potential compliance impacts of TEFCA participation. We recommend that enforcement actions not be initiated for entities operating in good faith under the TEFCA structure.
