TEFCA promises true data interoperability, but industry must address security challenges


A person is admitted to the emergency room after a car accident. The patient is unconscious, bleeding internally and needs immediate surgery. A rescuer finds the patient's wallet and realizes that he is not from the area and that the hospital has no medical records for him.

The surgeon now faces a crucial and potentially dangerous decision. An estimated 8 million Americans take blood thinners, which makes any surgery that much riskier. Comorbidities and their severity also have a direct impact on surgical outcome, length of stay and the likelihood of direct discharge home. But the surgeon determines that the person will die without intervention, and an operating room is booked.

The ultimate goal of the Trusted Exchange Framework and Common Agreement (TEFCA) is to open up medical information between providers and, ideally, eliminate the above scenario. Under TEFCA, the same unconscious person is admitted. A rescuer enters the patient's driver's license number into the electronic health record (EHR) system, and a nationwide match is found. The treating physician can then access data from other health information networks that share common functional and technical requirements for exchange. With more information, the surgeon can make better-informed decisions about the patient's care.

There is no doubt that full TEFCA implementation will save lives and improve patient care and outcomes. However, the open challenge is how to maintain privacy and security as the number of electronic connections between data networks multiplies: every new network-to-network link is another path an attacker can use to reach patient data.

To maintain patient and provider trust in data exchange networks and reduce data breaches and cyber exposure, accreditation programs are needed to promote best practices, administrative simplification, common exchange standards, open competition and, above all, the protection of the information exchanges themselves.

Patient data wants to be free

Officially published in January 2022, TEFCA is a set of common principles, terms and conditions to support the nationwide exchange of electronic health information across diverse health information networks and platforms. The ultimate goal is to free patient data from information silos and create a common framework for instant information sharing. The US Department of Health and Human Services expects initial testing with the first networks in the fourth quarter of this year.

The framework calls for the creation of qualified health information networks (QHINs) that agree to common exchange terms and functional and technical requirements. QHINs form the communication hubs of the TEFCA network, routing requests, responses and messages between the people, providers and entities exchanging data.

EHR vendor Epic announced its intention to become a QHIN in June. Epic helped build consensus on TEFCA's standards and procedures, so while the announcement is unsurprising, it is still a shot in the arm for the fledgling framework.

Real interoperability of patient data has been the goal for as long as there have been electronic patient records. But anyone who visits more than one medical provider in a year knows that the industry is still a long way off, even among providers within the same hospital or healthcare system. Patient portals, personal health cards, in-case-of-emergency (ICE) smartphone apps and other technologies have been held up as examples of data sharing, but anyone who has tried to navigate one of these portals knows that the information they hold is extremely limited.

Even with today's technology, obtaining medical records requires phone calls, fax machines and patience, lots of patience. It is not uncommon for a patient to wait days or weeks to get the documentation they need. As frustrating as this is for patients, processing and fulfilling these requests is equally time-consuming and frustrating for medical staff.

TEFCA promises a better way forward, but the healthcare industry needs to address its data breach problem first, and that is where third-party accreditation and certification can help.

Accreditation can help ensure the security of data sharing

Certification of IT networks can go a long way toward addressing the interoperability challenge while increasing confidence that healthcare providers are sharing data securely with each other and with patients.

Healthcare continues to be plagued by data breaches and ransomware attacks that compromise patient data. In 2021, more than 700 healthcare organizations reported breaches affecting 500 or more individuals to the Office for Civil Rights' breach portal, better known as the HIPAA "Wall of Shame." These 704 breaches compromised nearly 46 million patient records. Almost three quarters of the incidents were attributed to hacking, with another 20% caused by unauthorized access. And while providers reported 72% of all breaches, business associates accounted for 13% of the total, affecting more than 10.5 million patients.

Healthcare systems are made up of interconnected technologies, care partners and business associates, any of which can be the weak link in the security chain. For the 11th consecutive year, healthcare has had the highest average cost of a data breach of any industry, now exceeding $9 million per incident.

Two recent surveys underscore the need for healthcare networks to be accredited to ensure data security. In the first, 80% of CIOs and CISOs say their organization has experienced a breach originating with a third party in the past 12 months. A second survey shows that 44% of hospitals and healthcare systems do not meet the baseline controls of the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF).

TEFCA interoperability standards will undoubtedly improve the flow and availability of patient information and the quality of physician decision-making in emergencies. However, this free flow of information cannot safely take place in an exchange environment riddled with weaknesses and vulnerabilities.

Hospitals, healthcare systems, acute and post-acute care facilities, technology vendors and business associates already need to manage their overall risk strategy and exposure, both internally and with partners. Industry accreditation and certification of the security and privacy of these data connections is critical to ensuring compliance with standards and best practices while protecting the security, privacy and confidentiality of patient data.
