Releases Include Definitions, Updated QHIN Security Requirements for the Protection of TEFCA Information, and the List of Cybersecurity Certifications Under Consideration
The Sequoia Project, selected by the Office of the National Coordinator for Health IT (ONC) as the Recognized Coordinating Entity (RCE) to support the implementation of the Trusted Exchange Framework and Common Agreement (TEFCA), today released additional details regarding the process and requirements for becoming a Qualified Health Information Network (QHIN). The Sequoia Project is requesting feedback on these items before the final documents are released.
“Throughout the TEFCA development process, we’ve sought to instill the principles of transparency and community engagement, which are core to The Sequoia Project’s values,” said Mariann Yeager, chief executive officer of The Sequoia Project. “The feedback we receive through our events, website, and email has been invaluable as we operationalize TEFCA and finalize implementation resources. We look forward to another robust round of engagement regarding the QHIN Onboarding and Designation SOP and the QHIN Application this month.”
The items being released for review include:
- Draft QHIN Onboarding and Designation Standard Operating Procedure (SOP), including requirements and criteria for becoming a QHIN, the process that will be used to evaluate applicants, and the required testing processes.
- Draft QHIN Application that details the proposed application information.
- Draft Types of Entities That Can Be a Participant or Subparticipant in TEFCA SOP which can help entities determine the entry point to the network of TEFCA-compliant QHINs that works for them.
The RCE is seeking stakeholder input on all three documents through June 15, 2022. Drafts are available on the RCE website.
In addition, the forthcoming SOPs are listed in the table below:
TEFCA Standard Operating Procedures Release Schedule
|SOP Name||Summary Description||Expected Publication of Final Version 1|
|1||SOP: QHIN Security Requirements for the Protection of TEFCA Information (TI) (Update)||Updates the SOP to include additional information regarding QHIN security certification requirements and a list of approved certification programs.||Version 1.1 released today*|
|2||SOP: Exchange Purposes||This SOP identifies the exchange purposes that are authorized under the Common Agreement (or in the SOP itself) and specifies which exchange purposes require responses. The Common Agreement authorizes the exchange purposes of treatment, payment, health care operations, public health, government benefits determination, and individual access services—these exchange purposes are available immediately when QHINs go live. Once an SOP for a particular exchange purpose is finalized, QHINs, Participants, and Subparticipants would need to support exchange pursuant to that SOP.||June 2022*|
|3||SOP: RCE Fee Structure for QHINs (Schedule 1)||Specifies the fee structure for fees charged to a QHIN by the RCE (initially such fees would be set at zero).||June 2022*|
|4||SOP: Types of Entities That Can Be a Participant or Subparticipant in TEFCA||Specifies the types of entities that can be Participants or Subparticipants.||July 2022|
|5||SOP: QHIN Onboarding and Designation (and QHIN Application)||Specifies the requirements QHINs must meet, including those needed to be eligible to apply for designation.||August 2022|
|6||SOP: Means to Demonstrate U.S. Ownership and Control of a QHIN||Specifies the Common Agreement policy regarding QHIN foreign ownership.||August 2022|
|7||SOP: Individual Access Service (IAS) Provider Privacy and Security Notice||Sets forth the implementation of the requirements in Common Agreement 10.3.||August 2022|
|8||SOP: Individual Access Services (IAS) Exchange Purpose Implementation||Specifies the expectations of IAS providers, including demographics-based matching and identity proofing.||August 2022|
|9||SOP: Participant and Subparticipant Security||Specifies security requirements for Participants and Subparticipants.||October 2022|
|10||SOP: Other Security Incidents and Reportable Events||Further specifies the Common Agreement’s definition of TEFCA Security Incident(s).||End of 2022|
|11||SOP: Payment and Health Care Operations Exchange Purpose Implementation||The Common Agreement itself specifies that payment and health care operations are authorized exchange purposes, meaning that they are available to be used by QHINs, Participants, and Subparticipants immediately when QHINs go live. This SOP will further define the parameters under which responses to queries are required for these exchange purposes.||Early 2023|
|12||SOP: Public Health Exchange Purpose Implementation||The Common Agreement itself specifies that public health is an authorized exchange purpose, meaning that it is available to be used by QHINs, Participants, and Subparticipants immediately when QHINs go live. This SOP will further define the parameters under which responses to queries are required for this exchange purpose.||Early 2023|
|13||SOP: Government Benefits Determination Exchange Purpose Implementation||The Common Agreement itself specifies that government benefits determination is an authorized exchange purpose, meaning that it is available to be used by QHINs, Participants, and Subparticipants immediately when QHINs go live. This SOP will further define the parameters under which responses to queries are required for this exchange purpose.||Mid 2023|
|14||SOP: Suspensions Process||Specifies requirements and timelines related to suspension per Common Agreement 16.4.1.||2023|
|15||SOP: Successor RCE and Transition||Specifies processes and requirements if there is a change in RCE.||2023|
|*As a result of the significant input that already has been received throughout the TEFCA development process, these SOPs will be released in final form. All SOPs may be revised in the future, and ongoing feedback on any SOP is welcome at any time.|
“Since TEFCA’s release on January 18, 2022, we’ve been entirely focused on hitting our promised timeline of potential live exchange before the year’s end,” continued Yeager. “We look forward to the thoughtful input of potential QHINs and other stakeholders to carefully consider these drafts. Remember that these documents are just that – drafts. We’re not accepting application submissions at this time.”
It is anticipated that the final QHIN Onboarding and Designation SOP Version 1 and final QHIN Application Version 1, both expected in late summer, may differ from the drafts released today, depending on feedback received.
The RCE also released the updated “QHIN Security Requirements for the Protection of TEFCA Information (TI) SOP” on the RCE website and launched an online resource where it will maintain a list of cybersecurity certifications for QHINs. Per the Common Agreement, QHINs must achieve and maintain third-party certification to an industry-recognized cybersecurity framework demonstrating compliance with all relevant security controls.
Prospective QHIN organizations can now access the initial list of cybersecurity certifications published on the RCE website to prepare themselves for the application and potential onboarding process.
On Tuesday, May 17th at noon Eastern time, the RCE will host its monthly informational call and will review today’s release at a high-level. The RCE will also be hosting a public webinar on Wednesday, May 25th, 3 p.m. to 5 p.m. Eastern time, which will be a focused review of the draft QHIN Onboarding and Designation SOP and draft QHIN Application. Registration is now open for both events: https://rce.sequoiaproject.org/community-engagement/.