This year, the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology (ONC) and its Recognized Coordinating Entity (RCE) released the Trusted Exchange Framework and Common Agreement (TEFCA). As the RCE, the Sequoia Project is responsible for developing, implementing, and maintaining the Common Agreement, which sets the technical and legal requirements for health information networks to share electronic health information and which fulfills a mandate of the 21st Century Cures Act.
As jointly explained by National Coordinator for HIT Micki Tripathi and Sequoia Project CEO Mariann Yeager, “Within the health information technology world, few things have been as elusive as a governance framework for nationwide health information exchange … The Common Agreement sets a new baseline for the exchange purposes that need to be supported—a common source of friction across networks today.”
HIEs and QHINs
The Sequoia Project is accepting feedback and input on the processes for being designated a Qualified Health Information Network (QHIN) through June 22, and hopes to have everything finalized by year end. Currently under discussion are draft policies for:
- A QHIN Onboarding and Designation Standard Operating Procedure (SOP), which will outline the criteria for becoming a QHIN, the application evaluation process, and the required testing processes.
- A QHIN Application form, which details the information applicants will be required to submit.
- Types of Entities that can participate as entry points to the “network of networks” structure of TEFCA-compliant QHINs, including health information exchanges (HIEs).
These operationalization details are still being formalized and Yeager has noted that they are “not accepting application submissions” just yet.
But HIEs that want to serve as entry points to that network of networks are going to have to be QHINs. And one item on the qualification list seems certain: QHINs are going to have to achieve and maintain third-party certification to an industry-recognized cybersecurity framework.
Honestly, it’s about darn time.
The health sector has been transitioning to the electronic age for over twenty years, chasing the dream of true interoperability with safeguards for patient privacy protection, strong security, high healthcare standards, and sound business practice. HIEs have been integral to that pursuit.
But achieving true interoperability requires trust in the system. And while data sharing is only one link in that system, it’s an incredibly weak one if it is not secure. Continually worsening trends in healthcare-targeted breaches and cybercrime demonstrate that when it comes to cybersecurity, self-determined preparedness isn’t sufficient—and hasn’t been for quite some time.
HIEs are particularly attractive targets because of the sheer volume of health data they process. Why hack a hospital when you can hack an HIE that connects to thousands of hospitals? Demanding HIEs demonstrate data management and protection proficiency is a no-brainer.
Relying on a third-party accreditation system and framework is the best way to ensure a careful, independent evaluation of the HIPAA compliance and security needs of a modern HIE. At present, only one cybersecurity certification body is listed as meeting the Common Agreement’s criteria: HITRUST.
Why HITRUST Makes Sense
HITRUST’s CSF and validated assessment address a broad set of controls that support both regulatory compliance and sound cybersecurity hygiene. It is already the de facto gold standard in healthcare IT (CMS already requires an active assessment for payers). Leaning on that established standard for HIEs and any future QHIN is thus a logical way to ensure there is “trust” in the Trusted Exchange Framework.
Achieving HITRUST certification substantially lowers the likelihood of a successful cyberattack or protected health information (PHI) breach. Its continuous assessment model gives organizations ongoing visibility into their control posture and a level of IT quality assurance that lets them pursue interoperability with confidence rather than apprehension. Requiring HITRUST lets us use data more safely to solve big healthcare delivery problems and serve communities better.
There are those who might point to the rigor of HITRUST assessments or time and cost required to achieve certification as drawbacks to the Common Agreement’s impending requirements of HIEs. But I’d counter that compulsory directives are necessary and long overdue. As cybersecurity expert and former CISA COVID task force strategist Joshua Corman stated in recent congressional testimony, “Attacks on healthcare are increasing in volume, variety, and impact—with consequences that now include the loss of life…Seatbelts weren’t voluntary. I don’t believe fire escapes were voluntary. Nor kitchen sanitation codes for commercial restaurants. Public safety isn’t free.”
How Cloudticity Can Help HIEs Achieve HITRUST
Cloudticity is a Certified HITRUST Inheritance Partner, which means we are one of the few companies in the world able to accelerate a customer’s path to HITRUST by letting them inherit controls we have already had assessed. As a managed services provider (MSP) for healthcare companies on AWS and Azure, we enable our managed services customers to reduce the work needed to achieve HITRUST by up to 40% on average by enrolling in our HITRUST Inheritance Program.