
What's in HHS' New Plan for Nationwide Health Data Exchange?

Elise Sweeney Anthony of ONC Describes TEFCA's Privacy, Security Proposals
Elise Sweeney Anthony, executive director of policy, ONC

What are the key privacy and security requirements proposed in the latest draft of the Trusted Exchange Framework and Common Agreement issued by federal regulators to promote nationwide, secure health data exchange? Elise Sweeney Anthony of the Office of the National Coordinator for Health IT explains.

The latest draft of TEFCA, released in April, reflects some of the feedback from the 200 comments that ONC received on its first draft of TEFCA that was issued in January 2018, says Anthony of the Department of Health and Human Services' ONC.

ONC is accepting public comment on the latest draft until June 17. That feedback will be considered as ONC works on the final version of TEFCA, she says in an interview with Information Security Media Group.

The ultimate goal of interoperable, nationwide, secure health data exchange is to improve healthcare coordination and patient outcomes - as called for under the 21st Century Cures Act.

Technical 'Pipes'

One of the biggest changes in draft 2 is ONC's creation of a new, separate sub-document - the Qualified Health Information Network Technical Framework - that outlines all the technical specifications for how nationwide secure health information exchange will happen, she says.

"In order for network-to-network exchange to be effective, you have to have the right policies in place, the right governance components - but you also have to have the pipes well laid out about how that exchange is going to happen," she says.

ONC has also outlined minimum privacy and security requirements for the qualified health information networks - or QHINs - that will facilitate secure data exchange, she notes.

For instance, under the Common Agreement, entities that do not fall under the jurisdiction of HIPAA that elect to participate in health data exchange would be bound by certain provisions that align with the HIPAA safeguards.

NIST Standards

But some requirements go further, including calling for some specifications laid out by the National Institute of Standards and Technology's Cybersecurity Framework, she notes.

"We include particular [NIST] requirements for identity proofing as well as user authentication," she says. "We've worked closely with our federal partners to think through what are the right requirements to support the movement of information ... in a secure way."

In the interview (see audio link below photo), Anthony also discusses:

  • Other updates and changes contained in the latest draft of TEFCA;
  • How various TEFCA proposals align with HIPAA;
  • What's next for TEFCA.

In her role as executive director of policy at ONC, Anthony leads the agency's engagement on a range of policy efforts. Previously, she served as ONC's deputy director of policy, where she led the agency's coordination with the Centers for Medicare and Medicaid Services on the electronic health record incentive program regulations. Before joining ONC, Anthony, who is an attorney, spent several years spearheading a variety of health improvement initiatives at a law firm.
