Sizing Up Revised Model for National Health Data Exchange
Do the Minimum Privacy and Security Requirements Go Far Enough?
Healthcare stakeholders and security and privacy experts are sizing up the second draft of the government's proposed Trusted Exchange Framework and Common Agreement, which is designed to promote secure, interoperable nationwide health data exchange.
The new draft is yet another attempt to pave the way for national data exchange after the failure of many previous efforts dating back to the 1990s.
The latest iteration of TEFCA includes a list of minimum security and privacy requirements for the "qualified health information networks" that facilitate secure health data exchange, as well as various participants in the exchange.
While some experts say the latest proposal is a solid step forward toward bolstering the security of health data exchange, others say the emphasis on the HIPAA privacy and security rules as a model for safeguarding that data may be setting the bar too low.
TEFCA, Take Two
The TEFCA draft, recently unveiled by the Department of Health and Human Services' Office of the National Coordinator for Health IT, is part of a federal effort to improve the interoperability of health information technology, especially electronic medical records systems, and bolster secure, national exchange of health information. The ultimate goal is to improve healthcare coordination and patient outcomes - as called for under the 21st Century Cures Act.
Under the latest draft of TEFCA, "qualified health information networks" and participants would be required to implement strong privacy and security protections, ONC says.
The Trusted Exchange Framework, or TEF, and the Common Agreement are two distinct components that aim to create technical and legal requirements for sharing electronic health information on a nationwide scale across disparate health information networks, ONC writes.
The TEF describes a common set of principles that facilitate trust between HINs. These principles would serve as "rules of the road" for nationwide electronic health information exchange.
The Common Agreement would provide the governance necessary to scale a functioning system of connected HINs that will grow over time to meet the demands of individuals, clinicians, and payers. The architecture would follow a "network of networks" structure, which allows for multiple points of entry and is inclusive of many different types of health care entities.
Under the Common Agreement, entities that do not fall under the jurisdiction of HIPAA that elect to participate in health data exchange would be bound by certain provisions that align with the HIPAA safeguards, according to ONC.
"This will bolster data integrity, confidentiality, and security, which is necessary given the evolving cybersecurity threat landscape," ONC says.
ONC issued its first draft of TEFCA in January 2018 and received dozens of comments (see: Analysis: Security Elements of 'Trusted Exchange Network').
ONC is also accepting public comment until June 17 on its latest draft of TEFCA.
The second draft of the TEFCA includes three components: new drafts of the "trusted exchange framework" and the "minimum required terms and conditions" and a first draft of a "Qualified Health Information Network" technical framework.
The three documents are designed to help provide a single "on-ramp" to nationwide connectivity, enable electronic health information to securely follow the patient when and where it is needed, and support nationwide scalability, ONC says.
Stakeholders would have the option of participating in multiple levels of the trusted exchange framework and common agreement environment as appropriate, ONC says.
Three Exchange Modalities
Under the TEFCA draft 2, ONC is continuing its concept of qualified health information networks, which would have the technical capabilities to connect participants on a nationwide scale. Some examples of participants could include a health system, a health IT developer, a payer or a federal agency, ONC says.
Like the first version of TEFCA, the second draft also supports three modalities for secure exchange of health information.
One of the modalities included in the first version - "population-level data exchange" - has been dropped in favor of QHIN Message Delivery or "push" messaging to send electronic health information to one or more QHINs for delivery to one or more participants or individuals.
Scott Stuewe, president and CEO of DirectTrust - the collaborative that maintains the policies, standards, and practices of the Direct protocol for point-to-point encrypted messaging for healthcare - says he's pleased that the latest version of TEFCA supports modalities beyond query-based exchange, "including push messaging like the DirectTrust network enables today."
Minimum Privacy, Security Requirements
Under the Common Agreement in TEFCA draft 2, QHINs and participants would have to abide by a set of "minimum privacy and security requirements," ONC says.
QHINs would have to abide by the HIPAA privacy and security rules as if those rules applied to electronic health information, ONC notes. They would also have to evaluate their security programs on an annual basis in accordance with NIST Special Publication 800-171.
When identifying vulnerabilities, gaps and risks during risk analysis, QHINs would need to implement appropriate security measures to address those weaknesses, and provide documentation, ONC writes.
Under TEFCA, participants in trusted health information exchange, regardless of whether they are a HIPAA covered entity or business associate, would have to take reasonable steps to promote the confidentiality, integrity and availability of electronic health information.
In addition, participants in trusted exchange would have to review and modify such safeguards regularly to continue protecting electronic health information in a changing environment of security threats, ONC writes.
The minimum privacy and security requirements would include:
- Identity proofing QHIN participants, participant members and individuals using Identity Assurance Level 2 (IAL2) in NIST SP 800-63A;
- Using two-factor user authentication based on NIST draft SP 800-63B;
- Creating written notices describing QHIN privacy practices regarding the access, exchange, use, and disclosure of EHI.
Step in Right Direction?
Some privacy and security experts say the latest TEFCA draft appears to be a step in the right direction in attempting to bolster the security and privacy of health information exchange.
"As an industry, the healthcare sector, this has been a long struggle - getting to security and privacy," says former healthcare CIO David Finn, executive vice president at security consultancy CynergisTek.
"This draft does begin to 'bake' security and privacy in," he notes. ONC outlining key principles for exchanging EHI securely and in a fashion that promotes safety, ensures data integrity, and adheres to privacy policies is "a huge step," Finn adds.
Still, setting HIPAA compliance as the spotlighted privacy and security expectation for participants in electronic health information exchange might be setting the bar too low, even though ONC does make reference to several practices and security controls contained in the National Institute of Standards and Technology Cybersecurity Framework, Finn contends.
"The draft does reference several NIST documents and it even refers to and encourages use of NIST CSF, but then it also references the mapping of the NIST CSF to the HIPAA Security Rule," Finn notes.
"The HIPAA Security Rule is something you have to be compliant with, certainly, but it does not actually provide security. This is the only sector that hasn't formally adopted the NIST CSF and this would've been a good opportunity to do so - and then, if you are following that, you can map back to HIPAA."
DirectTrust's Stuewe contends that the latest version of the proposal reflects that ONC listened to industry's concern about what security elements must be in place to enable patients to safely access their own records.
"Specifically, ensuring that consumers are reliably identity proofed before getting access to their own records is essential for patient privacy and security. The introduction of requirements for two-factor authentication and for ensuring 'meaningful choice' notifications about how records collected in apps will be shared are important additions to the new trust fabric promoted under TEF as well," he says.
In addition, "extending the same obligations business associates have under HIPAA to any applicable entity, regardless whether they fall under HIPAA today, will significantly raise the trust bar that TEF intends to set," Stuewe contends.
Lee Barrett, CEO and executive director of the Electronic Healthcare Network Accreditation Commission, an accreditation organization, supported HHS's decision to require each participant of a health information network to be accountable for the electronic health information it creates, receives, maintains and transmits.
"EHNAC has embedded this requirement for protected health information into its 18 accreditation programs and believes strongly that understanding what data is handled, and how and where it is created, received, maintained and transmitted is foundational to safeguarding information," Barrett says.