On December 12, 2023, the U.S. Department of Health and Human Services (HHS), through the Office of the National Coordinator for Health Information Technology (ONC), announced that nationwide health data exchange governed by the Trusted Exchange Framework and Common Agreement (TEFCA) is operational and designated the first cohort of qualified health information networks (QHINs). These events represent important milestones, but there are many more markers on the road to realizing the full promise of TEFCA. We considered sharing some of our own commentary, but we thought that you might prefer a sample of perspectives from stakeholders across the healthcare industry instead.
We hope this article will help you keep your finger on the pulse of all things TEFCA and offer insight into our own strategy as we continue building our EHR+ network.
The QHIN Landscape
With five designated QHINs, two candidate QHINs, and a growing number of organizations that have announced intentions to become QHINs, this is just the beginning of the story. In such a dynamic landscape, one obvious question is how to select a QHIN. In a recent article, Troy Bannister, Chief Strategy Officer at Particle Health, indicated that it may not matter:
Every QHIN must meet a rigorous set of requirements. They have to exchange data, without error, across all other QHINs using open standards (IHE, CCD). They must be able to handle massive data exchange volumes. Even though TEFCA says organizations must respond to individual access (consumer requests), they don’t actually have to ‘based on responder policy.’ Very little differentiation can happen at the QHIN level, and all QHINs will have the same access to the same data since they must exchange data with each other. If data access across all QHINs is the same, their only real differentiator will be pricing.Troy Bannister, “TEFCA And The Commoditization Of Healthcare Data,” Forbes, December 19, 2023.
With no first-mover advantage, Clareto is exercising patience with our own QHIN decision as we contemplate taking the simplest path (we have existing relationships with three of the five designated QHINs) while simultaneously exploring opportunities with other QHINs that could bring additional capabilities to our EHR+ network.
Individual Access Services (IAS)
In Why Wait-and-See: Individual Access Services, we reviewed the IAS standard operating procedure (SOP), identified possible points of failure where consumers may drop out of the process (including identity verification and patient matching), and quantified the potential impact based on available evidence and third-party estimates. After considering the numbers, we concluded that it makes sense to wait-and-see until real-world evidence is available for IAS demonstrating high success rates and enabling evaluation of overlaps with our EHR+ network’s existing coverage. Fortunately, we’re not alone in this regard.
Micky Tripathi, Ph.D., M.P.P., National Coordinator for Health Information Technology, shared his thoughts on near-term challenges to IAS during his keynote address at the eHealth Exchange annual meeting:
Individual access [has] got a real barrier right now in existing networks as we know because, in most cases, what we’re trying to do is force-fit a B2C type of transaction — of patients being able to get their information out of a network — on networks that are basically built with a B2B kind of paradigm, and that’s why we have these issues of trying to do that in IHE and trying to make up tokens and having those tokens force-fit and we’re not getting that kind of adoption because no one wants to build on something that is going to be deprecated at some point not too far away. And it doesn’t provide in that kind of approach the type of end-to-end assurance that every single compliance officer needs to be able to have. Now some organizations may be okay trusting it, but by and large most organizations if we don’t have something that provides the end-to-end assurance that they require for a patient to just be able to access their portal directly, or be able to access their FHIR endpoint directly, then you’re basically saying to them, ‘Well, participate in TEFCA, but that means that you have to let down your compliance bar just a little bit, okay? Oh, and by the way, I don’t have any authority to force you to do this, and I don’t have any money to give you to convince you to do this, but still, please do this, please volunteer.’ Right? No organization — lots of organizations — wouldn’t do that, which, to me, is kind of understandable.Mickey Tripathi, Ph.D., M.P.P., “Session 10: Keynote Address by Dr. Micky Tripathi,” eHealth Exchange Annual Meeting, November 14, 2023.
We highly recommend listening to Dr. Tripathi’s full keynote address for a broader perspective on the health IT regulatory landscape — including overviews of TEFCA, FHIR APIs, and information blocking — and how these separate initiatives are being unified into a single, cohesive strategy.
Our analysis in Why Wait-and-See: Individual Access Services did not attempt to quantify one critical unknown — who will participate in TEFCA, when will they be online, and if/how will they respond to IAS queries. The answers to these questions remain to be seen. At the eHealth Exchange annual meeting, a panel of HIE leaders that have signaled their intentions to participate in TEFCA expressed overall optimism but remained transparent regarding the substantial technical, legal, and policy efforts that will be necessary to harmonize their infrastructure with TEFCA, as well as the potential opportunity costs associated with pursuing TEFCA over other interoperability priorities.
TEFCA Draft Documents
On January 19, 2024, the Sequoia Project — the Recognized Coordinating Entity (RCE) supporting the implementation of TEFCA — released another batch of draft documents to “support greater use HL7 FHIR and make other improvements to [TEFCA],” including the Common Agreement Version 2, the QHIN Technical Framework Version 2, and several revised SOPs. The revised IAS SOP includes several notable changes:
- Differentiates IAS Requests made using demographics-based matching from those made using HL7 FHIR and OAuth with responder-issued credentials;
- Adds an authentication requirement using processes set to at least the NIST AAL2 standard;
- Requires IAS Requests to include evidence of identity proofing via inclusion of an IAL2 Claims Token using the OpenID Connect token format; and
- Retains a response requirement, but with the qualifier of “achiev[ing] an acceptable demographics-based match based on responder policy.”
These ongoing policy and technical changes are one of the reasons why it may be better to be a fast follower than an early adopter, including waiting for these frameworks to be finalized, holding buy vs. build and partnership decisions until such time, and using representative data regarding TEFCA participation, IAS success rates, and other indicators to inform these decisions.
Exchange Purposes (XPs)
In Call to Action: Exchange Purposes, we reviewed the six XPs defined by the Common Agreement Version 1, made the case that none of these XPs were specifically designed to meet the unique needs of the life insurance industry, and proposed the creation of a new XP leveraging existing concepts and well-established precedents wherever possible.
Again, Dr. Tripathi provided some important guidance in his keynote address at the eHealth Exchange annual meeting, previewing a new XP:
There is a use case — and I think I heard [Jay Nakashima, Executive Director at eHealth Exchange] refer to it earlier — we’re calling it permitted exchange purpose #7, which is the authorization-driven one, or research-driven one. It could be — obviously research isn’t the only authorization-driven one, the life insurance use case, others — but the idea is to be able to say that that ought to be one that we start working on. That’s not available right now… because it’s more complicated. You have to deal with issues of how do we standardize the representation of a patient permission and how do we make that portable or make that sort of trusted across the system and make it available in standardized ways to the other parties to be able to have that authorization before they’re willing to move forward.Mickey Tripathi, Ph.D., M.P.P., “Session 10: Keynote Address by Dr. Micky Tripathi,” eHealth Exchange Annual Meeting, November 14, 2023.
We are continuing to advocate for expansion of the existing XPs. We submitted our comments on multiple draft SOPs to the Sequoia Project last year, requested that a stakeholder engagement meeting be convened to address life insurance underwriting and related authorization-based disclosures, and have submitted additional comments to the latest batch of draft documents.
Given all the promise (and continuing evolution) of TEFCA, we will continue to closely monitor this recent progress, advocate for our (and our clients’) priorities, and make decisions regarding our own path forward based on real-world evidence as it becomes available. In the meantime, we remain focused on cultivating direct health data partnerships purpose-built for risk assessment.
We’re not the only ones taking this approach. On a recent podcast, Deven McGraw, Chief Regulatory Officer at Ciitizen, shared her thoughts on the importance of direct partnerships:
We have built a completely different trust model [at Ciitizen] that has nothing to do with the exchange of tokens or anything of that nature. We do require — there’s a set of agreements — it’s very customary to how HIEs build their infrastructure for exchange today, which is based on, you sign an agreement, and you agree to abide by the rules. If you don’t abide by the rules, you can get kicked out of the network… Frankly, it’s just much simpler and is in the process of being tested in the wild today. So while there is this sort of opportunity under both TEFCA and Carequality… there are very different models being pursued for how this happens, and I think it really begs the question about what’s the best way to facilitate the trust that’s needed in order for the information to flow without all these hurdles.Deven McGraw, “InteropTalk Ep. 11: Updates from Interop Summits in San Diego, Patient Access, and TEFCA,” November 28, 2023.
We couldn’t agree more.
In Q4 2023, we signed agreements to add several new data sources to our EHR+ network, including a large health IT partner, offering an EHR dataset covering up to 80 million lives (according to the company’s estimates), and sikka.ai, offering oral health indicators covering 139 million lives. We also signed agreements with three health information exchanges (HIEs), including two in the Northeast and one in the South, offsetting three HIE go-lives last quarter and growing our HIE implementation pipeline to 19 million lives. Each of these health data partners will feature frictionless, authorization-based, near-instant record retrieval. Finally, CareEvolution joined our EHR+ open partner ecosystem, bringing additional tools for managing clinical data obtained via our EHR+ network.
In our next article, we’ll do a deeper dive into the enduring value of direct partnerships and the many benefits of this model.
Clareto, a Munich Re company, operates the largest healthcare interoperability network purpose-built for superior risk assessment via authorization-based disclosures. With connections to EHRs, HIEs, and other sources covering >70% of the US population, Clareto enables access to digital health data to transform underwriting, claims, and other business processes for the life insurance industry. The company’s EHR+ network offers a frictionless experience with no consumer involvement required, smart record retrieval to maximize protective value, algorithm-ready data for enhanced usability, and an open partner ecosystem featuring integrations with complementary solutions and services.
Clareto is a wholly owned subsidiary of Munich Re Life US, one of the leading life reinsurers in the United States. Through its partnership with Munich Re Life US, Clareto aims to provide life insurers with a new set of solutions that assist in the digitization of underwriting processes — driving quicker decisions, greater policyholder satisfaction, and new business growth.