It wasn’t always so, but today we have technology available to exchange health information anywhere there’s an internet connection. What’s slowing us from doing so at nationwide scale is trust. The frictions are human and institutional. They cannot be addressed exclusively with technology. 

Let’s look at the policy triangle that affects each network participant’s sharing posture. On the first side, there’s the HIPAA Privacy Rule that permits but does not require responses to network queries for treatment purposes. On the second side of the policy triangle, there’s the information blocking regulations, which change the “you can share” electronic health information posture to a general expectation that “you will share.” The Trusted Exchange Framework and Common Agreement™ (TEFCA™) is the third side of the triangle. TEFCA’s Common Agreement for QHINs™ and Terms of Participation for all other Participants and Subparticipants serve as obligations among all those within TEFCA and specify when they must share with each other.  

So… if there’s a regulation that says when you’re permitted to share health information, another that says when you ought to share, and agreements in place that say when you must share, what’s the holdup? To answer with two phrases: “stranger danger” and “interpretative drift.” 

Trust Among Strangers – at Scale

TEFCA’s cornerstone is its ability to scale connectivity nationwide by, among other things, establishing the trust conditions necessary to automate responses to network queries between parties that have never exchanged with each other. To establish this kind of trust, we need aligned interpretations of key definitions and appropriately rigorous network entry processes. This means those who join TEFCA will need to put in more work upfront. TEFCA’s directory infrastructure also has protections in place to prevent its Participants and Subparticipants from querying for exchange purposes for which they are not authorized. Moreover, TEFCA’s governance includes processes for identifying potential misuse of authorized exchange. Despite these risk mitigations (that can evolve as the network matures), TEFCA’s scale has, almost inevitably, led some participating in TEFCA Exchange to give more thought to the “strangers” to whom they’re responding.  

I’ll… take… is it Treatment for $800, Alex

Every HIPAA-covered health care provider that participates in TEFCA should be able to query any other HIPAA-covered health care provider also participating in TEFCA for treatment purposes and expect a response. Simple, right? Not so fast. At present, representatives from QHINs, Participants, and Subparticipants are deliberating 25 years of interpretative differences on what constitutes “treatment” and who’s considered a “health care provider” under HIPAA. Subtle differences in interpretation on the ground can have substantive impacts on perceived risk and network participation, which can grind information sharing to a halt. When a requester describes its rationale for making a treatment query and a responder (who is a HIPAA covered entity or business associate and accountable under HIPAA for its disclosures) disagrees that the request is for “treatment,” we reach an information exchange impasse.  

Unifying these interpretative differences is a key part of the hard work that our private sector colleagues have committed to doing through TEFCA. Continued efforts to drive to interpretative consensus, combined with disciplined onboarding processes and fair auditing and adjudication of disputes, can go a long way to bring TEFCA’s promise to fruition.  

Every day, as we tackle these detailed (and at times tedious) discussions, we’re appreciative of the engagement and investment that our colleagues have made to bring TEFCA Exchange to the nation. More than 60,000 locations are now connected through TEFCA and we’ll keep working to make sure everyone can continue to benefit from its one set of network participation policies, one set of nationwide connectivity services, and one approach to network oversight.