TEFCA promises true data interoperability, but industry must address security challenges – MedCity News
An individual is admitted to the emergency department following an auto accident. They are unconscious, bleeding internally, and need immediate surgery. An aide locates the individual’s wallet and determines that they are not local and that the hospital has no patient records for them.
The surgeon now faces a crucial and potentially dangerous decision. An estimated 8 million Americans take blood thinners, making any surgery much riskier. It’s also true that co-morbidities and their severity have a direct bearing on surgical outcomes, length of stay, and whether a patient is discharged directly to home. But the individual will die without intervention, the surgeon determines, and an operating room is booked.
The ultimate goal of the Trusted Exchange Framework and Common Agreement (TEFCA) is to open up medical information among providers, hopefully eliminating the scenario above. Post-TEFCA, the same unconscious individual is admitted. An aide enters the patient’s driver’s license number into the electronic health records system (EHR), where a match is found across the country. The attending physician then can access data from other health information networks that share common functional and technical requirements for exchange. With more information, the surgeon can make more-informed decisions about the individual’s medical care.
There’s no doubt that a full TEFCA rollout will save lives and improve patient care and outcomes. Challenges remain, however, centered on how to maintain data privacy and security as the number of electronic connections increases exponentially among data networks.
To help maintain patient and provider confidence in data-sharing networks and reduce data breaches and cyber exposure, accreditation programs are needed to promote best practices, administrative simplification, common interchange standards, open competition, and — above all — the protection of information exchange.
Patient data yearns to be free
TEFCA was formally launched in January 2022 and encompasses a common set of principles, terms, and conditions to support nationwide exchange of electronic health information across disparate health information networks and platforms. The ultimate aim is to free patient data from information silos, creating a common framework for immediate information sharing. The U.S. Department of Health and Human Services expects initial testing for the first networks in Q4 of this year.
Regulations call for the creation of qualified health information networks (QHINs) that agree to common terms of exchange, along with functional and technical requirements. QHINs form the communications hub of the TEFCA network, routing queries, responses, and messages among individuals, providers, and facilities that are exchanging data.
EHR vendor Epic announced its intent in June to become a QHIN. Epic helped build consensus on TEFCA’s standards and procedures, so while the announcement is not surprising, it’s still a shot in the arm for the fledgling regulation.
True interoperability of patient data has been the goal for about as long as EHRs have existed. But anyone who visits more than one medical provider in a year knows the industry remains a long way from it — even among providers within the same hospital or health system. Patient portals, personal health passports, in case of emergency (ICE) smartphone apps, and other technologies have been used as examples of data sharing, but anyone who’s tried to navigate any of these knows that information is extremely limited.
Even given today’s technology, obtaining medical records requires phone calls, fax machines, and patience, lots of patience. It’s not uncommon for a patient to wait days or weeks to acquire needed records. As frustrating as it is for patients, it’s equally time-consuming and frustrating for medical staff to field and fill these requests.
TEFCA holds the promise of a better way forward, but the healthcare industry must first come to grips with its data breach problem — which is where industry third-party accreditation and certification can help.
Accreditation can help ensure security of data interchange
Certification of IT networks can go a long way toward meeting the interoperability challenge while instilling confidence that healthcare providers are exchanging data securely among themselves and with patients.
Healthcare continues to be plagued by data breaches and ransomware attacks that continually put patient data at risk. In 2021, more than 700 healthcare organizations reported breaches of more than 500 records to the Office for Civil Rights’ Breach Portal, better known as the HIPAA “wall of shame.” Those 704 breaches compromised nearly 46 million patient records. Nearly three-quarters of incidents were attributed to hacking, with another 20% being caused by unauthorized access. And while providers reported 72% of all breaches, business associates represented 13% of the total number, affecting more than 10.5 million patients.
Healthcare systems are composed of interlinked technologies, care partners, and business associates — any one of which can be the weak link in the security chain. For the 11th consecutive year, healthcare has had the highest breach-related costs, which now top $9 million per incident.
Two recent surveys underscore the need for accreditation of healthcare networks to help keep data safe. In the first, 80% of CIOs and CISOs say their companies have experienced a breach originating with a third-party vendor in the past 12 months. A second survey shows that 44% of hospitals and health systems failed to meet basic protocols under the U.S. National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF).
Conclusion
TEFCA interoperability standards will undoubtedly improve the flow and availability of patient information and the quality of clinician decision-making in emergent circumstances. But that free flow of information cannot take place in an interchange environment that is rife with weaknesses and vulnerabilities.
Hospitals, health systems, acute and post-acute care facilities, technology vendors, and business associates must already manage overall risk strategies and exposure internally and with partners. Industry accreditation and certification of the security and privacy of those data connections is vital to ensure adherence to standards and best practices while protecting the security, privacy and confidentiality of patient data.