Inside Angle
From 3M Health Information Systems
TEFCA: A beginning for nationwide interoperability
In accordance with the 21st Century Cures Act, the Office of the National Coordinator (ONC) for Health Information Technology has released the draft version of the Trusted Exchange Framework and Common Agreement (TEFCA). TEFCA aims to establish interoperability between disparate Health Information Networks (HINs) through the creation of a “trusted exchange framework.” According to the ONC, there are more than 100 HINs currently operating in the U.S. and they do not share data with each other; to compensate, many organizations have resorted to joining multiple HINs—burdening them with high implementation costs for limited interoperability. In contrast, TEFCA aims to provide nationwide interoperability with substantially lower costs by allowing healthcare organizations easy access to the data necessary to provide higher quality care. Essentially, TEFCA will designate a certain number of HINs to serve as “Qualified Health Information Networks” (QHINs). To facilitate interoperability, data is shared in response to queries sent by the members of a HIN; if the necessary data cannot be found within the network of the QHIN they participate in, then the QHIN will share the query with other QHINs until the data is found and returned. This strategy effectively joins separate HINs, and the QHINs they participate in, into a unified, interconnected system.
Oversight of the QHINs will be provided not by the government, but by a private entity designated by the ONC to serve as the Recognized Coordinating Entity (RCE). The RCE will be responsible for enacting TEFCA, subject to guidance from ONC. The principles participants are to adhere to include standardization, transparency, cooperation, security and patient safety, access and data-driven accountability. While TEFCA leaves most technical decisions up to the RCE, the guiding principles that the draft framework espouses naturally favor a distributed, publicly auditable system. A distributed architecture will be more fault tolerant, as it has no single point of failure, allowing for more uptime. Additionally, it will be more scalable because the capacity of the system will not be limited by any centralized pieces. Finally, a distributed system will minimize data consolidation, ensuring that no single repository exists which, if compromised, would provide access to all Americans’ health records; this provides increased privacy for patient data compared to a centralized system.
A distributed system alone is not enough. We also recommend that TEFCA be implemented with robust auditing capabilities, such that individual patients can see who accessed their records, when and for what reason. Providing robust auditing capabilities will help TEFCA meet its transparency goals and provide a strong disincentive for misuse and inappropriate data access. A possible logging solution could be based on Google’s work with Certificate Transparency, in which security certificates are written into a publicly accessible, append-only log organized as a Merkle tree—a cryptographic data structure resistant to tampering. Considering the sensitive nature of healthcare data, it is likely more appropriate that logs be kept in a secure manner by a third party, but the basic structure of the logs could be similar. All queries transmitted within a QHIN, and especially between QHINs, would be logged. Additionally, metadata from all responses would be logged. These cryptographically secure logs could then be shared with participants of the respective QHINs, as well as other qualified third parties with a need to know (such as the RCE, ONC or a designated auditor).
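The log structure described above, as an added example that is not part of the original post or of any TEFCA specification: an append-only Merkle tree over query records, hashed the way Certificate Transparency (RFC 6962) does it, with an inclusion proof that lets the holder of one record check it against the root the log operator publishes. The record fields, the function names and the `published_root` parameter are assumptions made for illustration.

```python
import hashlib
import json

ENTRIES = [  # constructed sample query records; field names and values are hypothetical
    {"ts": "2018-03-01T09:00Z", "by": "clinic-a", "patient": "p-17", "purpose": "treatment"},
    {"ts": "2018-03-01T09:05Z", "by": "lab-b", "patient": "p-42", "purpose": "treatment"},
    {"ts": "2018-03-02T14:30Z", "by": "payer-c", "patient": "p-17", "purpose": "payment"},
    {"ts": "2018-03-03T08:12Z", "by": "clinic-d", "patient": "p-08", "purpose": "treatment"},
    {"ts": "2018-03-03T23:47Z", "by": "clinic-a", "patient": "p-17", "purpose": "operations"},
]

def _h(data):
    return hashlib.sha256(data).digest()

def leaf_hash(entry):
    # 0x00 prefixes leaves and 0x01 interior nodes, so one cannot be passed off as the other.
    return _h(b"\x00" + json.dumps(entry, sort_keys=True).encode())

def _split(n):
    return 1 << ((n - 1).bit_length() - 1)  # largest power of two strictly below n (n >= 2)

def root(leaves):
    if len(leaves) <= 1:
        return leaves[0] if leaves else _h(b"")
    k = _split(len(leaves))
    return _h(b"\x01" + root(leaves[:k]) + root(leaves[k:]))

def inclusion_proof(leaves, i):
    # Sibling hashes from leaf i up to the root; only hashes of other records are disclosed.
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    lo, hi = leaves[:k], leaves[k:]
    return inclusion_proof(lo, i) + [root(hi)] if i < k else inclusion_proof(hi, i - k) + [root(lo)]

def _rebuild(node, i, size, path):
    if size == 1:
        return node
    k, sib = _split(size), path.pop()  # IndexError if the proof is too short
    if i < k:
        return _h(b"\x01" + _rebuild(node, i, k, path) + sib)
    return _h(b"\x01" + sib + _rebuild(node, i - k, size - k, path))

def verify(entry, i, size, proof, published_root):
    path = list(proof)  # work on a copy; any leftover element means the proof is malformed
    try:
        ok = 0 <= i < size and _rebuild(leaf_hash(entry), i, size, path) == published_root
    except IndexError:
        return False
    return ok and not path
```

Altering any logged record, or the record being checked, changes the recomputed root, so a mismatch against the published root exposes the edit.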
One additional step should be taken—a mechanism should be established for patients to access log data related to their personal health information (PHI). This final step, and potentially only this step, would establish the strong deterrent needed to keep the system secure. If logs are kept but regular audits are not thorough enough, it is possible that bad actors could abuse access to data without being caught quickly. If patients have a mechanism to monitor their personal data, then watchdogs and proactive citizens could take on a critical role in providing oversight to TEFCA, ensuring that it is used only for its intended purposes. Over time, this would also allow people to build trust in the system, which is especially necessary considering TEFCA’s voluntary nature, so we can accomplish TEFCA’s vision of “a system where individuals are at the center of their care and where providers have the ability to securely access and use health information from different sources.”
Rey Johnson is an analyst for the 3M Healthcare Data Dictionary team.