EHRA questions rationale of added TEFCA security protocols

While acknowledging that securing access to data is a shared goal, the HIMSS Electronic Health Record Association suggests ONC's interoperability framework does not consider existing controls, or certain business standards and workflows.
By Andrea Fox
10:51 AM

Image: Pixabay/Pexels

In its comments to the ONC on the draft QHIN, Participant and Subparticipant Additional Requirements SOP, the EHR Association recommends workforce authentication requirements be applied only to the Qualified Health Information Network workforce, with specific consideration given to participants and sub-participants who are not HIPAA-covered entities.

WHY IT MATTERS

The Office of the National Coordinator for Health Information Technology (ONC) is accepting comments on proposed requirements for QHINs, participants and sub-participants under its Trusted Exchange Framework and Common Agreement developed by the enlisted Sequoia project.

In its January 13 letter, EHRA indicated that the need and benefit of added requirements are unclear and suggested narrowing the scope for workforce authentication requirements and auditing standards.

"Auditing standards should align with those in place under the ONC Certification Program," the association said.

"We note that Carequality does not have such authentication requirements, nor has identified the need to do so."

In addition to noting the substantial end-user workflow changes that would be required, the association of vendors also said healthcare providers as covered entities can determine what authentication methods are appropriate for their workforces under HIPAA, based on their understanding of their risks.

If there is a need to require additional authentication, "we suggest that it be done consistently through regulatory processes to ensure [protected health information] meets the same standards and procedures wherever it flows, within an organization, within a network or outside a network."

Other comments on definitions and standards are in the spirit of specifying TEFCA actors and focusing on QHIN and non-covered entities more specifically, says EHRA.

The association said it is also concerned that the multi- or two-single-factor authentication requirement for the entire workforce across QHINs, participants and sub-participants is "too broad to be feasible in the current exchange environment."

Other than specific use cases like eprescribing controlled substances, "Organizations are otherwise not required to deploy the proposed approaches, and there is no reason to consider [TEFCA information] any different from other information that a covered entity currently manages and provides access to users with current controls."

Where all participants need to manage PHI, the standard operating procedures should align with existing requirements for managing PHI where TEF is not part of the fabric, EHRA said.

THE LARGER TREND

The number of planned QHIN applicants is growing, including ambulatory IT and electronic health record vendors, ushering in greater interoperability for healthcare.

The eHealth Exchange in its QHIN partnership announcement said in August it was eager to enhance interoperability under TEFCA.

"This will provide a seamless experience for the organizations coming forward with intentions to participate in this federally endorsed framework for patient data sharing," the organization had said.

ON THE RECORD

"We suggest aligning the requirement to adhere to ASTM E2147-18 with ONC’s Certification Criterion §170.314(d)(2), which references § 170.210(e)(1), which in turn references § 170.210(h) - ASTM E2147-18 (incorporated by reference in § 170.299)," said EHRA in its letter.

"We note that § 170.210(e)(1) specifically identifies specific sections in ASTM E2147-18." 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS publication.

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.