“TEFCA raises the bar to protect the privacy and security of health information” is what Steve Gravely of Gravely Group told the National Committee on Vital and Health Statistics (NCVHS) on April 12, 2024, in Washington, DC.

Steve was honored to be part of an excellent panel presentation to update the NCVHS on TEFCA and how it hoped to transform health information exchange and interoperability nationwide.

Along with JaWanna Henry, MPH, MCHES, of ONC; Mariann Yeager, CEO of The Sequoia Project (ONC’s Recognized Coordinating Entity); and Chantal Worzala, Principal at Alazro Consulting, LLC, Steve had an interactive conversation with the Committee about TEFCA.

Steve Gravely focused on how TEFCA requires QHINs, Participants and Subparticipants to protect the privacy and security of health information. Some of Steve’s key points:

1. TEFCA requires compliance with key provisions of the HIPAA Privacy Rule and the HIPAA Security Rule for any QHIN that is not already subject to HIPAA. These Non-HIPAA Entities (NHE) must comply with a specific list of HIPAA Privacy Rule requirements and must require their Participants and Subparticipants to comply with these requirements as well, even if they are not subject to HIPAA.

2. All QHINs must be certified by HITRUST, or another third-party certification body that the RCE adds in the future. This is a very rigorous process that requires a substantial investment by every QHIN in resources to show how it meets the HITRUST Certification Requirements or to upgrade specific systems to the HITRUST-required standard.

3. QHINs must conduct annual third-party security assessments to ensure that they stay up to date on security measures.

4. QHINs are required to designate a Chief Information Security Officer (CISO) who is responsible for the overall security posture of the QHIN. These CISOs will participate in the TEFCA Cybersecurity Council, which is chaired by the RCE’s CISO, and be responsible for the security posture of the entire TEFCA network.

5. QHINs agree to report Security Incidents promptly to the RCE and other affected QHINs. This reporting requirement must be flowed down to a QHIN’s Participants and Subparticipants.

TEFCA ensures that every QHIN, Participant and Subparticipant is operating under one common set of requirements, which are known by everyone. Such transparency and common requirements are known to promote trust.