A person is admitted to the emergency room after a car accident. They are unconscious, bleeding internally and need immediate surgery. An assistant finds the person’s wallet and discovers that he is not local and that the hospital has no patient records for him.
The surgeon is now faced with a crucial and potentially dangerous decision. Approximately 8 million Americans take blood thinners, making any operation much more risky. It is also true that co-morbidities and their severity are directly related to surgical results, length of stay and whether the patient is discharged directly to home. But the individual will die without intervention, the surgeon determines, and an operating room is booked.
The ultimate goal of the Trusted Exchange Framework and Common Agreement (TEFCA) is to open up medical information among providers, hopefully eliminating the scenario above. After TEFCA, the same unconscious individual is admitted. An assistant enters the patient’s driver’s license number into the electronic health record (EHR) system, where a nationwide match is found. The treating physician can then access data from other health information networks that share common functional and technical exchange requirements. With more information, the surgeon can make more informed decisions about the individual’s medical care.
There is no doubt that full implementation of TEFCA will save lives and improve patient care and outcomes. However, challenges remain centered on how to maintain data privacy and security as the number of electronic connections grows exponentially between data networks.
To maintain patient and provider trust in data sharing networks and reduce data breaches and cyber exposure, accreditation programs are needed to promote best practices, administrative simplification, common exchange standards, open competition and — above all — protection of information exchange.
Patient data longs to be free
TEFCA officially launched in January 2022 and covers a common set of principles, terms and conditions to support the national exchange of electronic health information across various health information networks and platforms. The ultimate goal is to free patient data from information silos, creating a common framework for instant information sharing. The US Department of Health and Human Services is awaiting initial testing for the first networks in Q4 of this year.
The regulations require the establishment of Qualified Health Information Networks (QHINs) that agree to general conditions of exchange, along with functional and technical requirements. QHINs form the communication hub of the TEFCA network, routing requests, responses and messages between individuals, providers and facilities that exchange data.
EHR provider Epic announced in June its intention to become a QHIN. Epic helped build consensus on TEFCA’s standards and procedures, so while the announcement isn’t surprising, it’s still a shot in the arm for the fledgling regulation.
True interoperability of patient data has been a goal almost as long as EHRs have existed. But anyone who visits more than one medical provider in a year knows that the industry remains far from it—even among providers within the same hospital or health system. Patient portals, personal health passports, in-case-of-emergency (ICE) smartphone apps and other technologies have been used as examples of data sharing, but anyone who has tried to navigate any of them knows that the information they offer is extremely limited.
Even with today’s technology, obtaining medical records requires phone calls, fax machines and patience, lots of patience. It is not unusual for a patient to wait days or weeks to receive the necessary records. As frustrating as it is for patients, it’s just as time-consuming and frustrating for medical staff to submit and fulfill these requests.
TEFCA holds the promise of a better way forward, but the healthcare industry must first address its data breach problem—which is where third-party industry accreditation and certification can help.
Accreditation can help ensure the security of data exchange
Certification of IT networks can go a long way toward meeting the challenge of interoperability while instilling confidence that healthcare providers are securely exchanging data with each other and with patients.
Healthcare continues to be plagued by data breaches and ransomware attacks that continually put patient data at risk. In 2021, more than 700 healthcare organizations reported breaches of more than 500 records on the Office for Civil Rights’ Breach Portal, better known as HIPAA’s “wall of shame.” These 704 breaches compromised almost 46 million patient records. Nearly three-quarters of incidents were due to hacking, and another 20% were caused by unauthorized access. And while providers reported 72% of all breaches, business partners accounted for 13% of the total, affecting more than 10.5 million patients.
Healthcare systems are comprised of interconnected technologies, care partners, and business partners, each of which can be the weak link in the security chain. For the 11th year in a row, healthcare has the highest costs related to breaches, which now reach $9 million per incident.
Two recent studies highlight the need for accreditation of healthcare networks to maintain data safety. In the first, 80% of CIOs and CISOs say their companies have experienced a breach originating from a third-party supplier in the last 12 months. A second study found that 44% of hospitals and health systems failed to meet basic protocols under the US National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF).
TEFCA’s interoperability standards will undoubtedly improve the flow and availability of patient information and the quality of clinician decision-making in emergency settings. But this free flow of information cannot take place in an exchange environment that is full of weaknesses and vulnerabilities.
Hospitals, health systems, acute and post-acute care facilities, technology providers and business partners must now manage overall risk strategies and exposure internally and with partners. Industry accreditation and certification of the security and privacy of these data links is vital to ensure compliance with standards and best practices while protecting the security, privacy and confidentiality of patient data.