The Health Data Interoperability Highway Is Coming. Is Your Organization Ready?

by Lee Barrett, Commission Executive Director of DirectTrust 01/20/2023

Not many of us remember a time when there weren’t interstates widely available to help us get to where we need to go. Winding roads and sleepy towns can be nostalgic, but they’re not great time savers when time is of the essence.

At a macro level, the Trusted Exchange Framework and Common Agreement (TEFCA) promises to be the interoperability superhighway for healthcare data, speeding patient information from care facilities and care providers, regardless of location or healthcare entity, to where it is currently needed. That could be a routine visit with a new provider, or it could be a life-and-death situation where an unconscious patient is wheeled into the Emergency Department with no family member present to provide any context about the patient, co-morbidities, or prescriptions.

But the superhighway of anything isn’t without hazards, unless careful planning occurs, as happened with the U.S. interstate system. When building began on the interstate system in 1956, the death rate per 1 million miles driven was 6.28. Today, that figure is 1.46 deaths per 1 million miles — a testament to diligent efforts to build continually safer highways, design safer cars, adopt speed limits, and provide ongoing oversight.

A similar effort will be needed for TEFCA to fulfill its promise to free patient information from the siloes where it currently resides without compromising the privacy and security of that data, which points to the utility of accreditation and certification among those who exchange data to help keep privileged information safe.

Exploiting the weakest link

Safeguarding information is always a matter of the weakest link. The most secure data network or hospital system can be undone by a third-party vendor with lax security controls that has network access through an API or some other method. Likewise, the tightest security controls can be breached through a phishing or social engineering attack that compromises a single individual, then attempts to move through the network to gain more control.

As the saying in cybersecurity goes, bad actors only need to succeed once to infiltrate a network, which means that hospitals, health systems, providers, care centers, business associates, and other third parties must adopt and implement stringent security protocols and good cybersecurity hygiene to keep data safe.

Interoperability will undoubtedly increase the number of risk vectors that exist at every exchange point. Now, instead of the security of a single system, with all of its individual connections, it will be thousands of systems, each of which has hundreds — if not thousands — of individual connections.

Large vendors and state and multistate health information networks (HINs) have already expressed interest in applying to the Recognized Coordinating Entity (RCE) contracted by the Office of the National Coordinator (ONC) for designation as qualified health information networks (QHINs), which will serve as the communications hubs of the network, routing queries, responses, documents, and more among those who are exchanging data. Those already announcing their intentions to apply to become QHINs include EHR vendor Epic, ambulatory EHR and practice management solution vendor NextGen Healthcare, the CommonWell Health Alliance, clinical data exchange network Kno2, and CRISP Shared Services, which provides the infrastructure for five statewide HIEs.

Healthcare must get a handle on cybersecurity

The Office of the National Coordinator (ONC) for Health Information Technology named The Sequoia Project as the recognized coordinating entity (RCE) responsible for developing the common agreement for TEFCA and setting baseline technical, legal, privacy, and security requirements to fulfill the promise of interoperability.

Sequoia will designate and monitor QHINs to ensure they are collaborating effectively and abiding by the terms of the common agreement. The details of the common agreement will include technical specifications and minimal security standards for QHINs and others to participate in data exchange. The stakes are high — healthcare providers and business associates continue to be hit by ransomware attacks and data breaches. The healthcare industry incurs the highest costs to remediate breaches, at more than $10 million per incident, almost double the second most-affected industry.

Given healthcare’s poor record at keeping protected health information (PHI) safe, security experts fear that interoperability will increase the number of attacks, undermining the intended purpose of making data more accessible among providers, patients, and care facilities.

A recent survey of CIOs and CISOs across industries showed that 80% reported a breach within the past 12 months that started with a third-party vendor. In fact, the average respondent reported they had been breached 2.5 times in this manner in the last year. 

What’s clear is that many entities operating in the healthcare ecosystem still lack the needed tools, experience, and cyber rigor required to significantly reduce the risk of a cyberattack.

Trusted Network Accreditation Program

EHNAC and HITRUST have long promoted the secure exchange of healthcare data through accreditation and certification programs. The organizations have teamed up to offer the Trusted Network Accreditation Program (TNAP), designed to comply with TEFCA regulatory standards to address security and privacy requirements. The HITRUST R2 has been named as part of the Security Standard Operating Procedure (SOP) for entities that apply to the RCE seeking designation as a QHIN. There may be other certifications named in the future, but the HITRUST R2 certification, required as part of TNAP, is currently the only security certification designated by the RCE to meet the requirements of the common agreement.

The TNAP program is designed to accommodate stakeholders that will exchange data, including QHINs, other health information networks, health information exchanges, accountable care organizations, data registries, labs, providers, payers, vendors, and suppliers. It requires the HITRUST R2 Validated Assessment and a third-party assessment against EHNAC’s TEFCA-specific requirements outside of just information security.

As TEFCA regulations change, the accreditation program will be updated to keep pace and maintain a laser-like focus on the security and privacy of data within a network and during transmission, while also monitoring business practices and management of human and physical resources.

Data interoperability has been an objective since the first electronic healthcare records systems came online in the 1960s, and the concept picked up the pace about 30 years ago. After many stops and starts, the ideal of true data interchange is closer than ever. But healthcare organizations must recognize that the industry does not have a stellar track record of safeguarding protected health information, which makes certifications and accreditation programs vital and required to ensure confidence in interoperability.

About Lee Barrett

Lee Barrett is the Commission Executive Director of DirectTrust. This article includes contributions by Michael Parisi, Vice President of Adoption, HITRUST.
