Critical Infrastructure Security, Data Security, Governance, Risk and Compliance

Sequoia Project seeks comment on HHS security measures for healthcare interoperability

An update to QHIN TEFCA guidance from the Sequoia Project shares possible security requirements to address longstanding concerns. (“Patient files at Howard University Hospital” by Medill DC is licensed under CC BY 2.0.)

The Sequoia Project is asking healthcare stakeholders to comment on newly shared security requirements for entities looking to become a Qualified Health Information Network (QHIN) as part of the Trusted Exchange Framework and Common Agreement, the Department of Health and Human Services’ plan to support interoperability across the sector. 

The Office of the National Coordinator selected the Sequoia Project to develop and support the adoption of TEFCA, which initially rolled out in January. The collaborative effort has been pooling industry feedback and implementing those recommendations to improve the upcoming final document.

TEFCA is designed as a legal agreement between the Sequoia Project and QHINs and establishes the legal and technical baseline for data exchange between QHINs, completing a critical 21st Century Cures Act requirement. The framework is also meant to support patient access to their data, while improving care coordination and patient outcomes.

The ongoing development aims to support the HHS interoperability initiative. During the initial January rollout, ONC Chief Micky Tripathi, Ph.D., explained that TEFCA supports “simplified nationwide connectivity for providers, health plans, individuals, and public health.”

In short, TEFCA is meant to “significantly reduce the number of connections individuals and healthcare providers need to make to get the health information they seek for treatment and individual access to services,” ONC officials explained during the initial release.

The Sequoia Project has been working to improve the guidance, which will later be broadened to support various exchange processes over time, such as operations, payments, public health, and government benefits determinations.

Throughout the ongoing development process, the partners have reached out for feedback to bolster community engagement and ensure transparency, Sequoia Project CEO Mariann Yeager, noted with the release.

The Sequoia Project released elements for comment in July and September, aiming to ensure the privacy and security of data sharing among providers. The latest update from the Sequoia Project targets QHIN onboarding and the designation of standard operating procedure and the QHIN Application.

Industry stakeholders are being asked to provide the Sequoia Project with feedback on the proposed criteria for entities seeking to become a QHIN, the process for evaluating applicants, and the possible testing processes. Other newly shared elements include proposed QHIN application information and the types of entities able to participate in the TEFCA SOP.

On May 16, the Sequoia Project released an update to its standard operating procedures to include further information into possible security requirements for QHIns and a list of approved certification requirements. The updates appear to address some of the privacy and security concerns raised by some stakeholder groups late last year.

The comment period for these particular updates is open until July 15. According to its release, the Sequoia Project will seek further comment on the fee structure and exchange purposes in June.

The Sequoia Project has steadily worked throughout the year to ensure TEFCA is deployed ahead of the planned year-end “live exchange,” explained Yeager. “We look forward to the thoughtful input of potential QHINs and other stakeholders to carefully consider these drafts.” 

The final version of QHIN onboarding guidance, the first version of the designated standard operating procedures, and the final QHIN application are planned for release in the late summer. The Sequoia Project intends to incorporate relevant industry feedback into the final releases.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds