The Common Agreement is a critical component of the Trusted Exchange Framework and Common Agreement (TEFCA), providing the legal and operational foundation needed to support secure and compliant health information exchange across the United States. It outlines the governing approach and infrastructure necessary to scale a national system of interconnected Qualified Health Information Networks (QHINs), acts as a legal agreement between the Recognized Coordinating Entity (RCE) and the QHINs, and provides the flow-down terms that apply to all TEFCA participants and subparticipants.
Over time, we have witnessed the evolution of the Common Agreement. The first version offered high-level policies and procedures that incorporated extensive public input. CA V1.1, which was in place when TEFCA and the first QHINs launched in December 2023, included various changes required by the United States Department of Health and Human Services (HHS). Now, CA V2.0 represents a significant leap forward: it moves many aspects of the CA into Standard Operating Procedures (SOPs) and evolves to support HL7 FHIR-based transactions.
With the Common Agreement V2.0 now in effect, our team at Health Gorilla thought it would be an excellent opportunity to recap the SOPs being developed and published along with CA V2.0 and describe how they may impact TEFCA exchanges.
- QHIN Technical Framework (QTF) Version 2.0: This SOP builds on previous versions by enhancing data standards, security protocols, and interoperability requirements to support seamless health information sharing. The framework aims to ensure consistent, reliable access to health data while maintaining high privacy and security standards.
- Facilitated FHIR Implementation SOP: This SOP supports the use of Fast Healthcare Interoperability Resources (FHIR) for data exchange across the framework, an enhancement that will expand TEFCA’s supported technologies to include additional structured data formats. The incorporation of the FHIR SOP emphasizes the RCE’s commitment to innovation, as well as targeted, secure, and timely data exchanges.
- Individual Access Service (IAS) Provider Requirements SOP: This SOP delineates the necessary standards and procedures for IAS providers to ensure individuals can securely and efficiently access their health information through TEFCA. It includes guidelines for verifying user identity, maintaining data privacy and security, informing individuals about how their data will be shared, and ensuring interoperability with other QHINs and TEFCA participants. It also outlines the handling and reporting of security incidents.
- Governance Approach SOP: This SOP outlines the roles, responsibilities, and procedures of TEFCA’s current Transitional and future Governing Council, which will act as a resource to the RCE and ONC, as well as the governing body for activities conducted under the Framework Agreements. This SOP emphasizes collaboration among stakeholders, consistent monitoring, and evaluation of practices to maintain data integrity, privacy, and security.
- Delegation of Authority SOP: This SOP outlines the requirements that QHINs, Participants, and Subparticipants must follow when authorizing another organization, such as an IT vendor or service provider (a “Delegate”), to initiate requests on their behalf (“Delegated Requests”). This SOP aims to streamline operations by enabling designated individuals or entities to act on behalf of Covered Entities and similar primary participants while maintaining robust checks and balances to safeguard the integrity, security, and compliance of health information exchange activities.
- Expectations for Cooperation SOP: This SOP outlines the expectations for reasonable cooperation that QHINs, Participants, and Subparticipants must follow for all matters related to TEFCA exchanges. It sets expectations for proactive engagement, conflict resolution, and adherence to common standards and policies, ensuring that all parties work synergistically to enhance efficiency, compliance, and the overall effectiveness of the CA V2.0 governance and operational processes.
- Exchange Purposes SOP: This SOP defines the purposes for which data can be exchanged under TEFCA and includes specific requirements for different use cases. It lists the approved reasons for sharing information, outlines when a response is required vs. optional, and explains when fees are or are not allowed for exchanges between QHINs.
- RCE Directory Service Requirements Policy SOP: This SOP outlines the requirements for the RCE Directory Service and sets the standards and guidelines for maintaining a comprehensive and accurate directory of entities participating in health information exchange under the Common Agreement. It details the requirements for listing and updating participant information, ensuring data accuracy, privacy, and security.
- TEFCA Security Incident Reporting SOP: This SOP establishes the procedures for reporting security incidents within the TEFCA framework. It specifies the types of incidents that must be reported, the required timelines for reporting, and the protocols for communicating with relevant stakeholders. The SOP includes guidelines for initial response, investigation, and mitigation efforts to address the incident and prevent future occurrences.
- Treatment Exchange Purpose (XP) Implementation SOP: This SOP specifies conditions under which participants must respond to treatment-related data requests. The TEFCA Required Treatment exchange purpose is a narrower version of what’s been used across other networks in the past, which has been based on the somewhat ambiguous definition of Treatment under HIPAA. This was done in an effort to clarify precisely what is and what is not appropriate, to build trust throughout the new framework, and to ensure all QHINs and their participants feel comfortable and secure initiating and responding to Treatment queries across the TEFCA.
As you can see, many of the SOPs rolled out in conjunction with CA V2.0 were developed in an effort to improve trust, security, and the adoption of the Trusted Exchange Framework and Common Agreement. As one of seven Qualified Health Information Networks and the only one with a simultaneous California Qualified Health Information Organization (QHIO) designation, Health Gorilla has had the opportunity to provide feedback and suggestions on what’s included above and is proud to see the development of TEFCA taking place. We still have a long way to go, but the progress made so far is very encouraging.