ASTP Final Rule Codifies Requirements for TEFCA-Qualified Health Information Networks

BACKGROUND ON TEFCA

TEFCA is a set of principles, terms, and technical requirements that aim to facilitate health information exchange by creating a nationwide network of participating health information networks (HINs) that meet all the requirements to exchange data according to TEFCA standards (TEFCA exchange).

TEFCA originated in the 21st Century Cures Act of 2016, which required ASTP to convene public-private and public-public partnerships to build consensus and develop or support a trusted exchange framework, including a common agreement, among HINs nationally. The Cures Act specified that its statutory framework must not be construed to “require” an HIN to adopt or participate in TEFCA (i.e., TEFCA participation must remain voluntary unless the statute is amended to state otherwise).

HINs designated by ASTP to participate in TEFCA exchange are called qualified HINs (QHINs). Entities that contract with a QHIN to access TEFCA exchange are known as participants. Participants can also connect others, known as subparticipants, to participate in TEFCA exchange. The network of participants and subparticipants connected to a QHIN comprise the QHIN’s designated network. To maintain and implement the standards for TEFCA exchange and to oversee the resulting TEFCA network, ASTP may delegate certain authority to one or more RCEs. Currently, the only RCE selected by ASTP is The Sequoia Project.

The standards for TEFCA exchange, requirements for participation, and governance protocols for the TEFCA network are currently set forth in a suite of documents, including the Trusted Exchange Framework and the Common Agreement. The Trusted Exchange Framework describes a common set of foundation principles and practices to facilitate data sharing. The Common Agreement establishes the infrastructure and governing approach for users in different HINs to securely share information with each other. The Common Agreement is a legal contract that is signed by a QHIN and the RCE.

Additional requirements are found in the Standard Operating Procedures (SOPs) and the QHIN Technical Framework (QTF). SOPs are issued by the RCE and provide detailed information or requirements related to the exchange activities under the Common Agreement. The SOPs address governance, privacy, and security requirements; RCE directory services; and QHIN application and designation. The QTF outlines the technical specifications and other technical requirements necessary for QHINs to exchange information.

These documents include the purposes for which information may be requested or sent via TEFCA exchange. There are currently six exchange purposes: treatment, payment, healthcare operations, public health, government benefits determinations, and individual access services (i.e., services permitting individuals to access and obtain their own health data). Currently, QHINs are required to support exchange for any of these purposes, but QHINs, participants, and sub-participants are only required to respond to requests made for treatment or individual access services purposes. ASTP has been clear that it intends to eventually require responses to requests made under any exchange purpose, however.

For more information on TEFCA and for a list of QHINs and candidate QHINs, see The Sequoia Project’s website.

TEFCA REGULATIONS IN THE FINAL RULE

With only minor changes from the proposed rule, the final rule creates a new 45 CFR Part 172 with regulations codifying:

• Qualification requirements for QHIN designation
• The processes for QHIN onboarding and designation
• A QHIN attestation process
• QHIN termination and appeals rights
• ASTP’s authority to delegate responsibility to the RCE

The final regulations related to QHIN designation, onboarding, suspension, and termination closely reflect the requirements and processes contained in the Common Agreement and the RCE’s current SOPs. The final rule creates the appeals process for ASTP and RCE decisions and the QHIN attestation process. In the final rule, ASTP added language requiring the RCE to seek and receive ASTP prior authorization before making certain decisions, including QHIN designation decisions, setting and determining QHIN compliance with onboarding requirements, deeming a QHIN designation application withdrawn for failure to respond to requests for more information, and suspending or terminating a QHIN.

Subpart A: Purpose, Definitions, and RCE Authority

Subpart A of the final rule provides the statutory basis for the regulations (Section 3001(c)(9) of the Public Health Service Act) and states that the purpose of the regulations is to promote full network-to-network exchange of health information and to create a voluntary process for QHINs to attest to the adoption of TEFCA. It also defines key terms that mirror the definitions provided in current TEFCA documents. Finally, this subpart lists the responsibilities that ASTP may delegate to the RCE, including QHIN designation and onboarding, suspension, and implementing a QHIN’s self-termination or termination by mutual agreement between the QHIN and the ASTP or the RCE.

Subpart B: Qualifications for Designation as a QHIN

Subpart B contains the required qualifications for designation as a QHIN, which are separated into three categories:

• Ownership requirements
• Exchange requirements
• Designated network services requirements

The first category, ownership, includes requirements for a QHIN:

• To be a US entity
• To not be under foreign control
• To have no director, officers, executives, or owners of 5% or more of the HIN on the US Department of the Treasury’s Specially Designated Nationals and Blocked Persons List or the HHS Office of the Inspector General’s List of Excluded Individuals/Entities

Healthcare data is a critical piece of national infrastructure. According to ASTP, these ownership requirements are intended to protect health data from high-risk actors and ensure that those who control the health information exchanged via TEFCA are subject to US law.

The second category, the exchange requirements, set a floor of technical and operational capabilities that a QHIN must meet. To be designated as a QHIN, an entity must be capable of:

• Exchanging data between two or more unaffiliated parties
• Exchanging all required information (i.e., the electronic health information held by an entity responding to a request via TEFCA exchange that is relevant to a request for a required exchange purpose)
• Exchanging data for at least one exchange purpose
• Receiving and responding to transactions from other QHINs for all exchange purposes
• Initiating transactions for the exchange purposes that the entity will permit its participants and subparticipants to use through TEFCA exchange

The third category of requirements, for designated network services, are meant to ensure that the TEFCA exchange network infrastructure performs at a high level. A QHIN is required to maintain operational and legal authority to operate and govern its designated network. This includes establishing representative and participatory groups that approve network governance processes and participate in governance. QHINs must also maintain dispute resolution procedures and written policies on network oversight and control, security, privacy, data breach response, and change management. QHINs are required to maintain the technical capacity for high volumes of transactions commensurate with the level of TEFCA participants and to maintain secure network-to-network connectivity. Finally, QHINs are required to have adequate financial resources and personnel to support their functions, including maintaining minimum financial reserves or insurance-based cybersecurity coverage.

Subpart B details additional requirements for QHINs offering individual access services to enable patients to gather their own healthcare information, including a requirement to obtain express individual consent and standards for handling individually identifiable information maintained by the QHIN.

Subpart C: The QHIN Designation and Onboarding Process

Subpart C establishes QHIN onboarding and designation processes, including application submission, review, and withdrawal processes. Onboarding is the process of a prospective QHIN becoming operational in the production environment. Designation refers to the written determination that an Applicant QHIN has satisfied all regulatory requirements.

The final regulations include details about what information must be included in a QHIN application and timelines for review of applications. Once an application has been confirmed to be complete, ASTP or the RCE has 60 calendar days to complete its review of an application unless extended by written notice to the applicant. The final rule requires applicants to respond to requests for additional information from ASTP or the RCE and to notify ASTP or the RCE if, following submission of the application, any information in the application becomes untrue or materially changes.

Once approved by ASTP (or the RCE with ASTP’s prior authorization), an Applicant QHIN must submit the signed Common Agreement. The Applicant QHIN has 12 months to complete the onboarding process with ASTP or the RCE, which possess discretion to extend the onboarding period by up to 12 months. During the onboarding process, the Applicant QHIN must regularly check in with ASTP or the RCE to report progress, coordinate technical testing, and address any issues. Once the onboarding requirements are satisfied, the Common Agreement will be countersigned and the Applicant QHIN will receive notice that it has been provisionally designated as a QHIN. The QHIN is then required to submit proof within 30 days of successful completion of a data transaction with all other in-production QHINs according to TEFCA exchange standards and procedures.

If a QHIN submits satisfactory proof, its QHIN designation becomes final 60 days after submission. If unsuccessful, a QHIN must submit an explanation for why it was unable to complete the required transactions and a plan and timeline for addressing any issues. ASTP (or the RCE with ASTP’s prior authorization) would then review the plan within five business days. If a QHIN fails to submit its plan, or if ASTP (or the RCE with ASTP’s prior authorization) rejects the plan, the QHIN’s designation will be revoked.

The final rule permits an Applicant QHIN to withdraw its application any time before designation by providing written notice to ASTP or the RCE. If an application is withdrawn for a failure to respond to a request for information, or if it is rejected, an Applicant QHIN must wait six months before submitting a new application.

Subpart D: Suspension of QHINs, Participants, and Subparticipants

Subpart D includes the circumstances under which a QHIN, participant, or subparticipant may be suspended from participating in TEFCA exchange. Under the final rule, a QHIN may be suspended if the QHIN is responsible for a threat condition. A threat condition exists in the following circumstances:

• A material breach of a Framework Agreement that has not been cured within 15 days of receiving notice of the breach
• A TEFCA security incident
• An event that the ASTP, RCE, QHIN, participant, or subparticipant has reason to believe will disrupt TEFCA exchange
• Any event that could pose a risk to national security interests

ASTP (or the RCE with ASTP’s prior authorization) may also order a QHIN to suspend participants and subparticipants for doing or failing to do something that results in a threat condition. ASTP or the RCE is required to make a reasonable effort to notify the affected parties in advance of a suspension. The final rule also specifies conditions and requirements for a QHIN to suspend sharing data with another QHIN because of reasonable concerns about the privacy or security of the information exchanged.

Subpart E: Termination of a QHIN

The final rule permits a QHIN to voluntarily terminate its designation with 90 business days prior written notice. ASTP (or the RCE with ASTP’s prior authorization) may also immediately terminate a QHIN for a material breach of any applicable regulatory requirements and failure to remedy that breach within 30 days, unless extended by another 30 days by ASTP or the RCE, or for a material breach of the Common Agreement that cannot be remedied.

Subpart F: Review and Appeal of RCE or ASTP Decisions

This subpart establishes a process for review of ASTP’s or the RCE’s decisions, including appeals rights. ASTP retains the authority to review an RCE’s decision at its sole discretion. Applicant QHINs may appeal the denial of their applications, and QHINs can appeal a decision to suspend a QHIN, participant, or subparticipant or terminate a QHIN’s Common Agreement. If ASTP provided prior authorization for a decision, no ASTP personnel involved in the prior authorization may participate in the review of the decision.

A notice of appeal must be submitted electronically to ASTP within 15 days of receiving notice of the decision being appealed. The initial notice of appeal is only required to include the information necessary to apprise ASTP of the appeal. The appealing QHIN will then have 30 calendar days from submission to provide a more fulsome description of the facts supporting its appeal and any documentation it would like considered during the appeal.

ASTP may exercise first review of the RCE’s determination, but a QHIN or Applicant QHIN may seek subsequent review by a hearing officer appointed by the HHS Secretary. An appeal will not stay a decision to suspend or terminate unless ordered by a hearing officer. Review of the RCE’s determination is de novo, and the appealing QHIN or Applicant QHIN has the burden of supporting its appeal by a preponderance of the evidence. The hearing officer is required to issue a written determination of the appeal.

Subpart G: QHIN Attestation Process

Section 4003(b) of the Cures Act requires HHS to establish a process for HINs to attest to adoption of the Trusted Exchange Framework and the Common Agreement. This subpart details the process for QHINs to submit an attestation, ASTP’s review of the attestation, and requirements for the creation and maintenance of a directory of designated QHINs.

THE McDERMOTT DIFFERENCE

If you have questions about how the final rule may affect your organization, please contact any of the authors of this On the Subject, your regular McDermott lawyer, or your McDermott+ consultant.