Fax to the Future: TEFCA, QHINs, and Health Data Exchange

For decades the workhorse of healthcare interoperability has been the fax machine. While fax has many downsides, being slow, messy, and expensive compared to digital records exchange, it is generally perceived as secure.  For that reason, it may have persisted despite many attempts to retire it.  Indeed, improving the portability of patient records has been a goal since at least 2005, when Hurricane Katrina displaced tens of thousands of patients without records of their medications or diagnoses. That catastrophe eventually led the US government to promote the adoption of electronic medical record systems that could share information and to fund the development of state-level health information exchanges (HIEs) through matching grants to promote regional data interoperability.

This has been a long and winding road.  Over the last two decades more than 35 billion taxpayer dollars have been distributed in incentives and grants to healthcare systems and health information exchanges, supporting the growth of an ecosystem of health IT and EHR vendors. Despite those investments, health systems and insurers in the US still spend an estimated $2 billion faxing records every year, a substantial inefficiency that electronic exchange could mitigate.  Now, after 20 years, healthcare is about to get its own internet superhighway, in the form of Qualified Health Information Networks (QHINs), which began sharing records electronically earlier this year.   What this means is that someday soon, your doctor will be able to access your complete and accurate past health information without relying on you to fill out a paper on a clipboard.  Maybe in another couple of years, we’ll see fax machines finally disappear from insurance claims processing.

The new system enabling this is called the Trusted Exchange Framework and Common Agreement (TEFCA), which is overseen by the Office of the National Coordinator for Health Information Technology (ONC), a part of the Department of Health and Human Services. TEFCA was established under the 21st Century Cures Act to create a cohesive, nationwide approach to health information exchange, and follows earlier efforts organized under the HITECH Act. This electronic information exchange will be mediated by the QHINs operating on the foundation developed and overseen by the Sequoia Project, a neutral party and non-profit engaged by ONC to bring the many stakeholders together to craft standard agreements, operating procedures, data models, record locators, and other essential components of a data sharing ecosystem.  The Sequoia Project is often referred to as the Recognized Coordinating Entity or RCE for TEFCA. 

Already, today’s Health Information Networks like CommonWell Alliance, and the e-Health Exchange have become QHINs, joined by several other organizations, including an HIE, Konza, and organizations that have provided the software to power many HIEs, like Medallies, and Kno2.  On the other hand, Carequality, the data sharing collective whose common agreement in many ways laid the foundation for the TEFCA agreement, will eventually sunset as their members transition to QHINs. For now, both systems continue operating in parallel.  

For executives across the healthcare continuum, as well as patients and providers, understanding this transition is important.  TEFCA provides the standardized framework designed to simplify connectivity, enhance interoperability, and protect patient data. It does so in several ways, such as streamlining today’s model in which EHRs and the dozens of HIEs have numerous point-to-point connections, sharing data locally, and through regional and national networks including the HINs.  TEFCA establishes common principles and importantly, the legal agreements, that ensure trust across the network participants that data sharing is secure and seamless.  Establishing trust hasn’t been easy, and today the connectivity is focused on providers.  Soon, it will enable patient directed data sharing, called Individual Access, and hopefully soon after payers and public health organizations will be included. 

One obvious question for the newly initiated is how TEFCA is different from HIPAA, the Health Information Portability and Accountability Act that has governed healthcare data privacy and security since 1996. HIPAA established national standards for how healthcare providers, insurers, and their business associates handle patient data, emphasizing confidentiality and the prevention of unauthorized access or disclosure.  The emphasis was establishing patient privacy and data security.  Technology has changed significantly since then, and TEFCA aims to facilitate the exchange of health information while preserving the foundation of privacy and security established by HIPAA over the past two decades.  In sum, HIPAA set the rules for protecting health information and TEFCA provides the guidelines for sharing it efficiently and securely on a national scale. Together, they ensure that as health data becomes more accessible to those who need it, patient privacy and data security remain paramount.

Today, with TEFCA and the now operational QHINs, our nation has taken a foundational step toward achieving the broader vision outlined in the ONC’s Health Interoperability Outcomes 2030. The ONC anticipates a US healthcare ecosystem where individuals are empowered with easy and secure access to their health information, which can be shared easily and securely by their providers. It envisions data moving seamlessly across systems and organizations, following the patient and supporting coordinated care while reducing redundant testing.  Further, this model of standardized access to data is expected to fuel innovation, such as AI- and data-enabled care models. Moreover, interoperability should promote health equity by facilitating wider access to high-quality, evidence-based care.

The QHINs are the focal point of TEFCA and serve as primary hubs facilitating health information exchange among participants. The process to become a QHIN involves several steps. Organizations must first review TEFCA materials, including the Common Agreement, Technical Framework, and Standard Operating Procedures, to evaluate their readiness to meet technical, security, and governance requirements. They then submit an initial application, providing detailed information demonstrating their capabilities and commitment to TEFCA principles, along with supporting documentation that evidences compliance with required standards and policies.  The Sequoia Project, acting as the Recognized Coordinating Entity (RCE), assesses the application during the review and onboarding phase. Applicants must complete interoperability and security testing phases and establish governance structures and operational policies aligned with TEFCA requirements. Upon meeting all criteria, they receive designation as a QHIN and begin participating in the nationwide health information exchange, connecting with other QHINs and participants.  As noted above, this is a demanding process that has only been completed by seven organizations, all of which were deeply involved in healthcare interoperability for many years.

Of course the motivation behind all these changes was to improve the care of patients. The economy has changed dramatically since HIPAA was first enacted.  With the growth of social media, there is much more awareness of the value of data, heightening individuals' concern over the collection and use of their information.  At the same time, there has been enormous growth in the use of connected health applications by patients, who have grown to expect that their data is used to improve their care.  Patients are more engaged and want both access and control.  With QHINs enabling secure, real-time access to their health records across different providers and systems, patients can better advocate for themselves, and ideally access expertise, such as second opinions and molecular tumor boards through a connected data ecosystem. 

At the same time, greatly expanded access to records raises questions about who owns your medical records versus the data within them. Traditionally, healthcare providers owned the physical medical records, but patients have rights under HIPAA to access the information contained within them. With the push for interoperability, electronic copies of records proliferate and the ownership of data becomes less clear.  This introduces new problems.  For example, we have seen dozens of copies of the same document in patients’ records, typically when a patient lives in between two major medical centers.  At each admission, records are pulled from the neighboring center and a copy is created–then a copy of a copy, etc.  

In the digital world of healthcare interoperability it is important that patients have greater access to and ultimately control over their health data. While TEFCA promotes a patient-centric approach—emphasizing policies that empower patients and including standardized consent mechanisms with strong identity proofing requirements—it does not resolve these emerging questions about data ownership. The stringent identity measures required wouldn't have been possible a few years ago, but are built upon tools that are becoming familiar to air travelers.  

There are obviously other concerns raised by data sharing.  Ironically, while the Individual Access service is only just starting to be available to patients, it involves markedly higher security than is required for access by providers.  Of course providers are bound by HIPAA, and thus have security and privacy requirements and liabilities.  Yet, the risk of unauthorized access remains, as cyber attacks such as the Change Healthcare ransomware attack demonstrate. TEFCA includes robust security frameworks, and strict requirements and vetting of network participants, but continuous vigilance is required. Equity and access are also critical considerations.  The biometric security requirements of patient access can discriminate against people who do not have smart phones and reliable internet connections.  This is an important consideration as the effectiveness of TEFCA is evaluated:  Will interoperability increase or reduce healthcare disparities?  

Improved care coordination is another benefit for patients. With interoperability, they experience smoother transitions between providers, reducing the risk of redundant tests or conflicting treatments. Providers can access complete patient histories, allowing for more personalized and effective care plans.  Of course, without better technology sitting atop this data, interconnectivity risks replicating the existing challenges.  Turning a 600 page fax into a 600 page pdf isn’t considered a big improvement at busy medical practices.  With a smart semantic layer and the rapidly improving capabilities of AI, it is reasonable to expect that your records will be as accessible as an internet search or as engaging as an AI-powered chatbot.  As a patient, you will be able to engage with data quickly to answer important questions.  

Similar benefits are expected to accrue to providers and payers, from reducing duplicative tests and procedures, which lowers costs for everyone, to reducing preparation or waiting times, to accelerating prior authorization.  Improved data sharing will also enable benchmarking far beyond today’s quality benchmarks, personalizing care and improving reimbursement rates under value-based care models.  These changes create fertile ground for innovation.  We believe that this represents the start of an era, like the beginning of other networks, such as interbanking, credit cards, and the world wide web.  Standards, interoperability, and the exchange of data should drive new innovation, create new tools, and enhance care in ways that are obvious and entirely unexpected.  

The implementation of TEFCA, and emergence of QHINs mark a major step toward achieving true healthcare data interoperability. This shift goes beyond technology; it will transform how care is delivered. Patients will gain greater control and access to their health information, leading to better engagement and outcomes. Providers benefit from real-time, comprehensive data that reduces administrative burden and enhances care coordination.  All stakeholders stand to benefit from increased efficiency.  The TEFCA framework will unlock innovations in AI-driven care, public health, and precision medicine, all while reducing costs and promoting equity.