The following is a guest article by Dave Cassel, Chief Customer Officer at Health Gorilla and Former Executive Director of Carequality
Talking about privacy and security in health information exchange is tricky. Saying you want to improve it implies that it isn’t good enough now, and that’s never the message we want to send. But improvements can always be made, and must be made.
As with many things, there are degrees – and when it comes to health data, you can never be too private or too secure.
Established by the 21st Century Cures Act, the Trusted Exchange Framework and Common Agreement (TEFCA) holds so much promise. By creating an on-ramp for the superhighway of nationwide health data exchange, TEFCA makes sure patient records follow the patient wherever they go. But like any highway, guardrails and limits are absolutely necessary for keeping everyone safe.
In fact, Health Gorilla’s 2023 State of Interoperability Report found that 91 percent of health system CIOs support TEFCA but 58 percent expressed the need for more protection and guardrails around the data. And 75 percent reported that data privacy and security as their primary concern regarding TEFCA.
Health IT Security reported just last month that the number of health records exposed rose from 21.1 million in 2019 to 28.5 million in 2021 – and 35 percent more patients were impacted in the second half of 2022.
That’s a disturbing thing to hear, and yet not surprising. In particular, electronic health record (EHR) hacking is on the rise and the reasons for these are manifold. An unfortunate side effect of the consolidation of health records into larger data sets is that it creates targets for cybercriminals who are getting more sophisticated over time.
IAS and QHINs
Also raising the stakes is the fact that the healthcare ecosystem is on the cusp of making Individual Access Services (IAS) a reality. IAS refers to a set of services that enable individuals to access, control, and manage their personal healthcare information.
IAS allows patients to take a more active role in their own healthcare to make informed decisions about how their data is used and shared. More broadly, it can improve access to medical services, and enhance the quality of care patients receive. Ensuring that this access is safe, however, requires the right tools for identity management, data management, and privacy protection.
Health Gorilla’s recent partnership with CLEAR, a secure identity verification platform, will make the identity authentication piece of this possible – ensuring that the right records are going to the correct patient. The data management and privacy pieces will be supported by our already stringent protections in place and bolstered by the rigors of TEFCA.
We are all excited – and rightly so – about its potential to further break down barriers to interoperability. But I am equally enthusiastic about the leveling up of privacy and security standards TEFCA will bring.
TEFCA has been described as a “network of networks” approach to nationwide interoperability, and the health data exchange framework as an ecosystem. The interconnected nature of it makes it crucial that every single part is 100 percent secure.
To that end, Health Gorilla is one of the six candidate Qualified Health Information Networks organizations (QHINs) under TEFCA announced in February. The organizations that ultimately achieve that designation will have both an opportunity and a heavy responsibility to ensure that the TEFCA exchange ecosystem maintains the highest degree of trust.
HITRUST Certification
Part of establishing and maintaining that trust is exemplified in our recently attained HITRUST Risk-based, 2-year (r2) Certified status, which demonstrates that Health Gorilla’s Health Interoperability Platform has met key regulations and industry-defined requirements and is appropriately managing risk.
This certification puts Health Gorilla in an elite group of healthcare organizations. By including federal and state regulations, standards, and frameworks, and incorporating a risk-based approach, the HITRUST Assurance Program helps organizations address security and data protection challenges through a comprehensive and flexible framework of prescriptive and scalable security controls.
TEFCA’s renewed focus on patient privacy and data security make sense. Governmental compliance can feel like red tape but for healthcare organizations responsible for the flow of patient information, it’s there for a very important reason.
Setting a Higher Bar
While the industry has historically been protected by government oversight, Health Gorilla and several other organizations are looking to deepen public-private collaboration by applying to be QHINs.
Joining a QHIN will not be mandated, but the Centers for Medicare and Medicaid Services (CMS) has indicated that belonging to one will satisfy interoperability requirements for reimbursement adjustments – incentivizing participation as soon as this year.
While CMS has historically incentivized health information exchange activities in general, incentives have typically not focused on a specific program. The higher governance and security bar will benefit from oversight by the Office of the National Coordinator for Health Information Technology (ONC). This will clear the way for federal agencies, including CMS, to participate in and incentivize TEFCA in a way that they have not been able to with previous initiatives.
Keeping health data private and safe while also making it accessible to everyone who needs it – healthcare providers, patients, etc. – is perhaps the biggest challenge of all. It is extremely complicated and a big part of the reason that true interoperability remains elusive. But with TEFCA, I believe we can get there.
