Initial industry comments are trickling in on the government health IT arm's proposed "on-ramp" to national connectivity, highlighting worries the initiative is biting off more than it can chew. Official comments on the second draft of the Trusted Exchange Framework and Common Agreement won't be released until early next week.
Providers, payers and health IT vendors generally support the idea, much like they support HHS' sweeping rules to promote free data sharing and halt the practice of information blocking. But groups worry the government is doing too much too quickly, with multiple organizations weighing in on the relatively abbreviated timeline of TEFCA implementation and its accompanying administrative burden.
There are also many unanswered questions surrounding the parameters of the framework and its rollout. It's also not clear how ONC will incentivize participation given TEFCA's voluntary nature, and how it will weigh privacy concerns versus giving patient access to their own health data.
"Why reinvent the wheel?," health exchange trade association DirectTrust CEO Scott Stuewe said. "We strongly urge ONC to build on what's working, rather than creating an entirely new construct with significant complexities and the potential for increased costs."
Fast timeline could 'cripple' interoperability
Industry is worried about the quick turnaround for TEFCA implementation and compliance.
The framework, drafted by the Office of the National Coordinator for Health IT, is meant to support nationwide interoperability by introducing a common set of data exchange principles, outlining mandatory terms and conditions and detailing the components of data exchange among qualified health information networks (QHINs), networks of organizations that agree to the same data-sharing infrastructure.
Mandated by the bipartisan 21st Century Cures Act, ONC introduced the first draft in January 2018. Following a public comment period, ONC released the second updated draft mid-April and public comments were due Monday.
ONC plans to finalize an overlapping information blocking rule by the beginning of next year and to release the first draft of the Common Agreement in 2020. If all goes according to schedule, vendors would have until January 2020 to begin rolling out TEFCA-certified products, and the first cohort of QHINs would be functioning in August of the same year.
But stakeholders say those deadlines need to be pushed back.
Insurer Cigna called the timeline "too aggressive" while group purchasing organization Premier slammed it as "overly ambitious" due to the "significant burdens" industry stakeholders will face, including the costs of TEFCA implementation and participation, staffing, privacy and security modifications, contractual changes, education and training and other issues.
Health IT executive groups the College of Healthcare Information Management Executives and its affiliate the Association for Executives in Healthcare Information Technology anticipate the complexity and volume of the necessary changes will take "far longer than 24 months."
In their letter to National Coordinator for Health IT Don Rucker, CHIME and AEHiT worried "establishing timelines and premature requirements could cripple interoperability progress and establish unnecessary burdens" — a concern shared by multiple health IT and provider groups like the American Hospital Association, health IT and exchange nonprofit WEDI and the Sequoia Project.
"As currently drafted, the TEFCA would both disrupt and duplicate existing exchange mechanisms and would require extensive changes to existing activities and revisions to the terms of thousands of legal agreements," Sequoia Project officials wrote in their comments to ONC.
In an attempt to alleviate some of this burden, ONC plans to phase in new exchange modalities and purposes to give industry time to incorporate the standards into their business processes.
CHIME and AEHiT, along with the Healthcare Information and Management Systems Society and EHR giant Epic, "strongly support" an eventual rollout to give organizations time to pilot different use cases under TEFCA and reduce unnecessary spending and costs.
AHA also supports a phased-in approach as the Common Agreement includes almost 30 terms and conditions for businesses to incorporate. The hospital group reiterated its concern that "updating participant and business associate agreements will take a significant amount of time."
CHIME and AEHiT agreed. "Vendors and providers only have so much bandwidth," they said.
Carrots and sticks: how to incentivize TEFCA participation
As mandated by Congress in Cures, participation in TEFCA is voluntary, causing many parties to express concern about how successful or widespread industry adoption of the standards and framework will be.
Congressional health IT advisory board HITAC floated various incentives to get industry on board with TEFCA in a meeting earlier this month, including requiring participation in the standards for participation in other federal programs like Medicare, Medicaid or Veteran Community Care.
"Maybe we don't want to go into that political space, but that's what it could come to for TEFCA to work," task force co-chair John Kansky said.
Federal agencies like CMS and the VA would have to be on board for this to work, and it would require extensive rulemaking. But CMS' ongoing push for interoperability alongside ONC suggests this could be a possibility, HITAC commissioners said.
"The Cures Act says, 'yes, participation is voluntary,' but federal agencies can require it by contract or agreement," said Mark Savage, task force member and director of health IT at the National Partnership for Women & Families.
Another strategy would have the government take an organization's participation in TEFCA into consideration when determining whether or not an organization is guilty of information blocking. But HITAC members slammed this plan as a "slippery slope" and a "double-edged sword."
Industry commenters seemed to agree.
"TEFCA Draft 2 is not an adequate safe harbor for compliance with the 21st Century Cures Act's legal prohibition against information blocking," the nonprofit DirectTrust said.
It would be "entirely premature" for the government to make participation in TEFCA mandatory because there are several outstanding operational issues that still need to be addressed, CHIME and AEHiT commented. "The framework has not been finalized, the Recognized Coordinating Entity (RCE) has not been selected, and the number and makeup of the Qualified Health Information Networks (QHINs) remains unknown," they said.
Payer trade association America’s Health Insurance Plans agreed. "We believe an incentive-based approach may be more effective than a punitive," it commented.
Providers, health IT groups stump for standardized APIs
Although the U.S. healthcare industry is normally dead set against government regulation, the majority of stakeholders want government standardization of application programming interfaces (APIs), with AHA, Pew Charitable Trusts, CHIME, AEHiT and the University of California, San Francisco Center for Digital Health Innovation all coming out in favor of the proposal.
In its second TEFCA draft, ONC removed its previous requirement that QHINs support Fast Healthcare Interoperability Resources (FHIR) APIs as an exchange modality.
FHIR, a standardized way computers can send and receive messages from one another, allows for the exchange of individual data elements, rather than the entire patient medical record. ONC estimates more than 80% of hospitals and two-thirds of clinicians already use EHRs that leverage FHIR.
"Without such a requirement, a Trusted Exchange Framework for document-based exchange will never provide the interoperability that Congress, ONC, CMS, and the nation all expect with forthcoming standardized APIs," the UCSF CDHI wrote in its comments to ONC.
AHA questioned why ONC wouldn't require QHINs to support FHIR APIs as an exchange method when they are doing so for certified health IT products in the interoperability regulations. Health IT actors should be held to the same standards that ONC and CMS have set out for payers, providers and individuals, the provider lobby said.
Pew's health IT project director Ben Moscovitch also recommended ONC apply FHIR to TEFCA APIs and other use cases in order to ensure relevant data elements can be easily exchanged between patients and their clinicians.
Debate over data privacy versus access continues
How to keep personal health information secure as the industry pushes for free and unfettered data sharing is an ongoing dispute across the healthcare system. These concerns bubbled up again in stakeholder comments on TEFCA, with myriad groups noting inconsistencies and uncertainties in the documents' second draft.
"Our members are still confused by the overall interplay between HIPAA, data blocking policies and TEFCA," CHIME and AEHiT commented, while Premier urged ONC to clarify how TEFCA will "allow for variation in state privacy, security, data access and consent laws and regulations."
The three groups, along with HIMSS and AHIP, recommended TEFCA be aligned as closely as possible with HIPAA to ensure patient privacy without injecting new privacy standards and the burden of implementing them into the industry.
A common theme across the comments was that strong privacy protections need to be balanced with patient access, giving ONC a fine line to tread in finalizing the regulation.
TEFCA in its current form would limit patients to requesting their own health data or directing a copy of their data be sent to a third party. Many commenters said these two exchange modalities for patients aren't broad enough.
"Patients need and use interoperability for the spectrum of health care needs, not just exercising these two rights under HIPAA's Privacy Rule," UCSF CDHI said. "ONC should broaden Individual Access Services to include other core health use cases for patients and individuals so that they have a full and equal on-ramp."
Such use cases could include patients participating in care planning and shared decision-making with their providers, sharing remote monitoring or other patient-generated data or securely messaging their care team.
HITAC has debated introducing specialized QHINs to work on patient access alone, an initiative HIMSS also supports. "We have a growing amount of these cases where direct access for consumers to come in and act on their health information becomes greater," commissioner and director at health IT and policy company Audacious Inquiry, Christina Caraballo, said in a meeting Wednesday. "I think it is something we should really consider."
Yet other HITAC members were uncertain about specialized QHINs, noting it's important all exchange purposes are addressed and that specialization will come in at the larger health information exchange network level.
Another provision in TEFCA that would allow patients to consent to how their information is shared also raised concerns. Under HIPAA, providers can share a patient's information freely when it's related to treatment, payment and healthcare operations, so this "Meaningful Choice" provision could create two competing standards, health IT groups said, not to mention how it would interact with state law, which is often stricter than HIPAA.
"The concept of meaningful consent is generally unclear," AHA wrote, noting there's no current standard in the industry to communicate consent. Premier, CHIME and AEHiT also commented "Meaningful Choice" would be challenging and complicated to enact.
Despite the delicacy and complexity of the issue, the government's regulatory advisers seem undaunted, with TEFCA task force co-chair Arien Malec saying Wednesday: "We just have a lot to think about and more work to do."