Safeguards in New National Network Include Insurance, App Mandates, Cybersecurity Council – JD Supra
Report on Patient Privacy 22, no. 2 (February, 2022)
The new national health information network calls for a number of privacy and security safeguards and standards that, in some instances, exceed what HIPAA covered entities (CEs) and business associates (BAs) are required to meet under current federal regulations.
For example, qualified health information networks (QHINs) that join the national one will have to maintain a certain level of cyber insurance and obtain certification by a nationally recognized security framework, such as HITRUST. In addition, organizations that join the network but aren’t now defined as CEs, such as health apps, will find they have to comply with breach or security incident notification and other requirements that mimic HIPAA.
After years in development, last month officials with the HHS Office of the National Coordinator for Health Information Technology (ONC) and the Sequoia Project, its recognized coordinating entity (RCE), announced the Trusted Exchange Framework and Common Agreement (TEFCA).[1] Together they will underpin a national, interoperable health information network, composed itself of QHINs. Interested organizations may apply to be QHINs within the coming months, with the network itself expected to be rolled out over the next few years.
ONC made it clear to the Sequoia group that “privacy and security” were to be a “huge focus area” in TEFCA, Sequoia CEO Mariann Yeager told RPP in an interview. Along with feedback from stakeholders, there was a “consistent sentiment that there should be a high bar for privacy and security for QHINs, given the role that they would play as really part of a national backbone,” Yeager said.
She added that the Common Agreement “expects covered entities and business associates to continue to meet their obligations under HIPAA and comply with applicable law,” but certain HIPAA-like standards will now be imposed on “entities that are not subject to HIPAA that are parties to the exchange.”
The Trusted Exchange Framework “is a set of non-binding principles to facilitate data-sharing among health information networks,” ONC Director Micky Tripathi and Yeager wrote Jan. 18 on the ONC blog.[2] The Common Agreement “will operationalize simplified electronic health information exchange for many across the US and will provide easier ways for individuals and organizations to securely connect.”
In the beginning, the emphasis is on building a foundation to make information available to patients, providers and health systems; payers; and technology developers, Yeager said. Functionality for researchers—interest from this group is already high—will be coming later, she said.
Regional and some national networks already exist; they are expected to be among the first applicants to be QHINs. Yeager couldn’t estimate the number that would apply, but said it is likely to be fewer than 100.
Some of the standards and requirements in TEFCA could serve as a model for hospitals, health plans and others that sometimes struggle to ensure their protected health information is safeguarded throughout its life cycle, and currently have just HIPAA as a guide.
Minimum of $5 Million Annual Coverage Required
In addition to certification and insurance, TEFCA addresses security in other ways, including requiring quick notification of security incidents and the establishment of a Cybersecurity Council that will have a variety of oversight duties.
Between notifications, credit monitoring, remediation efforts and responses to the inevitable class-action suit, breaches are expensive. To share the cost—and the accountability—many CEs require their BAs and others to maintain cyberinsurance, but there may not be a national industry standard for levels of coverage.
For QHINs, there will be. Under standard operating procedures the RCE issued last month,[3] QHINs are required to have a cyber risk/technology errors and omissions insurance policy that covers up to $2 million per incident or $5 million per year. A QHIN also could prove to the RCE that it has the internal resources to equal these limits, or meet the requirement through some combination of insurance and financial reserves.
Alan Swenson, executive director of Carequality, itself a framework for nationwide health information exchange that is working with the RCE, told RPP the coverage amounts came from discussions with ONC officials regarding policy requirements and with potential QHINs and stakeholders and also reflect “what other networks and frameworks have in place.”
A QHIN that runs into trouble—for example, loses coverage, has its limits reduced or fails to satisfy any conditions of coverage—must notify the RCE “without delay.” If conditions of coverage aren’t met, the QHIN must send the RCE “its plan of correction without delay and, in all cases, within thirty (30) days of such discovery.”
Certification Mandate Includes Annual Tech Audits
As noted, QHINs will need to be certified by a third-party organization. Yeager said the RCE is likely to select several such organizations, which officials were evaluating at the time of the RPP interview. In addition to HITRUST, another organization under consideration is the Electronic Healthcare Network Accreditation Commission (EHNAC), Yeager said.
Under the standard operating procedure for QHIN security requirements,[4] in addition to certification, QHINs will be required to have a “technical audit of in-scope systems on an annual basis (including comprehensive penetration testing and review of the results of vulnerability scans, including patch and vulnerability management records of its systems and applications) to ensure that its systems are properly defended against emergent threats.”
The RCE will expect to receive “an appropriate report or summary of the results of its certification renewal assessments and annual technical audits” from a QHIN within 30 days of its receipt. If there are any “unaddressed deficiencies” that reach a certain threshold, the QHIN will need to prove they have been remediated within 15 days of learning of them.
If remediation takes longer, the QHIN “must develop and implement an appropriate plan of action and milestones…identifying the necessary activities, resources needed, responsible party/parties, reasonable mitigation efforts and/or compensating controls, and the timetable to full remediation,” and provide it to the RCE within 15 days of its receipt of the certification/audit report.
Cybersecurity Council Expected to be Active
To provide a “proactive…oversight role from a security perspective,” an 11-member Cybersecurity Council will be formed to “evaluate the risks of QHIN-to-QHIN exchange, to serve in an advisory capacity to the governing council, to really look at the security posture of the TEFCA-based exchange,” and to evaluate cybersecurity incidents and “how to address them,” Yeager explained.
Members will also consider which organizations can best serve as certification entities, she said, and whether those should change over time. Similarly, the council will update the RCE “on additional standard operating procedures and expectations around security. We do expect that group to be a very actively engaged group.”
The RCE’s chief information security officer (CISO) will chair the council, which will include five QHIN CISOs and five other members drawn from participants in individual QHINs, she added. The council is expected to meet “at least quarterly,” she said.
Due to the sensitivity of proceedings, the council will not meet in public, but the RCE itself “will be as transparent as possible,” Yeager said. If the Cybersecurity Council makes recommendations, the RCE may share them to solicit stakeholder feedback, she added. The council is addressed in the Common Agreement.
Apps to Seek Consent, Notify After Incidents
In the Common Agreement, TEFCA calls organizations that permit patients or other allowed individuals to request information via the national network “individual access service providers.”
These could be a “provider organization that makes a patient portal available today. And they extend functionality into that patient portal to allow their individuals, using individual access services to request information from others,” Yeager explained. These providers would already be HIPAA CEs.
But “there will also be a number of patient-facing app developers who come on as individual service providers and may just be a participant or sub-participant within a QHIN or within another network making access available to a patient while they themselves are completely non-HIPAA covered,” she said.
This type of service provider will have to obtain patient consent to carry out an access request and provide information about how it will use that information—a written “privacy and security notice” similar to the notice of privacy practices CEs have to distribute now. The consent must be obtained the first time an access request is initiated; the Common Agreement allows for electronic signatures.
An individual access provider that experiences a “security incident” would have to notify affected individuals or those “believed” to be affected “without unreasonable delay” and no later than 60 days from discovering the issue, according to the Common Agreement.
‘An Assurance of Trust’
The notification must include a description of the incident, the type of information involved, what the organization did to mitigate the incident, what actions patients can take and contact information where individuals can learn more. Unlike a HIPAA breach, there is no requirement to provide services such as credit monitoring, nor to report the incident to any government regulator, the general public or the news media. That means if a breach occurs at an entity not covered by HIPAA, it wouldn’t appear on the Office for Civil Rights (OCR) breach reporting page and might otherwise not be widely known.
“We’re really not trying to assert any legal authority” that doesn’t exist today, Yeager said. ONC and OCR, which enforce HIPAA, “don’t have the legal authority to regulate the apps; that’s not something we would just insert” in the Common Agreement, she said.
Years of debate about expanding HIPAA to include entities such as health apps have remained just that, creating a “pretty big gap under existing law,” Yeager said, “and that’s why it was so important to make sure that there was a consistent standard and a set of expectations for entities not subject to HIPAA.”
In addition to app providers, “there are health care providers that are not covered entities because they don’t conduct any administrative transactions.” The TEFCA standards provide “an assurance of trust,” she added.
1 Office of the National Coordinator for Health Information Technology, ONC TEFCA Recognized Coordinating Entity, “Common Agreement for Nationwide Health Information Interoperability: Version 1,” January 2022, https://bit.ly/3GoIk9D; HHS, “ONC Completes Critical 21st Century Cures Act Requirement, Publishes the Trusted Exchange Framework and the Common Agreement for Health Information Networks,” news release, January 18, 2022, https://bit.ly/3oO4tZ5.
2 Micky Tripathi and Mariann Yeager, “3…2…1…TEFCA is Go for Launch,” Health IT Buzz (blog), January 18, 2022, https://bit.ly/3fWAZmB.
3 ONC TEFCA Recognized Coordinating Entity, “Standard Operating Procedure (SOP): QHIN Cybersecurity Coverage, Applicability: QHINs,” accessed February 7, 2022, https://bit.ly/3rt14QO.
4 ONC TEFCA Recognized Coordinating Entity, “Standard Operating Procedure (SOP): QHIN Security Requirements for the Protection of TI, Applicability: QHINs, RCE,” accessed February 7, 2022, https://bit.ly/3J0larE.