What Makes ONC's 'Trusted Exchange Framework' So Complex?
DirectTrust CEO David Kibbe, M.D., Analyzes ONC's Health Data Exchange Proposals
Federal regulators' recently issued draft for a "trusted exchange framework" aimed at propelling nationwide, secure, interoperable, query-based health data exchange is a complex proposal that requires careful analysis, says David Kibbe, M.D., leader of DirectTrust, which governs the secure "Direct" healthcare email protocol.
The draft framework, announced on Jan. 5 by the Department of Health and Human Services' Office of the National Coordinator for Health IT, "appears to ... set up a voluntary federation for standards-based health information exchange [organizations] ... for 'pull' and 'query response,'" Kibbe says.
In contrast, DirectTrust's much simpler and narrower Direct protocol provides specifications for a secure, scalable, standards-based way to send encrypted health information directly to known, trusted recipients over the internet.
Based on ONC's proposals for the Trusted Exchange Framework and Common Agreement, or TEFCA, the agency appears to envision that many of the approximately 100 health information exchange organizations in the U.S. and potentially other entities - such as hospitals or payers - will voluntarily seek to become "Qualified Health Information Networks," which would be governed by a new oversight entity, dubbed a "Recognized Coordinating Entity," Kibbe says.
According to the ONC proposals, these Qualified HINs would need to implement the components of the trusted exchange framework, including a common method for authenticating all network participants and agreeing to a common set of rules for trusted exchange.
"This is all reminiscent of what evolved over time with the federated network of networks for Direct exchange, which is now governed by DirectTrust in our trust framework," Kibbe says in an interview with Information Security Media Group. "So, I have to like the general idea that TEFCA is introducing, although there are some differences, and TEFCA is pretty complicated compared to Direct."
TEFCA contains several complex components.
"The Qualified Health Information Network, by definition, centralizes the data it receives from healthcare organizations ... and that's why [HINs] need services such as a [patient] record locator and master patient index," he says.
By comparison, the exchange of data via the Direct protocol "is much simpler," he says. Data is exchanged via DirectTrust's network of accredited Health Information Service Providers, or HISPs, which do not centralize or manage health data "other than to make it secure via the Direct protocol," he says. "We don't have record locators in our network. We're involved with moving data from one place to another securely in an interoperable fashion."
A key question, Kibbe suggests, is why anyone would become a Qualified HIN. "There are some costs associated with becoming a qualified HIN," he notes. "It's not clear to me the incentives any organization would have to voluntarily submit to a common agreement, such as in TEFCA, that would require modifications to existing participation agreements and [other] trust frameworks."
In addition, under TEFCA, Qualified HINs must agree to facilitate additional permitted data disclosures, such as for public health, benefits determination and individual access by patients, Kibbe notes.
"The Qualified HINs would be required to open up their data stores via services they might not yet have," he says. That means "they might need to devote additional resources in their networks to make upgrades to meet these newly [proposed] mandated IT capabilities," he says.
An important consideration for potential Qualified HINs, Kibbe says, is "would the costs involved with these newly permitted disclosures and this concept of an 'on ramp' that allows an end user to access many health information exchanges ... be acceptable within the framework provided [by ONC's proposals], which does not include new money" in terms of federal incentives? (See Is ONC's 'Trusted Exchange Framework' Doable?.)
ONC is accepting public comment on its draft TEFCA proposals until Feb. 18.
In the interview, Kibbe also discusses:
- Various other differences between Qualified HINs supporting query-based exchange - as defined by ONC's proposed TEFCA - versus DirectTrust's health information service providers, or HISPs, supporting the simpler and more limited Direct protocol;
- The pros and cons of ONC's proposed TEFCA;
- Top health data exchange initiatives planned by DirectTrust this year.
Kibbe, a physician, is founding president and CEO of DirectTrust, a not-for-profit trade association that created and maintains the security and trust framework for using the Direct Project protocol. The protocol provides specifications for a secure, scalable, standards-based way to send encrypted health information directly to known, trusted recipients over the internet. Kibbe is also senior adviser to the American Academy of Family Physicians.