Final Rule is in effect 30 days after publication in the Federal Register
The Final Rule focuses on three key issues: the TEFCA Manner Exception for Information Blocking, Administrative changes to certification requirements, and TEFCA revisions of definitions and clarifying QHIN responsibilities and governance by ASTP/ONC and RCEs
This fact sheet focuses on the Manner Exception and Certification Changes
Other components of certification (USCDI, Bulk FHIR, Digital Imaging, Public Health Certifications) are still being reviewed and may be finalized in future rulemaking.
Information Blocking and the TEFCA condition under the Manner Exception
The HTI-1 Final Rule established that an actor’s practice of limiting the manner in which it fulfills a request to access, exchange, or use EHI via TEFCA will not be considered information blocking when it meets the following conditions:
the actor and requestor are both part of TEFCA
the requestor is capable of such access, exchange, or use of the requested EHI from the actor via TEFCA
any fees charged by the actor and the terms for any license of interoperability elements granted by the actor in relation to fulfilling the request are required to satisfy, respectively, the Fees Exception (§ 171.302) and the Licensing Exception (§ 171.303)
Exception is only available when both the actor and the requestor participate in TEFCA as QHINs, Participants, or Subparticipants
FHIR API Exchange Manner Exception will be expanded to include exchange based on versions of the FHIR standards that are more advanced than those required in current versioning of certification
Only applies to advanced FHIR standards listed in the SVAP (“Standards Version Advancement Process”)
Eventually all TEFCA QHINs will be required to support exchange via FHIR API standards (No finalized timeline in the rulemaking)
Option A would be to sunset the limitation in § 171.403(c) once all QHINs can support brokered FHIR.
Option B would be to sunset the limitation in § 171.403(c) if all QHINs, Participants and Subparticipants support facilitated FHIR exchange
Certification of Health IT Updates
Terms “Complete EHR” and “EHR Module” have been removed from Health IT certification regulations
“Complete EHR” and “EHR Module” terms have been replaced with “Health IT Module”
Removes time-limited provisions dictated by the Cures Act Final Rule
Privacy and Security Certification Requirements for Decision Support Interventions
Health IT Modules certified to the “decision support interventions” (§ 170.315(b)(11)) must also be certified to the following privacy and security certification criteria on and after January 1, 2028:
“authentication, access control, and authorization” in § 170.315(d)(1)
“auditable events and tamper-resistance” in § 170.315(d)(2)
“audit report(s)” in § 170.315(d)(3)
“automatic access time-out” in § 170.315(d)(5)
“emergency access” in § 170.315(d)(6)
“end-user device encryption” in § 170.315(d)(7)
“encrypt authentication credentials” in § 170.315(d)(12)
“multi-factor authentication” in § 170.315(d)(13).
*Comments received about other provisions related to decision support interventions certification criteria are still in review
Privacy and Security Certification Framework Correction
Adds 170.550(h)(4) back to the Privacy and Security certification requirements
Methods to demonstrate compliance with each privacy and security criterion: one of the following methods must be used to meet each applicable privacy and security criterion in (h)(3)
Directly, by demonstrating a technical capability to satisfy the applicable certification criterion or certification criteria; or
Demonstrate, through system documentation sufficiently detailed to enable integration, that the Health IT Module has implemented service interfaces for each applicable privacy and security certification criterion that enable the Health IT Module to access external services necessary to meet the privacy and security certification criterion.