
Data Strategy — Healthcare interoperability

TEFCA launched with its Common Agreement—a framework for nationwide health information exchange. If you are building healthcare integrations, this is the path toward interoperability without dozens of point-to-point connections.

Fact-checked and reviewed — Kodi C.


On 18 January 2022 the U.S. Office of the National Coordinator for Health IT (ONC) and The Sequoia Project released Version 1 of the Trusted Exchange Framework and Common Agreement (TEFCA), opening applications for prospective Qualified Health Information Networks (QHINs). TEFCA establishes nationwide policies, procedures, and technical requirements for secure, standardized exchange of electronic health information. Health systems, payers, health information networks, and technology vendors must now prepare operational roadmaps, governance structures, and sourcing strategies to participate in TEFCA exchange while aligning with information blocking and interoperability rules.

Framework overview

TEFCA includes two major components: the Trusted Exchange Framework (principles for nationwide exchange) and the Common Agreement (a legal contract between the Recognized Coordinating Entity (RCE) and QHINs). Version 1 defines exchange purposes (treatment, payment, health care operations, public health, benefits determination, and individual access services), security requirements, flow-down obligations to participants and subparticipants, and dispute resolution processes. QHINs must support standardized exchange via FHIR- and IHE-based transactions, maintain strong cybersecurity controls, and uphold minimum performance standards.

Operational priorities for potential participants

Teams preparing to join TEFCA—whether as QHINs, participants, or subparticipants—should focus on:

  • Gap assessments. Conduct readiness assessments comparing existing network capabilities, security controls, and legal agreements against TEFCA’s Common Agreement and QHIN Technical Framework. Document remediation plans and allocate budgets for necessary upgrades.
  • Data governance. Establish policies governing permissible use, data minimization, consent management, and handling of sensitive data classes (for example, substance use disorder records governed by 42 CFR Part 2). Align TEFCA participation with HIPAA Privacy and Security Rules and state privacy laws.
  • Security posture. Implement zero-trust architectures, continuous monitoring, and incident response procedures that meet TEFCA security requirements and NIST SP 800-53 controls. Prepare to show compliance through audits and reporting to the RCE.
  • Interoperability infrastructure. Upgrade APIs, record locator services, and patient matching capabilities to support high-volume query and message-based exchange. Ensure systems can process FHIR-based individual access services and integrate with edge gateway solutions.

Operational teams should coordinate with clinical informatics, compliance, and IT to align TEFCA workflows with existing health information exchange (HIE) participation and federal incentive programs.

Governance moves and leadership engagement

TEFCA participation requires strong governance:

  • Executive sponsorship. Appoint senior leaders (for example, CIO, Chief Medical Information Officer, Chief Privacy Officer) to oversee TEFCA strategy, supported by a cross-functional steering committee covering compliance, legal, security, and operations.
  • Policy oversight. Boards or compliance committees should review and approve TEFCA participation strategies, including risk assessments, patient engagement plans, and resource allocation. Meeting minutes should capture deliberations about joining as a QHIN versus participant, cost-benefit analysis, and alignment with organizational mission.
  • Performance monitoring. Establish governance dashboards tracking service-level adherence, exchange volumes, incident trends, and participant onboarding metrics. Provide quarterly updates to executive leadership.
  • Escalation procedures. Develop escalation pathways for breaches, disputes, or operational failures reported by the RCE, including criteria for notifying regulators, business partners, and patients.

Governance bodies must ensure TEFCA obligations integrate with information blocking compliance, particularly when responding to requests for electronic health information from patients and third parties.

Sourcing strategy and vendor management

Participation often depends on technology vendors, managed services, and data partners:

  • Gateway providers. Evaluate interoperability platform vendors offering QHIN gateway services, directory management, and analytics. Contracts should specify TEFCA compliance deliverables, security attestations, uptime guarantees, and support for evolving standards.
  • Identity and consent tools. Source solutions for patient identity proofing, record matching, and consent orchestration that meet TEFCA’s individual access services requirements and integrate with patient portals.
  • Cybersecurity partners. Engage managed security service providers for continuous monitoring, threat hunting, and incident response aligned with TEFCA security obligations. Include provisions for coordinated response with the RCE and other QHINs.
  • Legal and compliance advisors. Retain counsel familiar with TEFCA, HIPAA, and state privacy laws to review participation agreements, develop data use policies, and assist with dispute resolution.

Vendor management offices should maintain an inventory of TEFCA-relevant contracts, monitor service-level performance, and enforce flow-down obligations to subcontractors.

Clinical and operational integration

TEFCA impacts front-line clinical operations and patient engagement:

  • Workflow design. Map clinical workflows for retrieving external records, reconciling data, and documenting patient consent. Ensure training materials illustrate TEFCA-enabled use cases like cross-network care coordination and public health reporting.
  • Data quality management. Implement validation processes for incoming data, addressing duplicate records, mismatched identifiers, and terminology mapping. Coordinate with health information management teams to reconcile discrepancies.
  • Patient education. Develop educational materials explaining TEFCA, data sharing benefits, and privacy protections. Provide channels for patients to manage preferences and submit complaints.
  • Public health collaboration. Align TEFCA participation with state immunisation registries, disease surveillance, and emergency preparedness programs, ensuring governance covers data sharing during outbreaks.

Operational readiness must include integration testing, go-live rehearsals, and feedback loops for clinicians to report issues.

Metrics and continuous improvement

Track TEFCA performance using measurable indicators:

  • Number of networks, providers, and payers onboarded to TEFCA exchange.
  • Query success rates, response times, and data payload completeness.
  • Incident response metrics, including detection time and resolution time for security events.
  • Patient satisfaction scores related to data access and interoperability services.
  • Compliance metrics for information blocking requests fulfilled within required timelines.

Continuous improvement cycles should review metrics monthly, prioritize remediation, and share lessons with industry collaboratives such as the ONC Health Information Exchange Workgroup.

Regulatory alignment

Teams must harmonize TEFCA activities with other federal regulations:

  • Information blocking. Ensure TEFCA workflows support timely responses to requests for electronic health information under the 21st Century Cures Act. Document legitimate exceptions and maintain audit trails.
  • CMS interoperability rules. Align TEFCA integration with CMS requirements for payer-to-payer data exchange, patient access APIs, and provider directory updates.
  • State laws. Address state-specific consent, privacy, and data localization rules, particularly for sensitive conditions and minors. Update TEFCA policies to reflect variations.
  • Security frameworks. Map TEFCA security requirements to NIST Cybersecurity Framework and HITRUST controls to support certification and risk management.

Legal and compliance teams should monitor ONC FAQs, RCE bulletins, and evolving QHIN application guidance to stay current.

What comes next

The Sequoia Project plans phased onboarding of QHINs, followed by expansion of exchange purposes, testing requirements, and reporting obligations. Future TEFCA updates may introduce additional exchange modalities (for example, population health analytics) and refine security expectations. Teams investing early in governance, operational capabilities, and sourcing partnerships will be positioned to use TEFCA for care coordination, payer-provider collaboration, and public health resilience.

Key resources

This brief helps health networks operationalize TEFCA with interoperability readiness assessments, vendor governance, and real-time compliance analytics.
