Data Strategy Briefing — January 18, 2022
The 18 January 2022 TEFCA launch set U.S. health data networks on a path toward Qualified Health Information Network onboarding, demanding rigorous operational playbooks, governance guardrails, and vendor sourcing strategies.
Executive briefing: On 18 January 2022 the U.S. Office of the National Coordinator for Health IT (ONC) and The Sequoia Project released Version 1 of the Trusted Exchange Framework and Common Agreement (TEFCA), opening applications for prospective Qualified Health Information Networks (QHINs). TEFCA establishes nationwide policies, procedures, and technical requirements for secure, standardised exchange of electronic health information. Health systems, payers, health information networks, and technology vendors must now prepare operational roadmaps, governance structures, and sourcing strategies to participate in TEFCA exchange while aligning with information blocking and interoperability rules.
Framework overview
TEFCA comprises two major components: the Trusted Exchange Framework (principles for nationwide exchange) and the Common Agreement (a legal contract between the Recognized Coordinating Entity (RCE) and QHINs). Version 1 defines exchange purposes (treatment, payment, health care operations, public health, benefits determination, and individual access services), security requirements, flow-down obligations to participants and subparticipants, and dispute resolution processes. QHINs must support standardised exchange via FHIR- and IHE-based transactions, maintain robust cybersecurity controls, and uphold minimum performance standards.
Operational priorities for potential participants
Organisations preparing to join TEFCA—whether as QHINs, participants, or subparticipants—should focus on:
- Gap assessments. Conduct readiness assessments comparing existing network capabilities, security controls, and legal agreements against TEFCA’s Common Agreement and QHIN Technical Framework. Document remediation plans and allocate budgets for necessary upgrades.
- Data governance. Establish policies governing permissible use, data minimisation, consent management, and handling of sensitive data classes (e.g., substance use disorder records governed by 42 CFR Part 2). Align TEFCA participation with HIPAA Privacy and Security Rules and state privacy laws.
- Security posture. Implement zero-trust architectures, continuous monitoring, and incident response procedures that meet TEFCA security requirements and NIST SP 800-53 controls. Prepare to demonstrate compliance through audits and reporting to the RCE.
- Interoperability infrastructure. Upgrade APIs, record locator services, and patient matching capabilities to support high-volume query and message-based exchange. Ensure systems can process FHIR-based individual access services and integrate with edge gateway solutions.
Operational teams should coordinate with clinical informatics, compliance, and IT to align TEFCA workflows with existing health information exchange (HIE) participation and federal incentive programmes.
Governance moves and leadership engagement
TEFCA participation requires robust governance:
- Executive sponsorship. Appoint senior leaders (e.g., CIO, Chief Medical Information Officer, Chief Privacy Officer) to oversee TEFCA strategy, supported by a cross-functional steering committee covering compliance, legal, security, and operations.
- Policy oversight. Boards or compliance committees should review and approve TEFCA participation strategies, including risk assessments, patient engagement plans, and resource allocation. Meeting minutes should capture deliberations about joining as a QHIN versus participant, cost-benefit analysis, and alignment with organisational mission.
- Performance monitoring. Establish governance dashboards tracking service-level adherence, exchange volumes, incident trends, and participant onboarding metrics. Provide quarterly updates to executive leadership.
- Escalation procedures. Develop escalation pathways for breaches, disputes, or operational failures reported by the RCE, including criteria for notifying regulators, business partners, and patients.
Governance bodies must ensure TEFCA obligations integrate with information blocking compliance, particularly when responding to requests for electronic health information from patients and third parties.
Sourcing strategy and vendor management
Participation often depends on technology vendors, managed services, and data partners:
- Gateway providers. Evaluate interoperability platform vendors offering QHIN gateway services, directory management, and analytics. Contracts should specify TEFCA compliance deliverables, security attestations, uptime guarantees, and support for evolving standards.
- Identity and consent tools. Source solutions for patient identity proofing, record matching, and consent orchestration that meet TEFCA’s individual access services requirements and integrate with patient portals.
- Cybersecurity partners. Engage managed security service providers for continuous monitoring, threat hunting, and incident response aligned with TEFCA security obligations. Include provisions for coordinated response with the RCE and other QHINs.
- Legal and compliance advisors. Retain counsel familiar with TEFCA, HIPAA, and state privacy laws to review participation agreements, develop data use policies, and assist with dispute resolution.
Vendor management offices should maintain an inventory of TEFCA-relevant contracts, monitor service-level performance, and enforce flow-down obligations to subcontractors.
Clinical and operational integration
TEFCA impacts front-line clinical operations and patient engagement:
- Workflow design. Map clinical workflows for retrieving external records, reconciling data, and documenting patient consent. Ensure training materials illustrate TEFCA-enabled use cases like cross-network care coordination and public health reporting.
- Data quality management. Implement validation processes for incoming data, addressing duplicate records, mismatched identifiers, and terminology mapping. Coordinate with health information management teams to reconcile discrepancies.
- Patient education. Develop educational materials explaining TEFCA, data sharing benefits, and privacy protections. Provide channels for patients to manage preferences and submit complaints.
- Public health collaboration. Align TEFCA participation with state immunisation registries, disease surveillance, and emergency preparedness programmes, ensuring governance covers data sharing during outbreaks.
Operational readiness must include integration testing, go-live rehearsals, and feedback loops for clinicians to report issues.
Metrics and continuous improvement
Track TEFCA performance using measurable indicators:
- Number of networks, providers, and payers onboarded to TEFCA exchange.
- Query success rates, response times, and data payload completeness.
- Incident response metrics, including detection time and resolution time for security events.
- Patient satisfaction scores related to data access and interoperability services.
- Compliance metrics for information blocking requests fulfilled within required timelines.
Continuous improvement cycles should review metrics monthly, prioritise remediation, and share lessons with industry collaboratives such as the ONC Health Information Exchange Workgroup.
Regulatory alignment
Organisations must harmonise TEFCA activities with other federal regulations:
- Information blocking. Ensure TEFCA workflows support timely responses to requests for electronic health information under the 21st Century Cures Act. Document legitimate exceptions and maintain audit trails.
- CMS interoperability rules. Align TEFCA integration with CMS requirements for payer-to-payer data exchange, patient access APIs, and provider directory updates.
- State laws. Address state-specific consent, privacy, and data localisation rules, particularly for sensitive conditions and minors. Update TEFCA policies to reflect variations.
- Security frameworks. Map TEFCA security requirements to NIST Cybersecurity Framework and HITRUST controls to support certification and risk management.
Legal and compliance teams should monitor ONC FAQs, RCE bulletins, and evolving QHIN application guidance to stay current.
Forward look
The Sequoia Project plans phased onboarding of QHINs, followed by expansion of exchange purposes, testing requirements, and reporting obligations. Future TEFCA updates may introduce additional exchange modalities (e.g., population health analytics) and refine security expectations. Organisations investing early in governance, operational capabilities, and sourcing partnerships will be positioned to leverage TEFCA for care coordination, payer-provider collaboration, and public health resilience.
Key resources
- ONC TEFCA Resource Center
- Recognized Coordinating Entity (The Sequoia Project)
- TEFCA Common Agreement Version 1
Zeph Tech helps health networks operationalise TEFCA with interoperability readiness assessments, vendor governance, and real-time compliance analytics.