TEFCA interoperability — First QHINs cleared to exchange nationwide

The Office of the National Coordinator for Health IT (ONC) and The Sequoia Project announced on January 18, 2024 that six organizations achieved Qualified Health Information Network (QHIN) status under the Trusted Exchange Framework and Common Agreement (TEFCA). The designations move TEFCA from planning into live operations, creating a single on-ramp for cross-network exchange that aligns with Cures Act information blocking and HTI-1 interoperability rules.

Healthcare providers, payers, and health IT vendors integrating with a QHIN must now map onboarding, testing, and privacy attestations to the Common Agreement and the QHIN Technical Framework (QTF).

Interoperability readiness checkpoints

• Participant agreements. Review QHIN terms to confirm permitted purposes, security event reporting timelines, and flow-down obligations to subparticipants, aligning them with existing Business Associate Agreements and HIPAA disclosure logs.
• Technical onboarding. Build FHIR R4 endpoints and brokered message services that satisfy QTF requirements for patient discovery, query, and message delivery, including IHE ATNA-style audit trails and system-of-record assertions.
• Privacy operations. Update consent workflows to respect federal and state restrictions on sensitive data (for example, 42 CFR Part 2) and ensure segmentation metadata persists across QHIN routing so downstream nodes can enforce restrictions.

Operational priorities for 2024

• Testing and validation. Schedule conformance testing with the Recognized Coordinating Entity (RCE), documenting error handling, availability SLAs, and security control mappings for SOC 2 or HITRUST evidence packages.
• Provider outreach. Communicate TEFCA participation, patient access options, and permitted uses to clinicians and patients, using HTI-1 decision support transparency templates to explain how exchanged data informs CDS outputs.
• Monitoring and incident response. Integrate QHIN security event reporting (required within 24 hours for certain incidents) into enterprise incident response plans, and run tabletop exercises simulating cross-network outages or data integrity issues.

What comes next

• Exchange purposes expansion. TEFCA initially supports treatment, individual access services, public health, and payment; ONC has signaled additional purposes and FHIR-based exchange obligations will follow as QHIN capacity matures.
• Alignment with CMS rules. CMS Interoperability and Prior Authorization rules will rely on FHIR APIs and payer-to-payer exchange that complement TEFCA, making data model harmonization a 2024 roadmap item for payers.
• Certification updates. HTI-1 certification conditions require transparency for decision support interventions and adoption of USCDI v4 by 2026, reinforcing the need to keep FHIR payloads and metadata consistent across TEFCA and certified EHR modules.

Source material

• ONC announcement of first six QHIN designations (January 18, 2024)
• Trusted Exchange Framework and Common Agreement resources from the RCE

Interoperability, privacy, and compliance leads should sequence TEFCA onboarding with HTI-1 timelines to minimize duplicate testing and evidence collection.

Implementation detail

Successful implementation requires a structured approach that addresses technical, operational, and organizational considerations. Organizations should establish dedicated implementation teams with clear responsibilities and sufficient authority to drive necessary changes across the enterprise.

Project governance should include regular status reviews, risk assessments, and stakeholder communications. Executive sponsorship is essential for securing resources and removing organizational barriers that might impede progress.

Change management practices help ensure smooth transitions and stakeholder acceptance. Training programs, communication plans, and feedback mechanisms all contribute to effective change management outcomes.

Compliance checking

Compliance verification involves systematic evaluation of implemented controls against applicable requirements. Organizations should establish verification procedures that provide objective evidence of compliance status and identify areas requiring remediation.

Internal audit functions play an important role in providing independent assurance over compliance activities. Audit plans should incorporate risk-based prioritization and coordination with external audit requirements where applicable.

Continuous compliance monitoring capabilities enable early detection of control failures or compliance drift. Automated monitoring tools can provide real-time visibility into compliance status across multiple control domains.

Third-party factors

Third-party relationships require careful management to ensure compliance obligations are properly addressed throughout the vendor ecosystem. Due diligence procedures should evaluate vendor compliance capabilities before engagement.

Contractual provisions should clearly allocate compliance responsibilities and establish appropriate oversight mechanisms. Service level agreements should address compliance-relevant performance metrics and reporting requirements.

Ongoing vendor monitoring ensures continued compliance throughout the relationship lifecycle. Periodic assessments, audit rights, and incident response procedures all contribute to effective third-party risk management.

Strategic factors

Strategic alignment ensures that compliance initiatives support broader organizational objectives while addressing regulatory requirements. Leadership should evaluate how this development affects competitive positioning, operational efficiency, and stakeholder relationships.

Resource planning should account for both immediate implementation needs and ongoing operational requirements. Organizations should develop realistic timelines that balance urgency with practical constraints on resource availability and organizational capacity for change.

Key metrics

Effective monitoring programs provide visibility into compliance status and control effectiveness. Key performance indicators should be established for critical control areas, with regular reporting to appropriate stakeholders.

Metrics should address both compliance outcomes and process efficiency, enabling continuous improvement of compliance operations. Trend analysis helps identify emerging issues and evaluate the impact of improvement initiatives.

What this means for business

This development carries significant strategic implications for organizations across multiple sectors. Business leaders should evaluate how these changes affect their competitive positioning, operational models, and stakeholder relationships. Early adopters who address emerging requirements often gain advantages over competitors who delay action until compliance becomes mandatory.

Strategic planning should incorporate scenario analysis that considers various implementation approaches and their associated costs, benefits, and risks. Organizations should also consider how their response to this development affects relationships with customers, partners, regulators, and other key stakeholders.

Operational approach

Achieving operational excellence in response to this development requires systematic attention to process design, technology enablement, and workforce capabilities. Organizations should establish clear operational metrics that track both compliance outcomes and process efficiency, enabling continuous improvement over time.

Operational processes should be designed with appropriate controls, checkpoints, and escalation procedures to ensure consistent execution and timely issue resolution. Automation opportunities should be evaluated and prioritized based on their potential to improve accuracy, reduce costs, and enhance scalability.

Oversight approach

Effective governance ensures appropriate oversight of compliance activities and timely escalation of significant issues. Organizations should establish clear roles, responsibilities, and accountability structures that align with their compliance objectives and risk appetite.

Regular reporting to senior leadership and board-level committees provides visibility into compliance status and supports informed decision-making about resource allocation and risk management priorities.

Adapting over time

Compliance programs should incorporate mechanisms for continuous improvement based on lessons learned, emerging best practices, and evolving requirements. Regular program assessments help identify enhancement opportunities and ensure sustained effectiveness over time.

Organizations that approach this development strategically, with appropriate attention to governance, risk management, and operational excellence, will be well-positioned to achieve compliance objectives while supporting broader business goals.

More on this topic

Further reading from our research library.

Data Strategy · Credibility 40/100 · July 13, 2022

ONC USCDI v3 Final Release

The U.S. ONC finalized United States Core Data for Interoperability (USCDI) v3 on 13 July 2022, expanding required health data classes and elements, prompting providers and health IT vendors to update data-exchange…

Data Strategy · Credibility 91/100 · October 28, 2025

Data Strategy — TEFCA

TEFCA’s FHIR roadmap targets national production exchange by 31 December 2025, so QHINs and participants must complete fourth-quarter certification, security attestations, and runbook testing ahead of the cutover window.

Data Strategy · Credibility 73/100 · December 12, 2023

Tefca First Qhins Designated

ONC and the TEFCA Recognized Coordinating Entity named the first Qualified Health Information Networks, opening nationwide exchange onboarding for 2024.

Data Strategy · Credibility 73/100 · August 26, 2024

Data Strategy — Healthcare interoperability

TEFCA's FHIR roadmap continues to evolve in 2024. The Trusted Exchange Framework and Common Agreement is pushing toward FHIR-based health information exchange. If you are building healthcare interoperability solutions…

Data Strategy · Credibility 73/100 · January 18, 2022

Data Strategy — Healthcare interoperability

TEFCA launched with its Common Agreement—a framework for nationwide health information exchange. If you are building healthcare integrations, this is the path toward interoperability without dozens of point-to-point…

Continue in the Data Strategy pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Data Strategy Operating Model Guide

  Design a data strategy operating model that satisfies the EU Data Act, EU Data Governance Act, U.S. Evidence Act, and Singapore Digital Government policies with measurable…

• Data Interoperability Engineering Guide

  Engineer interoperable data exchanges that satisfy the EU Data Act, Data Governance Act, European Interoperability Framework, and ISO/IEC 19941 portability requirements.

• Data Stewardship Operating Model Guide

  Establish accountable data stewardship programmes that meet U.S. Evidence Act mandates, Canada’s Directive on Service and Digital, and OECD data governance principles while…

Coverage intelligence

Published

January 18, 2024

Coverage pillar

Data Strategy

Source credibility

87/100 — high confidence

Topics

TEFCA · QHIN · FHIR · Healthcare interoperability

Sources cited

3 sources (healthit.gov, rce.sequoiaproject.org, iso.org)

Reading time

6 min

Source material

1. First six organizations designated as QHINs under TEFCA — Office of the National Coordinator for Health IT
2. Trusted Exchange Framework and Common Agreement (TEFCA) — The Sequoia Project
3. ISO 8000-2:2022 — Data Quality Management — International Organization for Standardization