TEFCA Onboarding: How the ONC Plans to Strengthen Security and Provider Gatekeeping

The U.S. Government is moving to tighten the gatekeeping process for the Trusted Exchange Framework and Common Agreement (TEFCA), responding to mounting pressure from healthcare providers over data security and patient privacy. Thomas Keane, MD, MBA, the National Coordinator for Health IT, has confirmed that new, more rigorous TEFCA onboarding requirements and vetting procedures are currently under development to ensure that only appropriate entities gain access to the network.

The move comes as health systems express growing apprehension regarding the criteria used to vet participants before they can access the nationwide health information exchange. The push for stricter oversight reached a critical point when 40 health systems formally wrote to the Sequoia Project, the Recognized Coordinating Entity for TEFCA, calling for more stringent onboarding protocols to protect sensitive medical data.

For providers, the stakes are high. While the goal of TEFCA is to streamline the exchange of electronic health records (EHR) across different networks, the openness of the system creates perceived vulnerabilities. Dr. Keane has acknowledged these concerns, stating that the government is taking provider feedback seriously and is actively introducing additional requirements and vetting procedures to both TEFCA and the Qualified Health Information networks (QHINs).

As a government-administered network, TEFCA possesses a unique advantage over private health information exchanges: the power of federal enforcement. Unlike private sector agreements, which may rely on contractual disputes, the government can employ a suite of legal and regulatory tools to punish fraudulent behavior or inappropriate data exchange.

The Enforcement Edge: Why Government Administration Matters

A central point of the current policy shift is the distinction between private networks and a government-backed framework. Dr. Keane has emphasized that because the government serves as the administrator for TEFCA, it has access to enforcement tools that private entities simply do not possess. This administrative role allows for direct coordination with high-level federal legal and regulatory bodies.

The Enforcement Edge: Why Government Administration Matters

To ensure the integrity of the network, the National Coordinator’s office coordinates regularly with the Office for Civil Rights (OCR), the Department of Justice (DOJ), and the Office of General Counsel. This inter-agency approach means that if fraudulent exchange purposes occur or if there is inappropriate behavior on the network, the government can take decisive corrective action.

all TEFCA agreements are not mere guidelines. they are legally binding assertions of appropriate exchange purposes. This legal framework provides a foundation for accountability, ensuring that any entity participating in the network is legally committed to the security and privacy standards mandated by the federal government.

Leadership at the Helm: Who is Dr. Thomas Keane?

The direction of U.S. Health IT is currently being shaped by a leader with a rare blend of technical and clinical expertise. Dr. Thomas Keane serves as the ninth National Coordinator for Health IT. His background is uniquely suited for the complexities of TEFCA, as he is both a physician and an engineer.

Before his current appointment, Dr. Keane worked as an enterprise software engineer and a finite element software developer, providing him with a deep understanding of the underlying architecture of health information systems. He later trained as an interventional radiologist, giving him a first-hand perspective on how data availability—or the lack thereof—impacts patient care in a clinical setting.

Dr. Keane’s experience within the Department of Health and Human Services (HHS) is extensive. He previously served as a Senior Advisor to the Deputy Secretary of HHS and held a critical role as an administrator of the COVID-19 Provider Relief Fund. He led the development of the AHRQ National Nursing Home COVID Action Network, demonstrating a career-long focus on utilizing data to manage public health crises.

Addressing the Privacy Gap in Health Information Exchange

The tension surrounding TEFCA onboarding reflects a broader struggle in modern medicine: the balance between interoperability and privacy. Interoperability—the ability of different systems to communicate—is essential for reducing medical errors and eliminating redundant testing. However, when the “gates” to this data are perceived as too wide, providers fear that patient privacy may be compromised.

The current initiative to strengthen vetting is designed to close this gap. By introducing stricter requirements for onboarding, the ONC aims to provide health systems with the confidence that the entities they are exchanging data with have been rigorously screened. This is particularly vital as the network expands and more QHINs integrate their participants.

Key Takeaways for Health Providers

  • Stricter Vetting: The ONC is developing additional requirements for onboarding to TEFCA to address security concerns raised by providers.
  • Federal Oversight: TEFCA’s government administration allows for enforcement via the DOJ and OCR, offering a level of accountability not found in private networks.
  • Legal Accountability: Participation in TEFCA involves legally binding assertions regarding the appropriate purpose of data exchange.
  • Clinical-Technical Leadership: The strategy is being led by Dr. Thomas Keane, who brings experience as both a software engineer and an interventional radiologist.

What Happens Next?

The development of these additional vetting procedures is an ongoing effort. The National Coordinator’s office is currently in the process of introducing these new requirements to TEFCA and the various QHINs. While specific deadlines for the rollout of the new onboarding rules have not been detailed, the commitment to “hearing” and acting upon the concerns of the 40 health systems indicates a priority shift toward security-first interoperability.

Healthcare administrators and IT leaders should monitor official updates from the Office of the National Coordinator for Health IT (ONC) regarding the specific nature of the new vetting requirements and how they may impact the onboarding timeline for new participants.

Do you believe stricter government vetting will resolve provider privacy concerns, or is the risk inherent in any large-scale exchange? Share your thoughts in the comments below.

Leave a Comment