Wipfli logo
Insights - Articles, Blogs and on-demand webcasts

Articles & E-Books


How HITRUST will help keep the national health data exchange secure

Dec 04, 2022

The daunting task of bringing together disparate networks of electronic health information to create a secure national exchange accessible to patients, healthcare providers, health plans and other stakeholders took a major step forward at the beginning of 2022.

The final rule establishing the Trusted Exchange Network and Common Agreement (TEFCA) has enabled qualified health information networks (QHINs) to start getting certified. It’s the culmination of a multiyear effort incorporating one of the signature goals of the 21st Century Cures Act signed into law by President Obama in 2016.

Why is it so important? The increased interoperability of these records systems across platforms will give participants nationwide (yet well-protected) access to health information, while supporting better clinical decision-making and providing patients with more choices in their healthcare.

TEFCA’s mission

Developing the underlying framework was the responsibility of the U.S. Department of Health and Human Services Office of the National Coordinator for Health Information Technology. The agency summarized the mission of TEFCA in a statement: “The Common Agreement will establish the infrastructure model and governing approach for users in different networks to securely share basic clinical information with each other — all under commonly agreed-to expectations and rules, and regardless of which network they happen to be in.” 

TEFCA establishes a “network of networks” that will include various points of entry for a wide variety of stakeholders:

  • Health information networks
  • Health information exchanges
  • Individuals
  • Providers
  • Federal agencies
  • Public health agencies
  • Health plans and other payers
  • Health IT developers

The agreement includes support for treatment, payment, healthcare operations, individual access services, public health and government benefits determination.

HITRUST certification

Individuals and organizations need to seek QHIN designation under the terms of the framework. That process involves review and approval by the so-called recognized coordinating entity (RCE), The Sequoia Project. Those participants can meet TEFCA security requirements by obtaining HITRUST certification.

Indeed, HITRUST is the only assessment recognized by the RCE for participants to prove that they meet the security agreements laid out in TEFCA.

HITRUST certification will be important in providing information security assurances of QHINs and their participants and sub-participants. Establishing this foundation of security across all QHINs will address the broad needs of all constituents when sharing digital health information throughout the national network.

This means that for the first time, healthcare providers (groups and individuals) and health plans, who have never before had a compelling reason to seek HITRUST certification, will now need to pursue this objective as a prerequisite to participate in a QHIN. Because it’s a lengthy process, organizations shouldn’t delay in starting the process. The path to HITRUST certification can take nine to 12 months to complete.

If a potential participant already has achieved HITRUST certification, it should be less cumbersome overall, but the certification will still need to be reviewed carefully for compliance.

Demand for participating in TEFCA likely will be very high. It represents a critical development in improving access to health information, while maintaining security that will benefit the public and the organizations that serve them. It will reduce expensive, complex and duplicative information interfaces as it streamlines sharing across needs and platforms.

With a laser focus on data accuracy, privacy and security, the creation of this overarching health information network should reduce cost and time burdens on healthcare providers as it improves connectivity across organizations.

How Wipfli can help

Wipfli, a leading provider of HITRUST assessment services, can help your organization obtain the certification needed to achieve QHIN status or participate in a QHIN. Getting started promptly is important because of the length of the assessment process. Wipfli advisors have deep experience in guiding organizations through the complex process, as we have long been an authorized HITRUST External Assessor organization.

Contact us to learn more about our HITRUST consulting and certification services.

Sign up to receive additional security and risk mitigation information in your inbox, or continue reading on:


Paul J. Johnson, CPA
View Profile