
AHA calls for TEFCA individual access SOP delay, citing patient privacy concerns

The AHA asserted that the proposed individual access SOP, with new patient-matching and consent rules, may risk patient privacy through data misattribution or unauthorized access.

The American Hospital Association published a letter to The Sequoia Project asking it to delay implementation of the TEFCA Individual Access Services Exchange Purpose Standard Operating Procedures version 3.0. The association cited patient privacy concerns, saying it could expose hospitals to data breaches and patient misidentification. Currently, the IAS XP SOP has an implementation deadline of Aug. 1, 2027. 

In its letter to Mariann Yeager, CEO of The Sequoia Project, the AHA acknowledged the importance of data interoperability and highlighted the value of TEFCA in supporting better patient safety and continuity of care.  

What's more, the AHA noted that its members recognize that IAS -- the pathway that enables patients to request their records through Qualified Health Information Networks rather than hospital portals -- can help patients make more informed decisions and promote engagement.  

"At the same time, the protection of patient data is foundational to patient trust in the health care system and, as such, the government has codified, through statute and regulation, actions certain entities must take to ensure such protection," the AHA stated.  

"Thus, any efforts to foster data exchange must be balanced with the existing statutory obligations to protect patient data." 

The AHA asserted that the proposals in the IAS XP SOP "do not contend with the statutory and regulatory obligations of hospitals and health systems to protect patient data," creating potential compliance and liability risks.  

The AHA instead recommended either establishing a safe harbor for providers who use this SOP for an IAS request or developing regulations that align the proposal with HIPAA. 

Understanding the IAS XP SOP proposal 

Digital health tools and apps can become IAS providers under TEFCA, enabling patients to use the apps of their choice to obtain copies of their medical records from TEFCA participants. This workflow is similar to how individuals can connect their bank and credit card accounts to a personal finance app to manage their budgets, Epic noted in a blog post. 

The IAS provider must sign a contract with a QHIN to become a TEFCA participant.  

The IAS XP SOP proposals in question outline the specific requirements that IAS providers are required to follow for individual identity verification when sending an IAS query, as well as identifying when a QHIN, participant or subparticipant is required to respond to an IAS query.  

Typical IAS workflows entail identity verification, patient matching and patient consent. 

The proposed IAS XP SOP contains three approaches for entities within the TEFCA ecosystem to respond to IAS requests, touching on all three components of the IAS workflow: 

  • Response Approach 1: Requires responding entities to respond to IAS requests through a FHIR credential-based login flow, with specified demographic fields used for patient matching. 

  • Response Approach 2a: Requires responding entities to respond to any valid IAS request when the IAS provider has provided the new "TEFCA IAS Consent," or TIC, flow, which verifies that the individual has consented to use the IAS. 

  • Response Approach 2b: Requires the responding entity to respond to IAS requests when the entity has determined a match consistent with its response policy, which may include fewer demographic fields or responding without requiring the TEFCA IAS Consent flow. 

These three approaches -- credential-based, consent-based or policy-driven -- were designed to support TEFCA's goals of information exchange while promoting flexibility and privacy. 

The AHA's stance 

The AHA argued that the proposed SOP relies on "untested consent and patient matching components, presenting significant compliance risks for responding nodes that are covered entities." 

Additionally, the AHA suggested that the Aug. 1, 2027, deadline does not provide enough time to build and test functionality and integrate workflows.  

"Approaches 2a and 2b reference a new proposed TIC process, whereby the third-party app would validate and verify that the individual has consented to use the IAS. TIC workflows do not currently exist and have not been tested," the AHA noted.  

"Most significantly, the proposed process has not been reconciled with the legal and regulatory obligations for responding nodes that are covered entities to verify requests for access and use of data." 

The AHA asserted that the TIC approaches could prevent providers from verifying the identity and authority of third-party entities requesting data, possibly putting them at risk of HIPAA violations. What's more, the proposals do not specifically address local privacy and consent requirements, which may vary by state. 

The AHA also took issue with the patient-matching methodologies in the IAS SOP workflow, which would require manual entry of demographic data fields and could, it said, lead to patient misidentification or data theft. 

The AHA urged The Sequoia Project to work with regulators to create a statutory safe harbor that protects providers from liability for disclosures completed via these IAS approaches. Rather than move forward with the proposals as written, the AHA encouraged The Sequoia Project to issue requests for information and seek feedback from key stakeholders before finalizing the guidelines. 

"Should the Sequoia Project move forward with proposals without addressing these risks, we are concerned that providers will be disincentivized from participating in TEFCA, given these significant legal, compliance and patient care concerns," the AHA said. 

Jill Hughes has covered health tech news since 2021.
