February 20, 2018 Donald Rucker, MD National Coordinator for Health Information Technology US Department of Health and Human Services 330 C Street, SW Washington, DC 20201 Dear Dr. Rucker: On behalf of the Healthcare Information and Management Systems Society (HIMSS), we are pleased to provide comments to the Office of the National Coordinator for Health Information Technology (ONC) in response to the Trusted Exchange Framework and Common Agreement (TEFCA) Draft Guidance. HIMSS appreciates the opportunity to leverage our members’ expertise in offering feedback on the Framework, and we look forward to continued dialogue with ONC on interoperability within the healthcare IT community, especially around implementation of the various provisions included in the 21st Century Cures Act (Public Law 114 -255). HIMSS is a global voice, advisor, and thought leader of health transformation through health information and technology with a unique breadth and depth of expertise and capabilities to improve the quality, safety, and efficiency of health, healthcare, and care outcomes. HIMSS designs and leverages key data assets, predictive models and tools to advise global leaders, stakeholders, and influencers of best practices in health information and technology, so they have the right information at the point of decision. HIMSS drives innovative, forward thinking around best uses of information and technology in support of better connected care, improved population health, and low cost of care. HIMSS is a notfor-profit, headquartered in Chicago, Illinois, with additional offices in North America, Europe, United Kingdom, and Asia. HIMSS remains committed to assisting ONC in supporting and educating all stakeholders to achieve widespread interoperability leading to information exchange that improves the quality and cost effectiveness of healthcare delivery. The release of the HIMSS Call to Action: Achieve Nationwide, Ubiquitous, Secure Electronic Exchange of Health Information last fall reinforces our thought leadership on and commitment to these topics. When discussing the move toward a learning health system, it is also important to emphasize the importance of health information exchange and interoperability. We will continue to leverage our resources and diverse membership to ensure all individuals and communities have access to the tools necessary to share health information in a secure and appropriate manner. HIMSS appreciates the work undertaken by ONC and its stakeholders to create this draft guidance document. The effort to minimize the point-to-point interface agreements required in the long-term and the flexibility for providers to find the right exchange network that supports their care delivery model needs is the right approach. The overall concept underlying TEFCA is pushing our nation in the appropriate direction of enabling providers and communities to deliver smarter, safer, and more efficient care; promoting innovation at all levels; and, achieving a system where individuals are at the center of their care and where providers have the ability to securely access and use health information from different sources. For our public comment, HIMSS offers the following thoughts and recommendations on creating a Trusted Exchange Framework and Common Agreement: • Revise the Proposed Trusted Exchange Framework Requirements for Qualified Health Information Networks (QHINs) to Ensure the Community Capitalizes on the Current Efforts Underway Across Existing Interoperability Exchanges, Networks, and Approaches HIMSS proposes to maintain the role of the Recognized Coordinating Entity (RCE) and its current duties in the proposal, but would like to see changes around what is required of QHINs as well as the eligibility requirements for QHINs. We endeavor to find a path forward that allows existing interoperability exchanges, networks, approaches, and frameworks to largely continue to function under their existing business models, qualify as QHINs, and have them report to the RCE as the primary oversight mechanism of TEFCA. Today, there is significant momentum being built across the community to support broader nationwide exchange. All of the major interoperability approaches ONC identified as part of the process to implement 21st Century Cures have made considerable progress in building the reach of their networks, increasing collaborations/partnerships with other approaches, and enhancing the services that they offer to providers and other interoperability participants. However, HIMSS is concerned that the community will not be able to maintain the current upward trajectory of nationwide interoperability if these entities have to make significant adjustments to their workplans to become QHINs under TEFCA. While the proposed guidance acknowledges that the provisions laid out in the Trusted Exchange Framework will necessitate networks to modify parts of their existing participation agreements and trust frameworks to support the move to QHINs, these modifications in the proposed guidance would be a significant, resource-intensive undertaking for current networks. In addition to modifying agreements, there are several other steps that current networks will have to take to become QHINs. As the community learned in the push to meet technology requirements in the Medicare and Medicaid Electronic Health Records Incentive Programs, building or changing technology to meet government standards can lead to impeded innovation and stifled progress. HIMSS aims to avoid creating new obstacles in the push to nationwide interoperability through TEFCA. ONC should also change expectations around what is the ideal overall manageable number of QHINs reporting to the RCE. ONC Leadership has stated how they expect only a small number 2 of QHINs to come into existence. However, as ONC considers granting additional flexibilities to QHINs, it should also think about how many QHINs should ultimately be established. In terms of capitalizing on what’s working across the data exchange landscape today, there may be less disruption across the community if ONC relaxed QHIN requirements, as well as sought the creation of more QHINs. HIMSS encourages ONC to build and capitalize on the role of current interoperability exchanges, networks, approaches, and frameworks in the TEFCA guidance. Rather than mandating major modifications to these entities in order to become QHINs, ONC should provide more flexibility around what qualifies as a QHIN. More closely aligning QHIN requirements with current exchange structures can still enable providers and patients to have a single “on-ramp” to exchange, under the appropriately-established guardrails from ONC and the RCE. • Reinforce the Role of the RCE but Phase-In the Move to Full Implementation of the Framework HIMSS supports the premise of creating a robust RCE that has oversight, governance, transparency, and representation responsibilities for the Framework overall and creation of the Common Agreement. Under the scenario that HIMSS has outlined, the RCE would be responsible for working with QHINs that largely continue to function under their existing business models, and ensure that they are working closely together in the push to nationwide interoperability. Many of the implementation timelines in the framework guidance and the US Core Data for Interoperability (USCDI) will be challenging. HIMSS would like to ensure that the RCE adopt a distributed governance model that relies on the participation of representatives from all the modified QHIN entities working under the Framework to specify the “rules of the road” for participation under the RCE structure. Further, the Framework should specify what the timelines should be in moving toward adoption of a Common Agreement. HIMSS notes that this proposed phase-in is inline with the language from 21st Century Cures about pilot testing a framework prior to full implementation. The RCE should also work on facilitating even greater partnerships and collaborations across all the modified QHIN entities to ensure that the community is moving toward the single “on-ramp” approach that eases the burden of exchange participants and allows for innovations to continue to develop. Such an approach should minimize disruption while not derailing the current innovative efforts underway across the community. In addition, the approach should provide an oversight mechanism for the RCE to monitor the market, as well as ensure that modified QHIN entities continue to collaborate and meet the needs of their participants. HIMSS wants to ensure that the process to create a Common Agreement is open and transparent. Further, this is creation process occur soon after the selection is made of an RCE. HIMSS sees the Common Agreement as a dynamic, foundational document that provides the basis for the implementation of the entire Trusted Exchange Framework; as a result, finalizing it is critical to the success of the entire enterprise. In addition, so that the RCE evolves based upon feedback from the modified QHIN entities, participants, and end users, the RCE should set up a formal, comment process to review the Common Agreement periodically. This will ensure all stakeholders have a voice in any future revisions. Moreover, HIMSS recommends that ONC and the RCE include standards and technical guidelines in use case specific implementation guides incorporated by reference into the Common Agreement, rather than integrating them into the Common Agreement itself. For example, when a standards change is necessary, the applicable implementation guide could be updated rather than having to revise any legal provisions in the Common Agreement. HIMSS supports the idea of the Common Agreement as a durable legal agreement that does not require frequent revision. Overall, HIMSS emphasizes that TEFCA itself should not explicitly recommend or reference specific standards or standards bodies. Standards continue to evolve as innovation occurs. As a result, specific standards or their implementation guides should be referenced in an addendum to the Common Agreement. Otherwise, we are limiting further standards development and innovation from across the community. As the RCE finalizes work on the elements for a Common Agreement and begins to monitor modified QHIN entity compliance with the Common Agreement, it should take public action to address any non-conformities with the Common Agreement. It is also important to emphasize that the RCE should create a forum to gather, identify, and share best practices for technical standards and formats. After being selected, we envision the RCE will pivot to learning mode; that the RCE will facilitate the sharing of different ideas, approaches, and success stories, and build on stakeholder expertise from across the community about how nationwide interoperability should be achieved within the Framework. Another opportunity to phase-in these provisions is around the idea of the permitted purposes in TEFCA. ONC should consider whether the community should focus on the following initial purposes: treatment, healthcare operations, and public health. Other permitted purposes can be phased-in as the Framework matures. As previously discussed, HIMSS would like to see TEFCA create a system where: (a) existing interoperability approaches largely continue to function under their current participation agreements in order to limit disruption; (b) qualify as QHINs; (c) and, report to the RCE about their capabilities, trust and operational practices, and the technical standards that they are employing to ensure that there is more oversight than exists today. The RCE would also work to encourage collaboration between modified QHIN entities and other stakeholders that are considering whether to work under the framework structure. Finally, HIMSS encourages the new RCE and its governing council to conduct a gap analysis to determine where resources should be leveraged to advance nationwide exchange. If there is a gap in a region or for a particular care setting, HIMSS expects the RCE would work with community stakeholders to facilitate the creation of a new modified QHIN to address gaps. • Ensure that the Appropriate Regulatory Policy Levers are in Place to Support the Framework and Its Goals Given the voluntary nature of TEFCA, HIMSS endorses the idea that future regulatory policy levers utilize the Framework to support its goals and increase the long-term sustainability of the Framework overall. For example, we encourage ONC and the HHS Office of the Inspector General to leverage the Framework in the upcoming proposed regulation on the 21st Century Cures Act Information Blocking provisions to incentivize more participants to share data in alignment with the Framework. TEFCA provides a foundation for the actions that will likely be required in the upcoming proposed rule and creates the business case for providers to get fully on board as modified QHIN entities and/or exchange participants. • Focus the Initial TEFCA Broadcast Queries on a Smaller Set of USCDI Data Classes HIMSS recognizes the value of USCDI and the 22 data classes identified in the draft guidance and aspires to an environment where exchange participants have all 22 data classes available and ready to share. In order to increase the likelihood of engagement, we recommend a phased-in approach. We encourage ONC to consider including provisions for a smaller initial data set in response to a broadcast query. Rather than requiring each query to share the 22 data classes, ONC should consider a system where the clinician requesting the information determines which data classes they would like to receive for a particular patient. Such a “checklist” from the requestor would ease the administrative burden on participants as they begin to work under the TEFCA Framework, and allow them to receive the data that they can use and that fits into their workflow. Some clinicians may only want patient name (and other identifying characteristics), vital signs, medication list, allergy list, and, problem list, while others may also want clinical notes. For example, if the clinician is dealing with a particularly complex case, they may request more rather than less information. It is also important to note that an initial limited sharing set would also help abide by the “minimum necessary” provisions in the Health Insurance Portability and Accountability Act (HIPAA) of 1996. As exchange increases under TEFCA guidelines, there could be future conditions where more data classes are required to be shared. The RCE, in conjunction with ONC as well as the modified QHIN entities that have chosen to work within the Framework, would all work together to agree upon what the future data classes should be, as well as when revisions to the sharing set are warranted. HIMSS is also supportive of the proposed USCDI expansion process and identifying the candidate and emerging data classes well in advance of when such a data class would formally be part of the USCDI. However, the aggressive timelines that are included in the draft guidance around the USCDI and when it is initially implemented, as well as how it will be continually updated, needs further review from ONC. More preparation time to ensure that the technical specifications are in place for each data class is welcome—and HIMSS appreciates ONC’s description that the technical work on a specific data class could take 12-24 months to complete. The timelines identified in the USCDI for release of a candidate class in 2019 should be reviewed carefully as TEFCA implementation moves forward. As TEFCA proceeds, the process for an initial candidate class expansion may well stretch into 2020 or beyond. In addition, HIMSS identified several data classes that ONC and the RCE should consider for prioritization when a candidate class is considered: pediatric vital signs; imaging reports, along with an accompanying context for that report (encounter, diagnosis, hospitalization); and, sexual orientation and gender identity demographic data. The TEFCA Guidance also includes the idea that QHINs must have policies and procedures in place to allow a patient to withdraw or revoke his or her participation in the exchange of his or her electronic health information on a prospective basis. HIMSS supports this provision, and asks that patients have the right to establish privacy restrictions around certain data class information that cannot be shared through a broadcast query without the patient’s authorization. There could be a scenario where a patient wants to share information in general, but does not want to allow the sharing of certain data classes or data elements. Patients should have the right to keep some of their information private, while sharing other elements of their electronic health information more broadly. • Coordinate the Annual Review Processes for USCDI and the Interoperability Standards Advisory HIMSS endorses the idea of ONC’s Interoperability Standards Advisory (ISA) and the publication of an annual update of the best available standards and implementation specifications. As the USCDI also identified an annual process for determining candidate and emerging data classes, HIMSS suggests that ONC coordinate the two annual reviews since there are significant interdependencies between ISA and USCDI. Each process is critical to enabling nationwide interoperability. Therefore, ONC should ensure that the standards and technical specifications provided by USCDI match up to ISA’s best practice standards for sharing data. • Provide Additional Information Related to the Expected Costs and Fees for All Stakeholders More guidance is needed from ONC on the expected costs and fees for participation in the TEFCA structure. Such information is critical for creating the value proposition for each stakeholder that is considering joining a network and exchanging data. The TEFCA Guidance includes definitions of fees, reasonable allowable costs, and attributable charges, but lacks specificity on what participants should expect as they implement/purchase exchange solutions. HIMSS is asking ONC to create guidelines and tools so participants can understand what is going to be required of them to make this investment and participate in the TEFCA Framework. The TEFCA Guidance is on the right path with the provision about the publication of a fee schedule by QHINs in the framework 15 days after signing the Common Agreement, but more cost information is needed for all stakeholders to move in that direction as participants weigh whether to join an exchange network. Although HIMSS is supportive of this idea of cost transparency associated with data exchange, ONC should ensure that cost-related reporting is workable for modified QHIN entities and in a useable format for TEFCA participants. In addition, HIMSS recommends that ONC structure TEFCA to make allowances for safety net providers that may not be as well-resourced as other participants. The community needs to ensure that these providers are able to share/receive data and that incentives are in place to encourage participation. • Ensure the Appropriate Privacy and Security Considerations are in Place under TEFCA HIMSS supports the TEFCA Principle focused on the secure exchange of electronic health information and in a manner that promotes patient safety and ensures data integrity. QHINs also need to ensure the confidentiality and availability of electronic health information— in addition to the integrity of such information. It is important to emphasize that integrity goes beyond just patient matching and making sure that the patient data is up-to-date prior to exchange; from an information assurance perspective, integrity means that the data is not tampered with, nor modified, without authorization. For example, data may be tampered or modified without authorization by an insider threat actor (out of negligence or intentionally doing so), by an external threat actor, or by a combination of both insider threat and external threat actors. Data may also be destroyed or corrupted without authorization. In addition, as TEFCA focuses on the availability of electronic health information for sharing, ONC should consider clarifying what it means for data to be “available”. Such information could potentially be unavailable to the network in the event of a denial of service attack against a vulnerable application or resource. Such information may be unavailable to the extent that a resource and/or application is not working properly or undergoing maintenance. Moreover, HIMSS asks ONC for clarification on the appropriate standards that modified QHIN entities should use to ensure providers and organizations participating in exchange have confidence the appropriate consent or written authorization was captured prior to the exchange of electronic health information. As ONC discusses in the draft guidance, the HIPAA Rules do not have a consent requirement: there could be other state and federal laws that apply, and require patient consent. To move towards nationwide exchange, we need more clarity in TEFCA around how ONC expects modified QHIN entities to ensure consent was captured. • Develop and Test Other Standards for Batch Queries HIMSS is supportive of the Population Level Data Use Case outlined in the draft guidance. However, we ask that ONC provide some clarity around the standards that need to be in place to do batch queries for this use case. The standards specified in the draft guidance are not designed for large-scale transfers. ONC posits that 12 months after the applicable standard is adopted by HL7, QHINs should be ready to exchange patient data. Overall, that timeline may be too challenging to meet. Broadly speaking, the premise of the Population Level Data Use Case should undergo further review until the appropriate standards are in-place. In addition, HIMSS reiterates that TEFCA should not specifically or explicitly recommend or reference specific standards or standards bodies. Standards continue to evolve and innovation continues to occur. As a result, specific standards or their implementation guides should be referenced in an addendum to the Common Agreement. Otherwise, we are limiting further standards development and innovation from across the community. • Provide More Patient Matching, Identity Proofing, and Authentication Resources in TEFCA HIMSS has identified several challenges related to patient matching in the TEFCA draft guidance. Although stakeholders understand there are many useful technologies for patient matching, there are concerns across the community about how a network or participant that has its own patient matching algorithm with its own parameters, may miss patient records at a partner that is using a different algorithm. For this reason, HIMSS is asking that ONC work with the RCE to create more resources for modified QHIN entities and participants related to patient matching that would help mitigate some of these issues. Helpful tools would include the different approaches that a network could take toward matching, lessons learned, testing of different methods, and benchmarking evaluations. Overall, HIMSS wants to ensure that TEFCA presents a robust strategy where patients are accurately identified and privacy is protected. In addition, HIMSS recommends requirements around demographic data in support of patient matching be specified in an RCE addendum rather than formally included in the Common Agreement document. Including specificity around requirements in the RCE documents would provide more long-term flexibility to the community overall. • Present the Nebraska Health Information Initiative as a Model State Prescription Drug Monitoring Program and Opioid Use Case In the TEFCA Guidance, ONC raises several questions, including: how a single on-ramp to data could work to support broader uses for access and exchange of prescriptions for controlled substances contained in Prescription Drug Monitoring Programs (PDMPs); and, whether there is an existing entity or entities positioned to support the opioid use case directly. The work underway in Nebraska helps to answer both questions and highlights the convergence of an active state health information exchange and favorable state laws to enable these projects to proceed optimally. Nebraska was the first state to require reporting of all dispensed prescription drugs to the PDMP. As a result, it became a comprehensive tool for all providers in the state to make more informed decisions. The PDMP also has an alert notifying the provider if the patient has received high dosages of opioids in the past seven to 30 days, which could signal a higher risk for adverse events like a possible overdose. The state also requires that the Nebraska Health Information Initiative’s (NeHII’s) exchange and the PDMP are hosted on the same platform, easing the coordination between the two technologies. The state has also worked with NeHII to ensure that the state PDMP is user-friendly and accessible. More specifically on the opioid issue, Nebraska has advanced prescription drug overdose prevention initiatives, including an opioid prescribing resource for providers and a federal grant focused on opioid response. The Nebraska Pain Management Guidance Document promotes consistent, safe and effective pain management standards for Nebraska prescribers. Although not a requirement, it is a voluntary tool for clinicians to use to treat acute pain, chronic pain, and non- opioid options for pain treatment, treat pain in special populations, and opioid tapering/discontinuation. In terms of an opioid response, Nebraska received a $2 million grant from the Substance Abuse and Mental Health Services Administration that provides critical funding for targeted training on the complexities of opioid use and invests in evidence-based prevention and treatment interventions. Overall, HIMSS encourages ONC to look to Nebraska, and the work occurring there, for model practices and use cases for PDMP-exchange coordination and opioid-specific advances. HIMSS is committed to be being a valuable resource to ONC and the entire community to help enable nationwide interoperability. We welcome the opportunity to meet with you and your team to discuss our comments in more depth. Please do not hesitate to contact Jeff Coughlin, Senior Director, Federal & State Affairs, at 703.562.8824, or Eli Fleet, Director, Federal Affairs, at 703.562.8834, with questions or for more information. Thank you for your consideration. Sincerely, Denise W. Hines, DHA, PMP, FHIMSS CEO eHealth Services Group Chair, North America Board of Directors Harold F. Wolf III President & CEO HIMSS