CMS has inadvertently sown some confusion around what are now in my experience mostly being called ‘Trusted Payer Exchanges’ – the things that MA plans, Medicaid managed care plans, CHIP managed care entities, and QHPs in the FFEs will be required to join. (‘QHPs in the FFEs’ begs to be rapped – somebody give me a beat.)
In the proposed rule (CMS-9115-P) requiring such joinery, CMS uses the terms “trust network” (5x), “trusted network” (1x), “trusted exchange framework” (5x), “trusted exchange network” (8x), and their apparent lovechild, “trusted health information exchange network” (1x) all to mean the same thing.
But it is not at all clear whether that same thing is a health information network or a trusted exchange framework or both.
The Trusted Exchange Framework and Common Agreement (TEFCA) has defined for us all what a ‘trusted exchange framework’ is. Ever hear of one before that? Me neither. A trusted exchange framework is a network of networks, a federation of networks, with an overarching trust agreement.
In TEFCA, payers and providers can’t join it, only Health Information Networks that meet the bar of technical and legal criteria and are blessed as Qualified Health Information Networks. There are a few places in the TEFCA literature where the ‘framework’ is called a ‘network’, such as the title of page 9 of this presentation by Andrew Gettinger of ONC.
Based on the definition of ‘TEF’ in TEFCA, there are existing trusted exchange frameworks we have been calling other things.
Carequality is one:
The comprehensive Carequality Interoperability Framework consists of multiple elements, including legal terms, policy requirements, technical specifications, and governance processes, which operationalize data sharing under the previously approved Principles of Trust.
It is a hub-and-spoke architecture versus the peer-to-peer architecture laid out in TEFCA.
The California Trusted Exchange Network, CTEN, from the California Association of Health Information Exchanges, is another. Participants have to sign the California Data Use and Reciprocal Services Agreement. It is a very lightweight, ‘transport and content agnostic’ framework. (And it has been around a while – since at least 2014. Only one state away from me here in Oregon and I only kind of knew they had something until I started Googling ‘trusted exchange’.)
For those existing frameworks, it looks like providers large enough to have their own distributed networks may be able to join directly.
For the thing CMS is trying to mandate, the specific requirements are relatively modest:
The trusted exchange network must be able to exchange PHI, defined in 45 CFR 160.103, in compliance with all applicable state and federal laws across jurisdictions.
The trusted exchange network must be capable of connecting both inpatient EHRs and ambulatory EHRs.
The trusted exchange network must support secure messaging or electronic querying by and between patients, providers and payers.
Does the requirement assume ‘trusted exchange network’ and ‘trusted exchange framework’ and ‘trust network’ are all synonymous, and the requirement is actually demanding indirect participation in an exchange framework, essentially ‘join a HIN that interoperates with other HINs via some trusted network or framework?’
Or is just joining a HIN ok for now? And the requirements say nothing about the geographic scope. Would joining a regional HIN fit the bill? Is all of Utah already in like Flynn via UHIN?
As an MA payer do I have to support all my patients/members? All my providers? Only those who want to play?
Supporting ‘secure messaging or querying’ is like supporting ‘PVC pipes or water’. Messaging is an integration channel, like shared files, shared databases, and remote procedure calls. I understand CMS is talking about secure human to human messaging as in the Direct project. But if someone uses a ‘Direct’ message to ask a question and get a reply, how is that different from a query? (And frankly passing docs around via Direct, like you throw files around at work with IM, gives me the willies. Even if secure, it is hard to govern.)
The trusted exchange network must be capable of connecting EHRs…to what? If a payer goes through Door Number 2, secure messaging, how are EHRs ‘connected’?
Later, talking about TEFCA, the regulation throws a knuckle ball. Discussing payers’ responses to the draft TEFCA regulation advocating leveraging existing trust networks, CMS says – my italics – “we are considering proposing in the future an approach to payer to payer and payer to provider interoperability that leverages existing trust networks to support care coordination and improve patient access to their data.”
Does that mean in some future draft regulation? Or does it mean the current draft regulation? You know, like some people insist on saying ‘next Friday’ when clearly they mean ‘this Friday’? And if it means some future regulation, does that mean the current regulation is not about leveraging existing trust networks, but only…what, new trust networks?
And then later, talking about some potential future interoperability play where payers and providers exchange data about their overlapping populations – as if that were materially different somehow than the interoperability we have already been discussing, and not just an additional use case – CMS suggests this:
“[S]ome geographic areas might have regional health information exchanges that could coordinate such transmissions. Elsewhere, direct provider-to-provider and plan-to-plan exchange might be more appropriate. Plans could participate in direct exchange through existing trusted networks…”.
OK, I’m just picking on CMS now : ). Maybe I don’t have sufficient context to understand what they are advocating, and my concerns are specious. You tell me – comments are open : ).
What I do know is that legislating technology is a hard business. We are all getting better at it. And while I do think this regulation needs to be more precise, and more internally consistent, and hopefully we get that when all the comments are assimilated, I think the spirit of the regulation is clear even if the flesh is weak. Payers, cowboy up at the Interop Corral!
And consider this. Draw a picture in your mind’s eye of the fragmented landscape of current interoperability initiatives. Try to write some legislation that says ‘join any one of them’ without actually naming any of them, which is as prohibidado as the Fountain of Troy. You might end up where CMS did : )
But why is CMS driving this now, with TEFCA around the corner? Why force payers to get networked (in whatever form it turns out CMS means)? It might speak to a lack of coordination between ONC and CMS. But not only does the CMS reg explicitly call out their cooperation – “[we] are working with … (ONC) on this…” – it’s a two minute walk – three if they meet at the Starbucks down on D.
Version 2 of the TEFCA draft de-prioritized the use cases that serve payers (and consumer health solutions) in the interest of time-to-market in providing broad provider-to-provider EHR interoperability.
The CMS regulation will force MA payers (for all of their lines – no one will build a ‘my MA business only’ integration) to be well-staged for eventual inclusion in TEFCA. It will drive the payer and consumer use cases to a level of maturity which will port over to TEFCA. So ‘trusted payer exchanges’ are directionally consistent with TEFCA, even if at first blush they appear otherwise.
It will also do that good stuff CMS lays out in the reg – “improve patient access to data, reduce provider burden, and reduce redundant and unnecessary procedures”.
The lack of clarity could be a blessing in disguise. If we are left to interpret the cryptic oracle that is the regulation, we have an opportunity to drive innovation around interoperability, potentially unconstrained by backwards-compatibility with older standards and technologies.
Stay tuned.
Health IT Architect 