TEFCA compliance for digital health companies: a guide to identity proofing
In 1996, the US signed the Health Insurance Portability and Accountability Act (HIPAA) into law. One of the government’s chief goals was to safeguard sensitive patient data and protected health information (PHI) from unauthorized disclosure.
While these protections were critical, HIPAA compliance requirements (alongside already-fragmented electronic health record systems) have led to ongoing data silos across healthcare. These silos make it difficult to share patient records within and across networks or to coordinate care, which can lead to missed diagnoses, lawsuits, and even significant fines.
Addressing these challenges requires making it easier for patient data to move securely across providers and networks, all without compromising privacy. In this article, we’ll discuss how healthcare organizations can create a more connected and modern healthcare experience for patients via TEFCA with identity proofing.
What is TEFCA?
The Trusted Exchange Framework and Common Agreement (TEFCA) is a national framework for sharing electronic health data in the US. Its primary goal is to make it easier to safely share health records. This includes patients accessing their own data or sharing it with providers, as well as providers exchanging records with each other.
Crucially, TEFCA enables sharing across different networks. In other words, records can move between systems, effectively removing the data silos discussed above. To enable this, TEFCA provides clear standards, legal terms, and governance.
How TEFCA works
Often described as a “network of networks,” TEFCA makes it possible for multiple networks to connect and share patient health records seamlessly and nearly instantly.
To understand how it works, it’s important to define the key players in this network. We’ve provided a brief outline in the table below:
| TEFCA network player | Who they are and what they do |
|---|---|
| Qualified health information networks (QHINs) | QHINs are large intermediary networks that enable different healthcare organizations and health information networks to exchange data with one another. They power TEFCA’s information exchange. Examples include eHealth Exchange, Epic Nexus, Oracle Health, and CommonWell Health Alliance. |
| Participants | A participant is any organization that connects to a QHIN. This could include public health agencies, health systems, and hospitals. By connecting to a QHIN, participants make their patient data available for sharing via TEFCA. |
| Individual Access Service (IAS) providers | IAS providers are the personal health applications, like digital health and telehealth platforms, that provide an interface for patients to access or authorize the sharing of their own health records via TEFCA. |
| Credential Service Providers (CSPs) | Credential Service Providers (CSPs) are trusted entities that have been approved by the Kantara Initiative or DirectTrust to perform identity proofing and to issue identity tokens to IAS providers. Approved CSPs that are currently providing identity proofing services to IAS providers include Persona, Clear, and ID.me. |
To connect to a QHIN as a participant or subparticipant, an IAS provider must have an agreement with an approved CSP. This CSP performs identity proofing whenever an individual accesses or shares health data. Identity proofing must adhere to NIST IAL2 guidelines.
An example TEFCA exchange
To show how a TEFCA exchange works, imagine that John Doe moves from California to Texas and needs to see a new provider. Without a framework like TEFCA, John would ordinarily need to request his medical records from his previous provider and wait for them to be transferred. It’s a lengthy process that often takes days or even weeks.
With TEFCA, John could instead use a digital health app powered by an IAS provider to access his health records. Before accessing sensitive health information, John would first complete an identity verification to prove he is who he claims to be.
Once verified, the IAS provider can request John’s medical records through its connected QHIN. The request is then securely routed between QHINs to other participating organizations (e.g., his previous hospital in California) where John’s prior medical history resides.
QHINs exchange the data on behalf of their respective participants (such as hospitals or health systems), allowing John’s new provider in Texas to quickly retrieve the information they need.
To make this possible, the IAS provider must first verify that John is who he claims to be before granting access to sensitive health data. This identity proofing step, performed by a CSP, ensures that only the right individual can access and share that information.
Information required for identity proofing under TEFCA
Under TEFCA, CSPs are required to verify, at a minimum, the following information for each individual:
- First name
- Last name
- Date of birth
- Address
- City
- State
- Zip code
TEFCA also specifies additional elements that must be included if known, including:
- Historical addresses
- Middle name or initial
- Sex
- Suffix
- Email address
- Mobile phone number
- Social Security number (SSN) or last four digits
- Zip code+4
- Other identifiers (such as a medical record number, passport number, driver’s license, or other government-issued ID)
How to achieve NIST IAL2 for identity proofing
NIST’s identity assurance levels (IALs) are standards that measure confidence in a person’s claimed identity. Meeting IAL2 means that identity must be verified, not simply asserted.
Verifying identity involves a few key steps:
- Evidence collection: Meeting IAL2 requires collecting evidence of a person's claimed identity, such as a passport or driver's license. NIST rates evidence by strength, such as “superior” or “strong.” The higher the quality, the fewer pieces of evidence required.
- Validation: Once collected, evidence must be validated to ensure that it is legitimate and isn’t forged, tampered with, or otherwise fraudulent. Validation involves inspecting evidence for physical and digital security features, then cross-checking the identifying details against an issuing or authoritative data source.
- Biometric comparison: After validation, the evidence must be bound to the person claiming the identity, typically via some form of biometric comparison. A common method is to have the user capture and upload a selfie, which is analyzed for liveness and then compared against the portrait contained within the photo ID.
How Persona supports TEFCA
Persona is a leading identity verification platform that helps healthcare organizations exchange data securely. Trusted by some of the largest companies in the industry, including Citizen Health, K Health, and Circle Medical, Persona is a Kantara-approved CSP capable of meeting all of NIST’s requirements for IAL2 identity proofing.
With Persona, you can leverage prebuilt identity proofing flows designed to meet TEFCA’s IAL2 requirements:
- Verify patient identities using trusted evidence like driver’s licenses and passports
- Validate evidence against authoritative sources such as state DMVs
- Confirm the individual’s identity through checks like selfie verification with liveness detection
- Corroborate identity across current and historical addresses to reconcile records that may span multiple years and locations
