Understanding Patient access: TEFCA IAS SOP explained.
In the ever-evolving landscape of healthcare interoperability, the Trusted Exchange Framework and Common Agreement (TEFCA) plays a pivotal role in ensuring seamless and secure health information exchange across the United States. One of the key components of TEFCA is the Exchange Purpose (XP) Implementation Standard Operating Procedure (SOP) for Individual Access Services (IAS), which provides detailed guidelines for how Qualified Health Information Networks (QHINs), Participants, and Sub-participants should implement services that allow individuals to access their health information.
In this blog, we’ll dive into the key aspects of the IAS Implementation SOP, version 2.0, published on August 6, 2024, and explore its technical requirements, definitions, and implications for healthcare providers and organizations.
What is Individual Access Services (IAS)?
Individual Access Services (IAS) refer to the services provided by a QHIN, Participant, or Sub-participant that enable individuals to access, inspect, obtain, or transmit their health information via TEFCA Exchange. These services are crucial for empowering patients to take control of their health data, ensuring transparency, and promoting patient-centered care.
The IAS Implementation SOP outlines the specific requirements that IAS Providers must follow to ensure secure and compliant access to health information. This includes identity verification, technical standards, and the use of specific exchange purpose codes.
Here are the designated QHIN offering IAS
Key Requirements for IAS Providers
1. Exchange Purpose Code (XP Code)
All TEFCA Exchange under IAS must use the XP Code T-IAS. This code is specifically designated for Individual Access Services and ensures that the exchange is properly categorized and tracked within the TEFCA framework.
2. Technical Framework Compliance
IAS Providers must adhere to the technical requirements specified in the Qualified Health Information Network (QHIN) Technical Framework (QTF) and the Facilitated FHIR Implementation SOP. This ensures that all exchanges are conducted using standardized protocols, such as FHIR (Fast Healthcare Interoperability Resources), which is widely adopted in healthcare interoperability.
Credential Service Providers (CSPs)
IAS Providers must partner with a Credential Service Provider (CSP) that has been approved by an RCE-selected CSP approval organization. The CSP is responsible for verifying the identity of individuals to at least NIST Identity Assurance Level 2 (IAL2), which is a critical step in ensuring the security and integrity of the exchange.
The CSP must provide a signed OpenID Connect token to the IAS Provider, which is used to validate the individual’s identity during the exchange. The token must include specific demographic information, such as the individual’s name, date of birth, and address, and must be signed using RSA SHA-256 encryption.
4. Individual Identity Verification
IAS Providers must authenticate individuals using processes that meet at least Authenticator Assurance Level 2 (AAL2) requirements. This ensures that the individual accessing the information is who they claim to be.
The verification process must include specific demographic information, such as:
Required Demographics: First Name, Last Name, Date of Birth, Address, City, State, and Zip Code.
Optional Demographics: Sex, Middle Name, Email Address, Mobile Phone Number, Social Security Number (or last four digits), and other verifiable identifiers (e.g., Medical Record Number, Passport Number, etc.).
5. OpenID Connect Token Requirements
The OpenID Connect (OIDC) token is a critical component of the IAS exchange process. The token must include specific claims, such as the individual’s demographics, and must be signed by the CSP using RSA SHA-256 encryption.
The token must also include a JSON Web Key Set (JWKS), which is used by the Responding Node to validate the token’s signature. The CSP must publish the JWKS publicly, allowing for seamless verification of the token’s authenticity.
Required Information for IAS Exchange
Starting December 31, 2024, the Required Information for TEFCA Exchange under the XP Code T-IAS includes at least the USCDI v1 data classes and data elements that the Responding Node maintains. This ensures that individuals have access to a standardized set of health information, including clinical notes, lab results, and other critical data.
If the Responding Node is controlled by a Health Plan, it must also share individual claims and encounter data (excluding provider remittances and enrollee cost-sharing information). This requirement ensures that individuals have access to a comprehensive view of their health information, including data from both clinical and administrative sources.
Responding to IAS Queries
When a Responding Node receives an IAS Query that includes the appropriate IAL2 Claims Token, it must respond with the Required Information, provided that the query achieves an acceptable demographics-based match based on the responder’s policy. This ensures that individuals can access their health information across different healthcare organizations, promoting interoperability and continuity of care.
Conclusion
The Exchange Purpose Implementation SOP for Individual Access Services (IAS) is a critical component of TEFCA, ensuring that individuals can securely access their health information across different healthcare organizations. By adhering to the technical and operational requirements outlined in the SOP, IAS Providers can empower patients, promote transparency, and enhance the overall quality of care.
As healthcare continues to move towards greater interoperability, the IAS Implementation SOP provides a clear roadmap for organizations to follow, ensuring that they remain compliant with TEFCA standards while delivering secure and patient-centered services.
For more detailed information, you can refer to the full IAS Implementation SOP document available on the Recognized Coordinating Entity (RCE) website.