Why TEFCA’s facilitated FHIR will succeed
The lessons learned from Direct Secure Messaging are expected to provide important guidance on the road to improved interoperability.
Recently announced interoperability changes to the Trusted Exchange Framework and Common Agreement may enable FHIR API transactions to be supported by the same sort of trust-in-identity framework that underlies the DirectTrust network.
The hallmark of this approach is the use of digital certificates and a technical trust framework that enables exchange between parties without a transaction intermediary broker. Using digital certificates lets exchange partners know precisely who they are communicating with and other important information about the partner and the transaction.
The Office of the National Coordinator for Health Information Technology (ONC) and the Sequoia Project in its role as recognized coordinating entity (RCE) for TEFCA announced the changes in late April and updated the documentation early this month. The guardrails the ONC and the RCE have placed around “facilitated FHIR” have the potential to make connectivity as scalable and trustworthy as Direct Secure Messaging, providing for the query modality the security and fidelity that DirectTrust network participants appreciate.
The impact on QHINs
The facilitated FHIR approach will also fundamentally alter the role of the qualified health information network (QHIN) in TEFCA, relieving them of the task of relaying or brokering transactions. Instead, the network will inform participants and sub-participants where to find patient records, enabling them to query these locations for themselves. The approach has the potential to substantially enhance the trust that the trusted exchange framework seeks to provide.
Those who know how QHINs work with currently available standards recognize that messages in the new TEFCA network flow much as they have in CommonWell and Carequality for some time. In this model, initiated query messages pass from node to node to node like a string of pearls, with the QHINs responsible for forwarding these transactions to other QHINs, which might then forward them to the responder one or two nodes away.
While it might be possible for QHINs to continue this role with FHIR, it isn’t really how FHIR works. And doing away with this string of pearls can play a major role in improving trust in TEFCA by making it crystal clear who is asking for the data and for what purpose.
Enabling interoperability
FHIR APIs enable interoperability between two systems where one system authenticates to the other directly using the fundamental rails of Internet protocol, much like we bank and shop on the Internet.
One standard called OpenID Connect (OIDC) supports connections with specialized structures to carry important information that exchange participants want to share. Another standard called OAuth 2 supports the familiar single sign-on approach that we use when we “log in with” one application (like Google) or platform to another (like Facebook). The only weakness is that these standards, on their own, don’t provide any identity assurance for the organizations and individuals that are interacting.
If the information provided about a querier can be digitally signed under a managed set of policies, the responder can trust that the querier is who they claim to be and that they are authorized to be part of the network, all on an automated basis.
Important assertions like the subject of the query (the person), what community they belong to and the purpose of use are all protected from tampering by the use of the digital certificate. This trust in identity and transaction fidelity enables new connections to be made between the tens of thousands of FHIR endpoints and for subsequent connections to be authenticated reliably and without manual effort.
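The tamper protection described above, as an added example (not from the original article or from any TEFCA or UDAP implementation): a querier signs its assertions and the responder rejects any token whose claims changed after signing. The key pair stands in for the one bound to the querier's certificate, validation of that certificate against the trust framework is assumed to have happened already, and the claim names are illustrative.

```javascript
// Added example; keys, identifiers and claim names are constructed, not UDAP field names.
const crypto = require("node:crypto");

// Stand-in for the key pair bound to the querier's digital certificate.
const { publicKey, privateKey } = crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
const b64url = (value) => Buffer.from(value).toString("base64url");
const decode = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Querier: sign the assertions as a compact JWS using RS256.
function signAssertion(claims, key) {
  const signingInput = `${b64url(JSON.stringify({ alg: "RS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign("sha256", Buffer.from(signingInput), key);
  return `${signingInput}.${signature.toString("base64url")}`;
}

// Responder: release claims only if the signature covers them byte for byte.
function verifyAssertion(token, key, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, claims;
  try {
    header = decode(parts[0]);
    claims = decode(parts[1]);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm so the token cannot select "none" or a weaker scheme.
  if (!header || header.alg !== "RS256") return { ok: false, reason: "unexpected alg" };
  const signed = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!crypto.verify("sha256", signed, key, Buffer.from(parts[2], "base64url"))) {
    return { ok: false, reason: "bad signature" };
  }
  if (!claims || typeof claims.exp !== "number" || claims.exp <= nowSeconds) return { ok: false, reason: "expired" };
  return { ok: true, claims };
}

// Simulates in-transit modification: claims change, original signature is kept.
function tamper(token, changes) {
  const [header, payload, signature] = token.split(".");
  return `${header}.${b64url(JSON.stringify({ ...decode(payload), ...changes }))}.${signature}`;
}

const issuedAt = Math.floor(Date.now() / 1000);
const token = signAssertion({ iss: "https://querier.example", subject: "patient-123",
  community: "example-network", purpose_of_use: "TREATMENT", exp: issuedAt + 300 }, privateKey);
console.log(verifyAssertion(token, publicKey).ok);
console.log(verifyAssertion(tamper(token, { purpose_of_use: "OPERATIONS" }), publicKey).reason);
```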
Ensuring reliability
The standard used to make this reliable is called Unified Data Access Profiles (UDAP™). The HL7 FAST Accelerator stipulated these profiles, which the Facilitated FHIR SOP references as UDAP Security for Scalable Registration and Authentication and Authorization (SSRAA).
These profiles play many roles beyond registration, in particular for the individual access services (IAS) use case. A profile called Tiered OAuth, for example, allows a data holder to check the validity of a credential issued by an identity provider to a patient querying for their own records through a health app. SSRAA basically allows for trust to be established between parties that have never interacted before.
The goal of the SOP is for SSRAA to be adopted as soon as possible, but it is understood that the community hasn’t built their FHIR servers with the ability to interpret the information provided in the assertions or to process them appropriately. As such, the SOP also has provided flexibility for the community to adjust the deadlines if most of the community fails to make good progress.
DirectTrust is excited to support the community by offering accreditations that test conformance with UDAP profiles. Now that the Facilitated FHIR SOP and the QHIN Technical Framework have been finalized, it’s time for the community to scale FHIR use to enable data exchange that improves fidelity and trust.
In HTI-2, the new proposed rule that the ONC published this month, the agency seeks to fill gaps left by previous rules and by TEFCA. For example, under the proposed rule, UDAP will be a part of what electronic health record companies need to do to be certified by the ONC, which will make it extremely likely that the work required will be done.
With these changes, the ONC has provided the underpinnings for a scalable, secure and trustworthy FHIR ecosystem in TEFCA.
Scott Stuewe is president and CEO of DirectTrust.